From c389666e2339b01890871db7cbb59f603e0542c4 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 19 Jan 2017 17:58:14 -0800 Subject: [PATCH] updates on URLs and steps --- ...ows-defender-advanced-threat-protection.md | 34 +++++++++++++++++-- ...ows-defender-advanced-threat-protection.md | 8 ++--- ...ows-defender-advanced-threat-protection.md | 4 +-- 3 files changed, 35 insertions(+), 11 deletions(-) diff --git a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md index b9e0ae639a..3564ee13fb 100644 --- a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md @@ -25,8 +25,6 @@ localizationpriority: high You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can consume alerts from Windows Defender ATP portal. 1. Login to the [Azure management portal](https://ms.portal.azure.com). - >!NOTE: - >Use your Azure credentials not the Windows Defender Advanced Threat protection portal credentials. 2. Select **Active Directory**. 
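Review bot: Dropping the two `>!NOTE:` lines in this hunk removes the only reminder that the sign-in at the Azure management portal must use Azure credentials rather than Windows Defender ATP portal credentials. The removed lines are malformed (`>!NOTE:` instead of the `>[!NOTE]` syntax this same patch uses in the other hunks), so the better fix is to keep the note and correct its syntax: `>[!NOTE]` followed by `>Use your Azure credentials, not the Windows Defender Advanced Threat Protection portal credentials.`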
@@ -82,7 +80,37 @@ An Azure login page appears. 23. Save the application changes. -After configuring the application in AAD, you can continue to configure the SIEM tool that you want to use. +After configuring the application in AAD, you'll need to obtain a refresh token. You'll need to use the token when you configure the connector for your SIEM tool in the next steps. The token lets the connector access Windows Defender ATP events to be consumed by your SIEM. + +## Obtain a refresh token using an events URL +Obtain a refresh token used to retrieve the Windows Defender Advanced Threat Protection events to your SIEM. This section provides information on how you can use an events URL to obtain the required refresh token. +>[!NOTE] +>For HP ArcSight, you can obtain a refresh token using the restutil tool. For more information, see [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md). + +### Before you begin +Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page: + + - OAuth 2 Client ID + - OAuth 2 Client secret + +You'll use these values to obtain a refresh token. + +>[!IMPORTANT] +>Before using the OAuth 2 Client secret described in the next steps, you **must** encode it. Use a URL encoder to transform the OAuth 2 client secret. + +### Obtain a refresh token +1. Open a web browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=&tenantId=&clientSecret=` + + >[!NOTE] + >- Replace the *client ID* value with the one you got from your AAD application. + >- Replace *tenant ID* with your actual tenant ID. + >- Replace *client secret* with your encoded client secret. The client secret **must** be pasted encoded. + +2. Click **Accept**. When you authenticate, a web page opens with your refresh token. + +3. Save the refresh token which you'll find it the ``value. 
You'll need this value when configuring your SIEM tool. + +After configuring your AAD application and generating a refresh token, you can proceed to configure your SIEM tool. ## Related topics - [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md index 1292a9b0e0..1a8122188d 100644 --- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md @@ -85,10 +85,10 @@ The following steps assume that you have completed all the required steps in [Be Field | Value :---|:--- Configuration File | Type in the name of the client property file. It must match the client property file. - Events URL | https://DataAccess-PRD.trafficmanager.net:444/api/alerts + Events URL | Depending on the location of your datacenter, select either the EU or the US URL:

**For EU**: `https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME`

**For US**: `https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME` Authentication Type | OAuth 2 OAuth 2 Client Properties file | Select wdatp-connector.properties. - Refresh Token | Use either the Windows Defender ATP token URL or the restutil tool to obtain your refresh token. For more information, see JOEY ADD LINK HERE.
**Get your refresh token using the restutil tool:**
a. Open a command prompt. Navigate to `C:\ArcSightSmartConnectors\\current\bin`.
b. Type: `arcsight restutil token -config C:\ArcSightSmartConnectors_Prod\WDATP\WDATP-connector.properties`.A Web browser window will open.
c. A web browser will open. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.
d. A refresh token is provided in the command prompt. + Refresh Token | Use either the Windows Defender ATP token URL or the restutil tool to obtain your refresh token. For more information, see see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token).

**Get your refresh token using the restutil tool:**
a. Open a command prompt. Navigate to `C:\ArcSightSmartConnectors\\current\bin`.
b. Type: `arcsight restutil token -config C:\ArcSightSmartConnectors_Prod\WDATP\WDATP-connector.properties`.A Web browser window will open.
c. A web browser will open. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.
d. A refresh token is provided in the command prompt. 7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.

If the `redirect_uri` is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirec_uri is a https.

If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate. @@ -116,12 +116,8 @@ If the `redirect_uri` is a https URL, you'll be redirected to a URL on the local 16. Verify events are flowing by setting the initial filter to Device Product = Windows Defender ATP. If so stop the process again and go to Windows Services and start the ArcSight FlexConnector REST. - -## Run HP ArcSight queries You can now run queries in the HP ArcSight console. -In the HP ArcSight console, create a Windows Defender ATP channel with intervals and properties suitable to your enterprise needs. - Windows Defender ATP alerts will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name. diff --git a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md index 86cf16e270..9ba7f3625b 100644 --- a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md @@ -26,7 +26,7 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler ## Before you begin - Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk -- Contact the Windows Defender ATP team to get your refresh token +- Obtain your refresh token. For more information, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token). - Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page: - OAuth 2 Token refresh URL - OAuth 2 Client ID 
@@ -56,7 +56,7 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler Endpoint URL - Depending on the location of your datacenter, select either the EU or the US URL:

**For EU**: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts
**For US:** https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts + Depending on the location of your datacenter, select either the EU or the US URL:

**For EU**: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
**For US:** https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME HTTP Method
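Review bot: The `FetchToken` URL in step 1 of the added "Obtain a refresh token" section carries the OAuth 2 client secret as a query-string parameter typed into a browser, so the secret ends up in browser history, bookmarks and any proxy or server access log on the path; the section should state that this URL is credential-bearing and that the history entry should be removed afterwards, and the `>[!IMPORTANT]` block should make clear that URL-encoding the secret is a transport requirement, not a protection. Two rendering defects in the same hunk: the query string shows as `clientId=&tenantId=&clientSecret=` with no visible placeholder values, and step 3 reads "which you'll find it the ``value" with an empty code span, so neither the placeholder names nor the name of the response field that holds the token survive; spell them out and fix "find it the" to "find in the".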
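Review bot: In the ArcSight hunk's new `Refresh Token` row, "see see [Obtain a refresh token]" has a doubled word, and the restutil steps that follow are inconsistent with each other: step a navigates to `C:\ArcSightSmartConnectors\\current\bin` (with a stray double backslash) while step b passes `-config C:\ArcSightSmartConnectors_Prod\WDATP\WDATP-connector.properties`, a different install root, so a reader copying both literally is in one tree while loading a file from another. Step b also ends with `.A Web browser window will open` (missing space) and step c then repeats "A web browser will open" and asks for credentials twice; collapse b and c into one browser step. The unchanged context below still spells it `redirec_uri` once, worth fixing while this file is open.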
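Review bot: Removing the `## Run HP ArcSight queries` heading and the channel-creation sentence in the ArcSight `@@ -116,12` hunk leaves "You can now run queries in the HP ArcSight console." and the "Windows Defender ATP alerts will appear as discrete events" paragraph hanging directly under numbered step 16 with no section break, so they now read as part of the verification step. If the query section is meant to go, fold the two surviving sentences into step 16 or a closing paragraph; if only the channel instruction was meant to go, keep the heading.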
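Review bot: In the Splunk "Before you begin" hunk, the new "Obtain your refresh token" bullet is ordered before the bullet that tells the reader to collect the OAuth 2 Client ID (and, per the linked procedure, the URL-encoded client secret) from the AAD application, yet the linked procedure needs exactly those values; move the refresh-token bullet after the "Get the following information" list so the steps run in dependency order. The `#obtain-a-refresh-token` anchor resolves to the `### Obtain a refresh token` subsection rather than its parent `## Obtain a refresh token using an events URL` heading, which is the right target since the steps live under the H3.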
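Review bot: The replaced Endpoint URL lines in the Splunk `@@ -56,7` hunk introduce `$START_AT_TIME` without saying who expands it; in the ArcSight row this patch adds it can be read as a connector variable, but for the REST API Modular Input the reader needs to know whether the app substitutes it or whether it is a placeholder to replace with a UTC timestamp, so add one sentence stating that (and the expected timestamp format, if known). Minor: `/api/alerts/?sinceTimeUtc=` now has a trailing slash before the query string where the old URL was `/api/alerts`; confirm the endpoint accepts it. The bold markup is also inconsistent between `**For EU**:` and `**For US:**`.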