diff --git a/enable-custom-ti-windows-defender-advanced-threat-protection.md b/enable-custom-ti-windows-defender-advanced-threat-protection.md index d625917c50..4723cab90d 100644 --- a/enable-custom-ti-windows-defender-advanced-threat-protection.md +++ b/enable-custom-ti-windows-defender-advanced-threat-protection.md @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Enable the custom threat intelligence +# Enable the custom threat intelligence application **Applies to:** @@ -23,4 +23,22 @@ localizationpriority: high [Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] -Before +Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal. + +1. In the navigation pane, select **Preference Setup** > **Custom TI**. + +2. Select **Enable custom TI application**. This activates the **Azure Active Directory application** setup sections with pre-populated values. + +3. Copy the individual values or select **Save details to file** to download a file that contains all the values. + +>[WARNING] +>The client secret is only displayed once. Make sure you keep a copy of it in a safe place. +>For more information about getting a new secret see, [Learn how to get a new secret](). + +4. Select **Generate tokens** to get an access and refresh token. + +You'll need to use these values on the JSON file when doing REST API calls. + +## Related topics +- [Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +- [Create custom threat intelligence](custom-ti-api-windows-defender-advanced-threat-protection.md) 
diff --git a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md index f2110b49e0..995d893996 100644 --- a/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/custom-ti-api-windows-defender-advanced-threat-protection.md @@ -25,6 +25,10 @@ localizationpriority: high You can define custom alert definitions and indicators of compromise (IOC) using the available APIs. Creating custom TI’s allows you to create specific alerts that are applicable to your organization. +## Before you begin +Before creating custom TI's, you'll need to enable the custom TI application in Azure Active Directory and generate access tokens. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md). + +### Use the available REST API to create custom TI's You can call and specify the resource URLs using one of the following operations to access and manipulate a custom TI resource, you call and specify the resource URLs using one of the following operations: - GET @@ -339,3 +343,7 @@ $skip | int | The number of items to skip in a result set. $count | boolean | A collection and the number of items in the collection. These parameters are compatible with the [OData V4 query language](http://docs.oasis-open.org/odata/odata/v4.0/errata03/os/complete/part2-url-conventions/odata-v4.0-errata03-os-part2-url-conventions-complete.html#_Toc453752356). + +## Related topics +[Understand threat intelligence](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +[Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) 
diff --git a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md index a2510c1fc5..585a50cc88 100644 --- a/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/threat-indicator-concepts-windows-defender-advanced-threat-protection.md @@ -46,4 +46,5 @@ Here is an example of an IOC: IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it. ## Related topic +- [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) - [Create custom threat indicators using REST API](custom-ti-api-windows-defender-advanced-threat-protection.md)
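Review bot: The new file is added at the repository root (`a/enable-custom-ti-windows-defender-advanced-threat-protection.md`), while the two topics that link to it live under `windows/keep-secure/` and reference it by bare file name. As written, the relative links added in `custom-ti-api-...md` and `threat-indicator-concepts-...md` will not resolve, and neither will the Related topics links inside the new file. Move the file to `windows/keep-secure/` or adjust the link paths.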
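Review bot: In the `@@ -23,4 +23,22 @@` hunk of the enable-custom-ti topic, the warning links to `[Learn how to get a new secret]()` with an empty target, so the only pointer for recovering a lost client secret goes nowhere. Fill in the target or drop the sentence until the topic exists, and fix the punctuation ("see," should be ", see"). Step 3 also tells the reader to use **Save details to file** without saying how to handle the result; since the file "contains all the values" and the warning right after it concerns the client secret, add a line telling readers to store that file as a credential rather than leaving it in a downloads folder. Two smaller points: the callout is written `>[WARNING]`, which will render as a plain blockquote if the build expects the `[!WARNING]` form, and because it sits unindented between steps 3 and 4 it may break the numbered list. The closing sentence "use these values on the JSON file" does not say which JSON file; name it or link to where it is described.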
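Review bot: In the `@@ -25,6 +25,10 @@` hunk of the custom-ti-api topic, the new heading `### Use the available REST API to create custom TI's` is one level below `## Before you begin`, which makes the main REST API content a subsection of the prerequisites. Make it `##` so the two are siblings. The unchanged sentence directly under the new heading repeats itself ("You can call and specify the resource URLs using one of the following operations ... you call and specify the resource URLs using one of the following operations:") and is worth cleaning up while this section is being touched. "TI's" is used as a plural in both added lines; "TIs" or "custom TI" avoids the stray apostrophe.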
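Review bot: In the `@@ -339,3 +343,7 @@` hunk of the custom-ti-api topic, the two Related topics links are added as bare consecutive lines with no list markers, so Markdown will join them into a single paragraph. Prefix each with `- ` to match the Related topics lists in the other two files in this change.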
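Review bot: In the `@@ -46,4 +46,5 @@` hunk of the threat-indicator-concepts topic, the heading stays `## Related topic` although the list now has two entries; change it to `## Related topics` to match the other two files. The existing link text here, "Create custom threat indicators using REST API", also differs from the text the new enable-custom-ti topic uses for the same target ("Create custom threat intelligence"); pick one title and use it in both places.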