From d5cdbc4f4755f8a64c99b3da7fe3bd1af8fe0b3c Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 7 Feb 2017 16:23:26 -0800 Subject: [PATCH] update top level topic and TOC --- windows/keep-secure/TOC.md | 12 +++++++----- ...ndows-defender-advanced-threat-protection.md | 17 ++++++++++++----- 2 files changed, 19 insertions(+), 10 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 1981dcda44..58c0b8e7fd 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
@@ -738,7 +738,13 @@ #### [Use the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md) ##### [Alerts overview](alerts-queue-windows-defender-advanced-threat-protection.md) ##### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) -##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) +#### [Consume alerts and create custom indicators](configure-siem-windows-defender-advanced-threat-protection.md) +##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) +##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) +##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +##### [Understand threat indicators](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) +##### [Create custom threat indicators using REST API](custom-ti-api-windows-defender-advanced-threat-protection.md) +#### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) ##### [Machines overview](machines-view-overview-windows-defender-advanced-threat-protection.md) ##### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) ##### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) 
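Review bot: in the @@ -738 hunk, `Manage alerts` is promoted from `#####` to `####` while the entries that follow it (`Machines overview`, `Investigate machines`, `Investigate files`) stay at `#####`, so they now render as children of `Manage alerts` rather than of `Use the Windows Defender ATP portal`; inserting the new `#### [Consume alerts and create custom indicators]` block in the middle of the portal subtopics splits that section the same way. Suggest keeping `##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)` at its original level and moving the new `####` block, together with its five `#####` children, to after the last portal entry (for example just before `#### [Windows Defender ATP settings]`), so the portal section stays contiguous.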
@@ -748,10 +754,6 @@ ###### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md) #### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) #### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md) -#### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) -##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) -##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) -##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) #### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) #### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) #### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md index f8f22a049a..35dead1efe 100644 --- a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md 
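Review bot: the removal in the @@ -748 hunk is consistent with the first hunk, which re-adds `Configure SIEM tools to consume alerts` (retitled) and its three `#####` children under the new parent, so no topic is orphaned and every target file name is unchanged. Unrelated but visible in the context line just above: `fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md` carries a typo in the file name; not for this PR, since fixing it means renaming the file and updating every link to it, but worth a follow-up.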
@@ -1,7 +1,7 @@ --- -title: Configure security information and events management tools -description: Configure supported security information and events management tools to receive and consume alerts. -keywords: configure siem, security information and events management tools, splunk, arcsight +title: Consume alerts and create custom indicators in Windows Defender Advanced Threat Protection +description: Learn how to configure supported security information and events management tools to receive and consume alerts and create custom indicators using REST API. +keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Configure security information and events management (SIEM) tools to consume alerts +# Consume alerts and create custom indicators **Applies to:** 
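Review bot: the new `description:` in the @@ -1,7 hunk reads as a run-on, "receive and consume alerts and create custom indicators using REST API", which makes it sound as if the SIEM tools create the indicators; suggest `description: Learn how to configure supported security information and events management tools to receive and consume alerts, and how to create custom indicators using the REST API.` In the @@ -11,7 hunk the new H1 `# Consume alerts and create custom indicators` drops the product name that `title:` keeps, which matches the new TOC entry in the first hunk, so that part is fine as is.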
@@ -21,7 +21,9 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Windows Defender ATP supports security information and events management (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to get alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. +## Consume alerts using supported security information and events management (SIEM) tools +Windows Defender ATP supports (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to get alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. + Windows Defender ATP currently supports the following SIEM tools: @@ -35,6 +37,11 @@ To use either of these supported SIEM tools you'll need to: - [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md) - [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) +## Create custom threat indicators in Windows Defender ATP +You can also create custom threat indicators using the available REST API so that you can create specific alerts that are applicable to your organization. + +For more information, see [Create custom threat indicators (TI) using REST API](custom-ti-api-windows-defender-advanced-threat-protection.md). + ## In this section Topic | Description
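Review bot: in the @@ -21,7 hunk the rewritten opening sentence, `Windows Defender ATP supports (SIEM) tools to consume alerts.`, is left with a stray parenthesised abbreviation after the expansion was cut; since the new `## Consume alerts using supported security information and events management (SIEM) tools` heading directly above already expands the acronym, the body line should simply read `Windows Defender ATP supports SIEM tools to consume alerts.` The added `+` blank line after that paragraph also produces two consecutive blank lines before `Windows Defender ATP currently supports the following SIEM tools:`; harmless when rendered, but worth dropping to keep the source tidy.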
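Review bot: the new section in the @@ -35,6 hunk says "create custom threat indicators ... so that you can create specific alerts", repeating "create" and never saying what an indicator is for; suggest `You can also use the REST API to define custom threat indicators, so that Windows Defender ATP raises alerts that are specific to your organization.` The TOC change in the first hunk also adds `Understand threat indicators` (threat-indicator-concepts-windows-defender-advanced-threat-protection.md) as a sibling of the REST API topic, but this page links only `custom-ti-api-windows-defender-advanced-threat-protection.md`; add a link to the concepts topic here, and a row for it in the `## In this section` table (whose rows sit outside this hunk), so readers meet the concepts before the API.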