update based on Ronen's feedback

This commit is contained in:
Joey Caparas 2016-07-28 12:00:26 +10:00
parent 89900e907d
commit dafcae5569
4 changed files with 41 additions and 60 deletions

View File

@ -17,7 +17,7 @@ author: mjcaparas
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP application to communicate with it so that your security information and events management (SIEM) tool can consume alerts from Windows Defender ATP portal.
You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can consume alerts from Windows Defender ATP portal.
1. Login to the [Azure management portal](https://manage.windowsazure.com).
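Review bot: The application name in the added intro line, "Windows Defender ATP Alerts Export", does not match the display name the later steps use ("WDATPAlertExport" in steps 20 and 22 of the next hunks); use one name throughout so readers can find the right entry in the AAD application list.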
@ -25,25 +25,28 @@ You need to add an application in your Azure Active Directory (AAD) tenant then
3. Select your tenant.
4. Select **Applications**, then select **Add** to create a new application.
4. Click **Applications**, then select **Add** to create a new application.
5. Select **Add an application my organization is developing**.
5. Click **Add an application my organization is developing**.
6. Choose a client name for the application, for example, *Alert Export Client*.
7. Select **WEB APPLICATION AND/OR WEB API**.
7. Click **WEB APPLICATION AND/OR WEB API**.
8. Assign a sign-on URL and app ID URI to the application, for example, `https://alertexportclient`.
9. Confirm the request details and verify that you have successfully added the app.
10. Select the application you've just created from the directory application list and select **Configure**.
10. Select the application you've just created from the directory application list and click **Configure**.
11. Type the following URL in the **Reply URL** field: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchAccessTokenFromAuthCode`.
11. Type the following URLs in the **Reply URL** field:
- `https://DataAccess-PRD.trafficmanager.net:444/api/FetchAccessTokenFromAuthCode`
- `https://localhost:44300/WDATPconnector`
12. Scroll down to the **keys** section and select a duration for the application key.
13. Select **Save** and copy the key in a safe place. You'll need this key to authenticate the client application on Azure Active Directory.
13. Click **Save** and copy the key in a safe place. You'll need this key to authenticate the client application on Azure Active Directory.
14. Open a web browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=f7c1acd8-0458-48a0-a662-dba6de049d1c&tenantId=<tenant ID>&clientSecret=1234`. An Azure login page appears.
> [!NOTE]
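Review bot: Step 14's URL embeds a hard-coded clientId (`f7c1acd8-0458-48a0-a662-dba6de049d1c`) and `clientSecret=1234`; replace both with placeholders such as `<client ID>` and `<client secret>`, as `<tenant ID>` already is, so readers substitute the key saved in step 13 and no literal secret ships in the docs. Also, the second Reply URL added in step 11, `https://localhost:44300/WDATPconnector`, differs in case from the redirect_uri `https://localhost:44300/wdatpconnector` given in the ArcSight topic in this commit; the value sent by the connector has to match the registered reply URL, so spell it identically in both places.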
@ -52,28 +55,24 @@ You need to add an application in your Azure Active Directory (AAD) tenant then
15. Sign in with the credentials of a user from your tenant.
16. Select **Accept** to provide consent. Ignore the error.
16. Click **Accept** to provide consent. Ignore the error.
17. Select **Application configuration** under your tenant.
17. Click **Application configuration** under your tenant.
18. Select **Permissions to other applications**, then select **Add application**.
18. Click **Permissions to other applications**, then select **Add application**.
19. Select **All apps** from the **SHOW** field and submit.
19. Click **All apps** from the **SHOW** field and submit.
20. Select **SevilleAlertExport** [RONEN, I ASSUME THIS WILL BE RENAMED?], then select **+** to add the application. You should see it on the **SELECTED** panel.
20. Click **WDATPAlertExport**, then select **+** to add the application. You should see it on the **SELECTED** panel.
21. Submit your changes.
22. On the **SevilleAlertExport** record, in the **Delegated Permissions** field, select **Access SevilleAlertExport**.
22. On the **WDATPAlertExport** record, in the **Delegated Permissions** field, select **Access WDATPAlertExport**.
23. Save the application changes.
After configuring the application in AAD, you can continue to configure the SIEM tool that you want to use.
RONEN - I THINK I'M MISSING SOME STEPS HERE - I THINK I NEED TO PUT IN INFORMATION ON CLICK VIEW ENDPOINT SO THAT CUSTOMERS CAN SEE THEIR OAUTH 2 TOKEN ENDPOINT AND OAUTH 2 AUTHORIZATION ENDPOINT DETAILS.
SHOULD I INCLUDE THOSE INFORMATION HERE? OR CREATE A SEPARATE TOPIC FOR THAT? OR INCLUDE IT IN THE SPLUNK/ARCSIGHT STEPS?
## Related topics
- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
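Review bot: Step 16 still says "Ignore the error" without naming it; state which error is expected at that point so a reader can tell the expected one from a genuine consent failure. The removed open questions about the View Endpoint details are covered by the "Before you begin" sections of the Splunk and ArcSight topics in this commit, but the closing line here ("you can continue to configure the SIEM tool") could tell readers to note the OAuth 2 token refresh URL, client ID and client secret before leaving this page.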

View File

@ -21,14 +21,19 @@ You'll need to configure HP ArcSight so that it can consume Windows Defender ATP
## Before you begin
- Get the following information from your Azure Active Directory (AAD) application:
- Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
- OAuth 2 Token refresh URL
- OAuth 2 Client ID
- OAuth 2 Client secret
- Create your OAUth 2 Client properties file or get it from your Windows Defender ATP contact. For more information, see I NEED URL FOR THE HYPERLINK HERE TO WHERE YOU GOT THE ARCSIGHT DEVELOPER'S GUIDE PDF.
- Create your OAUth 2 Client properties file or get it from your Windows Defender ATP contact. For more information, see the ArcSight FlexConnector Developer's guide.
> [!NOTE]
> **For the authorization URL**: Append the following to the value you got from the AAD app: ```?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com``` <br>
> **For the redirect_uri value use**: ```https://localhost:44300/wdatpconnector```
>
- Get the *wdatp-connector.properties* file from your Windows Defender ATP contact. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format.
- Install the HP ArcSight REST FlexConnector package on a server that has access to the Internet. (RONEN - MAY I HAVE THE LINK FROM WHERE CUSTOMERS CAN DOWNLOAD THE PACKAGE)
- Contact the Windows Defender ATP team to provide you your refresh token or follow the steps in the section "Run restutil to Obtain a Refresh Token for Connector Appliance/ArcSight Management Center" in _______ NEED LINK TO THE PDF AGAIN HERE.
- Install the HP ArcSight REST FlexConnector package on a server that has access to the Internet.
- Contact the Windows Defender ATP team to get your refresh token or follow the steps in the section "Run restutil to Obtain a Refresh Token for Connector Appliance/ArcSight Management Center" in the ArcSight FlexConnector Developer's guide.
## Configure HP ArcSight
The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin)
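Review bot: The redirect_uri in the note, `https://localhost:44300/wdatpconnector`, differs in case from the Reply URL registered in the AAD topic (`https://localhost:44300/WDATPconnector`); keep them identical. The `?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com` value still carries the "Seville" name although the application was renamed to WDATPAlertExport elsewhere in this commit; confirm it is the actual resource identifier. Minor: "OAUth 2" in the added line should read "OAuth 2", and the note should say which connector setup fields the authorization URL and redirect_uri go into.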
@ -46,7 +51,8 @@ The following steps assume that you have completed all the required steps in [Be
4. Enter the following command and press **Enter**: ```runagentsetup.bat```. The Connector Setup pop-up window appears.
5. In the form fill in the following required fields with these values:
>[!NOTE]
>All other values in the form are optional and can be left blank.
<table>
<tbody style="vertical-align:top;">
<tr>
@ -67,16 +73,15 @@ The following steps assume that you have completed all the required steps in [Be
<td>Select *wdatp-connector.properties*.</td>
<tr>
<td>Refresh Token</td>
<td>Paste the refresh token that your Windows Defender ATP contact provided, or you the one you get after running the `restutil` tool.</td>
<td>Paste the refresh token that your Windows Defender ATP contact provided, or run the `restutil` tool to get it.</td>
</tr>
</tr>
</table>
All other values in the form are optional and can be left blank.
6. Select **Next**, then **Save**.
7. Run the connector. You can choose to run in service mode or application mode. RONEN - Should this be Service mode or Application mode (capitalized S and capitalized A?)
7. Run the connector. You can choose to run in Service mode or Application mode.
8. In the HP ArcSight console, create a **Windows Defender ATP** channel with an intervals and properties suitable to your enterprise needs.
8. In the HP ArcSight console, create a **Windows Defender ATP** channel with intervals and properties suitable to your enterprise needs. Windows Defender ATP alerts will appear as discrete events, with “Microsoft” as the vendor and “Windows Defender ATP” as the device name.
## Related topics
- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
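Review bot: The table context in this hunk is malformed: the `<td>` for "Select *wdatp-connector.properties*" is followed directly by a new `<tr>` with no closing `</tr>`, and the Refresh Token row is closed twice; fix the row structure while this table is being edited. Step 8 leaves the channel interval unspecified ("intervals and properties suitable to your enterprise needs"); if there is a recommended polling interval, state it. Minor: use straight quotes instead of the curly ones around "Microsoft" and "Windows Defender ATP".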

View File

@ -17,9 +17,9 @@ author: mjcaparas
- Windows 10, version 1607
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender ATP supports security information and events management (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure Active Directory (AAD). The endpoint can be configured to get alerts from your enterprise tenant in AAD using the OAuth 2.0 authentication protocol in an application hosted in AAD.
Windows Defender ATP supports security information and events management (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to get alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
Windows Defender ATP supports the following SIEM tools:
Windows Defender ATP currently supports the following SIEM tools:
- Splunk
- HPE ArcSight
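Review bot: "HPE ArcSight" here versus "HP ArcSight" in the ArcSight topic and its link text; pick one vendor name. The rewritten intro now correctly separates the alerts endpoint (hosted in Azure) from the AAD application, and its wording ("an AAD application that represents the specific SIEM connector installed in your environment") implies one application per connector instance; consider saying that explicitly so readers do not share one client secret across connectors.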
@ -31,26 +31,6 @@ To use either of these supported SIEM tools you'll need to:
- [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
After configuring the application, you need to take note of the following values:
You need to use these values in your SIEM tool to configure them.
For Splunk you need these values:
For HP ArcSight you need these values:
To get the refresh token:
- if using Splunk - your MS representative will provide this to you
- if using HP ArcSight - you need to run restutil
## In this section
Topic | Description
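Review bot: Removing the "After configuring the application" block drops the only mention in this overview that the refresh token is obtained differently per tool (from your MS representative for Splunk, by running restutil for ArcSight, per the deleted lines); a one-line pointer that each tool's "Before you begin" section lists the required values and where the token comes from would keep the overview complete.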

View File

@ -21,9 +21,9 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
## Before you begin
- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk (RONEN - please check if this link is correct.)
- Contact the Windows Defender ATP team to provide you your refresh token
- Get the following information from your Azure Active Directory (AAD) application:
- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk
- Contact the Windows Defender ATP team to get your refresh token
- Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
- OAuth 2 Token refresh URL
- OAuth 2 Client ID
- OAuth 2 Client secret
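Review bot: The "OAuth 2 Client secret" item should say it is the application key copied in step 13 of the AAD topic (which is shown once and must be kept in a safe place), rather than a value to read off the View Endpoint page; as written, readers will look for it alongside the token refresh URL and client ID.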
@ -32,15 +32,15 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
1. Login in to Splunk.
2. Select **Search & Reporting**, then **Settings** > **Data inputs**.
2. Click **Search & Reporting**, then **Settings** > **Data inputs**.
3. Select **REST** under **Local inputs**.
3. Click **REST** under **Local inputs**.
> [!NOTE]
> This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/).
4. Select **New**.
4. Click **New**.
5. In the form fill in the following required fields with the following values, then click **Save**:
5. Type the following values in the required fields, then click **Save**:
> [!NOTE]
>All other values in the form are optional and can be left blank.
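Review bot: Context line "Login in to Splunk" (step 1) should read "Log in to Splunk"; since step 2 is being edited in this hunk, fix it here. Step 5's NOTE sits directly under the list item with no blank line; match the layout used for the same note in the ArcSight topic.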
@ -54,8 +54,6 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
<td>Endpoint URL</td>
<td>https://DataAccess-PRD.trafficmanager.net:444/api/alerts</td>
</tr>
<td>Events URL</td>
<td>`https://DataAccess-PRD.trafficmanager.net:444/api/alerts`</td>
<tr>
<td>HTTP Method</td>
<td>GET</td>
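Review bot: Removing the duplicate Events URL row is right (it also lacked an opening `<tr>`), but the remaining Endpoint URL value `https://DataAccess-PRD.trafficmanager.net:444/api/alerts` is plain text while the removed copy was in backticks; format it consistently with the other URLs in the table. Since the endpoint uses port 444, a short note that outbound HTTPS to that port must be allowed from the Splunk host would save readers a failed first poll.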
@ -76,7 +74,7 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
</tr>
<tr>
<td>Response type</td>
<td>json</td>
<td>Json</td>
</tr>
<tr>
<td>Response Handler</td>
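Review bot: The Response type value changes from "json" to "Json"; confirm this is the exact option the REST API Modular Input app presents, since this table is meant to be copied verbatim into the form.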
@ -99,8 +97,7 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
After completing these configuration steps, you can go to the Splunk dashboard and run queries.
Some sample queries are: RONEN - PLEASE CHECK IF THE FOLLOWING ARE CORRECT - THANK YOU
```source="rest://windows atp alerts"```
You can use the following query as an example in Splunk: <br>
```source="rest://windows atp alerts"|spath|table*```
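Review bot: In the sample query `source="rest://windows atp alerts"|spath|table*`, `table*` should be `table *` (SPL reads `table*` as an unknown command name), and the source value assumes the REST input was given the name "windows atp alerts" in step 5, which this page does not show; state that the name must match the one entered in the input form. If the bare `source="rest://windows atp alerts"` line above the example is not intended to remain, drop it along with the `<br>`.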