diff --git a/windows/keep-secure/WDATP-Connector.jsonparser.properties b/windows/keep-secure/WDATP-Connector.jsonparser.properties
deleted file mode 100644
index 71883b6f93..0000000000
--- a/windows/keep-secure/WDATP-Connector.jsonparser.properties
+++ /dev/null
@@ -1,125 +0,0 @@
-#json parser file for Windows Defender ATP alerts
-trigger.node.location=/
-token.count=22
-
-token[0].name=AlertTime
-token[0].type=String
-token[0].location=AlertTime
-
-token[1].name=ComputerDnsName
-token[1].type=String
-token[1].location=ComputerDnsName
-
-token[2].name=AlertTitle
-token[2].type=String
-token[2].location=AlertTitle
-
-token[3].name=Category
-token[3].type=String
-token[3].location=Category
-
-token[4].name=Severity
-token[4].type=String
-token[4].location=Severity
-
-token[5].name=AlertId
-token[5].type=String
-token[5].location=AlertId
-
-token[6].name=Actor
-token[6].type=String
-token[6].location=Actor
-
-token[7].name=LinkToWDATP
-token[7].type=String
-token[7].location=LinkToWDATP
-
-token[8].name=IocName
-token[8].type=String
-token[8].location=IocName
-
-token[9].name=IocValue
-token[9].type=String
-token[9].location=IocValue
-
-token[10].name=CreatorIocName
-token[10].type=String
-token[10].location=CreatorIocName
-
-token[11].name=CreatorIocValue
-token[11].type=String
-token[11].location=CreatorIocValue
-
-token[12].name=FileHash
-token[12].type=String
-token[12].location=FileHash
-
-token[13].name=FileName
-token[13].type=String
-token[13].location=FileName
-
-token[14].name=FilePath
-token[14].type=String
-token[14].location=FilePath
-
-token[15].name=IpAddress
-token[15].type=IPAddress
-token[15].location=IpAddress
-
-token[16].name=Url
-token[16].type=String
-token[16].location=Url
-
-token[17].name=IoaDefinitionId
-token[17].type=String
-token[17].location=IoaDefinitionId
-
-token[18].name=UserName
-token[18].type=String
-token[18].location=UserName
-
-token[19].name=AlertPart
-token[19].type=Integer
-token[19].location=AlertPart
-
-token[20].name=FullId
-token[20].type=String
-token[20].location=FullId
-
-token[21].name=LastProcessedTimeUtc
-token[21].type=String
-token[21].location=LastProcessedTimeUtc
-
-event.deviceVendor=__stringConstant("Microsoft")
-event.deviceProduct=__stringConstant("Windows Defender ATP")
-event.deviceVersion=__stringConstant("1.0")
-
-event.deviceReceiptTime=__createOptionalTimeStampFromString(AlertTime,"yyyy-MM-dd'T'hh\:mm\:ss")
-event.sourceDnsDomain=ComputerDnsName
-event.name=AlertTitle
-event.deviceEventCategory=Category
-event.deviceSeverity=Severity
-event.externalId=AlertId
-event.deviceCustomString1=Actor
-event.deviceCustomString1Label=__stringConstant("Actor")
-event.deviceCustomString2=LinkToWDATP
-event.deviceCustomString2Label=__stringConstant("Link to WDATP")
-event.deviceCustomString3=IocName
-event.deviceCustomString3Label=__stringConstant("IOC Name")
-event.deviceCustomString4=IocValue
-event.deviceCustomString4Label=__stringConstant("IOC Value")
-event.deviceCustomString5=CreatorIocName
-event.deviceCustomString5Label=__stringConstant("Creator IOC Name")
-event.deviceCustomString6=CreatorIocValue
-event.deviceCustomString6Label=__stringConstant("Creator IOC Value")
-event.fileHash=FileHash
-event.fileName=FileName
-event.filePath=FilePath
-event.sourceAddress=IpAddress
-event.sourceUserName=UserName
-event.requestUrl=Url
-event.message=FullId
-
-severity.map.high.if.deviceSeverity=High
-severity.map.medium.if.deviceSeverity=Medium
-severity.map.low.if.deviceSeverity=Low
diff --git a/windows/keep-secure/WDATP-connector.properties b/windows/keep-secure/WDATP-connector.properties
deleted file mode 100644
index fe0575fe99..0000000000
--- a/windows/keep-secure/WDATP-connector.properties
+++ /dev/null
@@ -1,7 +0,0 @@
-
-client_id=50fdc940-6d94-4efe-817f-f9ccb80eae6d
-client_secret=hZ91OZMVm7cTfbcVQ1S/jZVxOFV0yJHqu1LrFcxgOGA=
-auth_url=https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com
-token_url=https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token
-redirect_uri=https://localhost:44300/sevilleconnector
-scope=
\ No newline at end of file
diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
index 71253331e2..f5fb394a22 100644
--- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
@@ -29,13 +29,20 @@ You'll need to configure HP ArcSight so that it can consume Windows Defender ATP
 - OAuth 2 Token refresh URL
 - OAuth 2 Client ID
 - OAuth 2 Client secret
+ 2. Download the [wdatp-connector.properties](WDATP-connector.properties) file and update the values according to the following:
+(JOEY: UPLOAD FILE IN DOWNLOAD CENTER - PUT EMPTY PROPERTIES FILE. PUT WITH THE FOLLOWING VALUES.)
 - **client_ID**: OAuth 2 Client ID
 - **client_secret**: OAuth 2 Client secret
 - **auth_url**: Append the following to the value you obtained from the AAD app: ```?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com ```
+
+ For example: `https:////oauth2/authorize?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com`
 - **redirect_uri**: ```https://localhost:44300/wdatpconnector```
+ - **scope**: Can be left blank but must be present
+ 3. Download the [wdatp-connector.json.properties](wdatp-connector.json.properties) file. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format.
+(JOEY: UPLOAD FILE IN DOWNLOAD CENTER)
 ## Install and configure HP ArcSight SmartConnector
 The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
@@ -43,8 +50,6 @@ The following steps assume that you have completed all the required steps in [Be
 1. Install the latest 32-bit Windows SmartConnector installer. how to get? JOEY: Hi Aviv, is it this one: https://marketplace.saas.hpe.com/arcsight/content/connector ?
 2. Follow the on-screen instructions. The tool is typically installed in `C:\ArcSightSmartConnectors\\`.
->[!NOTE]
->Don't install icons.
 3. Open File Explorer to the installation location and put the two configuration files the following location:
@@ -95,7 +100,7 @@ Note: To be sure kill the process again (ctrl-c), start again, and no browser wi
 e) To verify events are flowing (a good filter initially is Device Product = Windows Defender ATP). If so kill the process again and go to Windows Services and start the ArcSight FlexConnector REST for WDATP
 ## HP ArcSight
-JOEY: what is this section going to talk about? Settings?
+JOEY: what is this section going to talk about? Settings?
 ## Related topics