deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 14:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

delete 2 files

Browse Source
This commit is contained in:
Joey Caparas 2017-01-10 15:01:59 -08:00
parent 7aa2e5a982
commit ef0a4be140
3 changed files with 8 additions and 135 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

125
windows/keep-secure/WDATP-Connector.jsonparser.properties
View File

@ -1,125 +0,0 @@
#json parser file for Windows Defender ATP alerts
trigger.node.location=/
token.count=22
token[0].name=AlertTime
token[0].type=String
token[0].location=AlertTime
token[1].name=ComputerDnsName
token[1].type=String
token[1].location=ComputerDnsName
token[2].name=AlertTitle
token[2].type=String
token[2].location=AlertTitle
token[3].name=Category
token[3].type=String
token[3].location=Category
token[4].name=Severity
token[4].type=String
token[4].location=Severity
token[5].name=AlertId
token[5].type=String
token[5].location=AlertId
token[6].name=Actor
token[6].type=String
token[6].location=Actor
token[7].name=LinkToWDATP
token[7].type=String
token[7].location=LinkToWDATP
token[8].name=IocName
token[8].type=String
token[8].location=IocName
token[9].name=IocValue
token[9].type=String
token[9].location=IocValue
token[10].name=CreatorIocName
token[10].type=String
token[10].location=CreatorIocName
token[11].name=CreatorIocValue
token[11].type=String
token[11].location=CreatorIocValue
token[12].name=FileHash
token[12].type=String
token[12].location=FileHash
token[13].name=FileName
token[13].type=String
token[13].location=FileName
token[14].name=FilePath
token[14].type=String
token[14].location=FilePath
token[15].name=IpAddress
token[15].type=IPAddress
token[15].location=IpAddress
token[16].name=Url
token[16].type=String
token[16].location=Url
token[17].name=IoaDefinitionId
token[17].type=String
token[17].location=IoaDefinitionId
token[18].name=UserName
token[18].type=String
token[18].location=UserName
token[19].name=AlertPart
token[19].type=Integer
token[19].location=AlertPart
token[20].name=FullId
token[20].type=String
token[20].location=FullId
token[21].name=LastProcessedTimeUtc
token[21].type=String
token[21].location=LastProcessedTimeUtc
event.deviceVendor=__stringConstant("Microsoft")
event.deviceProduct=__stringConstant("Windows Defender ATP")
event.deviceVersion=__stringConstant("1.0")
event.deviceReceiptTime=__createOptionalTimeStampFromString(AlertTime,"yyyy-MM-dd'T'hh\:mm\:ss")
event.sourceDnsDomain=ComputerDnsName
event.name=AlertTitle
event.deviceEventCategory=Category
event.deviceSeverity=Severity
event.externalId=AlertId
event.deviceCustomString1=Actor
event.deviceCustomString1Label=__stringConstant("Actor")
event.deviceCustomString2=LinkToWDATP
event.deviceCustomString2Label=__stringConstant("Link to WDATP")
event.deviceCustomString3=IocName
event.deviceCustomString3Label=__stringConstant("IOC Name")
event.deviceCustomString4=IocValue
event.deviceCustomString4Label=__stringConstant("IOC Value")
event.deviceCustomString5=CreatorIocName
event.deviceCustomString5Label=__stringConstant("Creator IOC Name")
event.deviceCustomString6=CreatorIocValue
event.deviceCustomString6Label=__stringConstant("Creator IOC Value")
event.fileHash=FileHash
event.fileName=FileName
event.filePath=FilePath
event.sourceAddress=IpAddress
event.sourceUserName=UserName
event.requestUrl=Url
event.message=FullId
severity.map.high.if.deviceSeverity=High
severity.map.medium.if.deviceSeverity=Medium
severity.map.low.if.deviceSeverity=Low

7
windows/keep-secure/WDATP-connector.properties
View File

@ -1,7 +0,0 @@
client_id=50fdc940-6d94-4efe-817f-f9ccb80eae6d
client_secret=hZ91OZMVm7cTfbcVQ1S/jZVxOFV0yJHqu1LrFcxgOGA=
auth_url=https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com
token_url=https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token
redirect_uri=https://localhost:44300/sevilleconnector
scope=

9
windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
View File

@ -29,13 +29,20 @@ You'll need to configure HP ArcSight so that it can consume Windows Defender ATP
- OAuth 2 Token refresh URL - OAuth 2 Token refresh URL
- OAuth 2 Client ID - OAuth 2 Client ID
- OAuth 2 Client secret - OAuth 2 Client secret
2. Download the [wdatp-connector.properties](WDATP-connector.properties) file and update the values according to the following: 2. Download the [wdatp-connector.properties](WDATP-connector.properties) file and update the values according to the following:
(JOEY: UPLOAD FILE IN DOWNLOAD CENTER - PUT EMPTY PROPERTIES FILE. PUT WITH THE FOLLOWING VALUES.)
- **client_ID**: OAuth 2 Client ID - **client_ID**: OAuth 2 Client ID
- **client_secret**: OAuth 2 Client secret - **client_secret**: OAuth 2 Client secret
- **auth_url**: Append the following to the value you obtained from the AAD app: ```?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com ``` - **auth_url**: Append the following to the value you obtained from the AAD app: ```?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com ```
For example: `https://<url>/<value>/oauth2/authorize?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com`
- **redirect_uri**: ```https://localhost:44300/wdatpconnector``` - **redirect_uri**: ```https://localhost:44300/wdatpconnector```
- **scope**: Can be left blank but must be present
3. Download the [wdatp-connector.json.properties](wdatp-connector.json.properties) file. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format. 3. Download the [wdatp-connector.json.properties](wdatp-connector.json.properties) file. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format.
(JOEY: UPLOAD FILE IN DOWNLOAD CENTER)
## Install and configure HP ArcSight SmartConnector ## Install and configure HP ArcSight SmartConnector
The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
@ -43,8 +50,6 @@ The following steps assume that you have completed all the required steps in [Be
1. Install the latest 32-bit Windows SmartConnector installer. how to get? JOEY: Hi Aviv, is it this one: https://marketplace.saas.hpe.com/arcsight/content/connector ? 1. Install the latest 32-bit Windows SmartConnector installer. how to get? JOEY: Hi Aviv, is it this one: https://marketplace.saas.hpe.com/arcsight/content/connector ?
2. Follow the on-screen instructions. The tool is typically installed in `C:\ArcSightSmartConnectors\<descriptive_name>\`. 2. Follow the on-screen instructions. The tool is typically installed in `C:\ArcSightSmartConnectors\<descriptive_name>\`.
>[!NOTE]
>Don't install icons.
3. Open File Explorer to the installation location and put the two configuration files the following location: 3. Open File Explorer to the installation location and put the two configuration files the following location: