deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 06:47:21 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

updates on URLs and steps

Browse Source
This commit is contained in:
Joey Caparas 2017-01-19 17:58:14 -08:00
parent 86cf7f9530
commit c389666e23
3 changed files with 35 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md
View File

@ -25,8 +25,6 @@ localizationpriority: high
You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can consume alerts from Windows Defender ATP portal.
1. Login to the [Azure management portal](https://ms.portal.azure.com).
>!NOTE:
>Use your Azure credentials not the Windows Defender Advanced Threat protection portal credentials.
2. Select **Active Directory**.
@ -82,7 +80,37 @@ An Azure login page appears.
23. Save the application changes.
After configuring the application in AAD, you can continue to configure the SIEM tool that you want to use.
After configuring the application in AAD, you'll need to obtain a refresh token. You'll need to use the token when you configure the connector for your SIEM tool in the next steps. The token lets the connector access Windows Defender ATP events to be consumed by your SIEM.
## Obtain a refresh token using an events URL
Obtain a refresh token used to retrieve the Windows Defender Advanced Threat Protection events to your SIEM. This section provides information on how you can use an events URL to obtain the required refresh token.
>[!NOTE]
>For HP ArcSight, you can obtain a refresh token using the restutil tool. For more information, see [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md).
### Before you begin
Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
- OAuth 2 Client ID
- OAuth 2 Client secret
You'll use these values to obtain a refresh token.
>[!IMPORTANT]
>Before using the OAuth 2 Client secret described in the next steps, you **must** encode it. Use a URL encoder to transform the OAuth 2 client secret.
### Obtain a refresh token
1. Open a web browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=<client ID>&tenantId=<tenant ID>&clientSecret=<client secret>`
>[!NOTE]
>- Replace the *client ID* value with the one you got from your AAD application.
>- Replace *tenant ID* with your actual tenant ID.
>- Replace *client secret* with your encoded client secret. The client secret **must** be pasted encoded.
2. Click **Accept**. When you authenticate, a web page opens with your refresh token.
3. Save the refresh token which you'll find it the `<RefreshToken></RefreshToken>`value. You'll need this value when configuring your SIEM tool.
After configuring your AAD application and generating a refresh token, you can proceed to configure your SIEM tool.
## Related topics
- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)

8
windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
View File

@ -85,10 +85,10 @@ The following steps assume that you have completed all the required steps in [Be
Field | Value
:---|:---
Configuration File | Type in the name of the client property file. It must match the client property file.
Events URL | https://DataAccess-PRD.trafficmanager.net:444/api/alerts
Events URL | Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**: `https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME` </br></br>**For US**: `https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME`
Authentication Type | OAuth 2
OAuth 2 Client Properties file | Select wdatp-connector.properties.
Refresh Token | Use either the Windows Defender ATP token URL or the restutil tool to obtain your refresh token. For more information, see JOEY ADD LINK HERE. </br> **Get your refresh token using the restutil tool:** </br> a. Open a command prompt. Navigate to `C:\ArcSightSmartConnectors\<descriptive_name>\current\bin`. </br> b. Type: `arcsight restutil token -config C:\ArcSightSmartConnectors_Prod\WDATP\WDATP-connector.properties`.A Web browser window will open. </br> c. A web browser will open. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. </br> d. A refresh token is provided in the command prompt.
Refresh Token | Use either the Windows Defender ATP token URL or the restutil tool to obtain your refresh token. For more information, see see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token). </br> </br> **Get your refresh token using the restutil tool:** </br> a. Open a command prompt. Navigate to `C:\ArcSightSmartConnectors\<descriptive_name>\current\bin`. </br> b. Type: `arcsight restutil token -config C:\ArcSightSmartConnectors_Prod\WDATP\WDATP-connector.properties`.A Web browser window will open. </br> c. A web browser will open. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials. </br> d. A refresh token is provided in the command prompt.
7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate. </br></br>
If the `redirect_uri` is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirec_uri is a https. </br></br> If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate.
@ -116,12 +116,8 @@ If the `redirect_uri` is a https URL, you'll be redirected to a URL on the local
16. Verify events are flowing by setting the initial filter to Device Product = Windows Defender ATP. If so stop the process again and go to Windows Services and start the ArcSight FlexConnector REST.
## Run HP ArcSight queries
You can now run queries in the HP ArcSight console.
In the HP ArcSight console, create a Windows Defender ATP channel with intervals and properties suitable to your enterprise needs.
Windows Defender ATP alerts will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name.

4
windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
View File

@ -26,7 +26,7 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
## Before you begin
- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk
- Contact the Windows Defender ATP team to get your refresh token
- Obtain your refresh token. For more information, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token).
- Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
- OAuth 2 Token refresh URL
- OAuth 2 Client ID
@ -56,7 +56,7 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
</tr>
<tr>
<td>Endpoint URL</td>
<td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**: https://<i></i>wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts </br>**For US:** https://<i></i>wdatp-alertexporter-us.securitycenter.windows.com/api/alerts
<td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**: https://<i></i>wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME</br>**For US:** https://<i></i>wdatp-alertexporter-us.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
</tr>
<tr>
<td>HTTP Method</td>