delete 2 files

Joey Caparas 2017-01-10 15:01:59 -08:00
parent 7aa2e5a982
commit ef0a4be140
3 changed files with 8 additions and 135 deletions


@ -1,125 +0,0 @@
#json parser file for Windows Defender ATP alerts
trigger.node.location=/
token.count=22
token[0].name=AlertTime
token[0].type=String
token[0].location=AlertTime
token[1].name=ComputerDnsName
token[1].type=String
token[1].location=ComputerDnsName
token[2].name=AlertTitle
token[2].type=String
token[2].location=AlertTitle
token[3].name=Category
token[3].type=String
token[3].location=Category
token[4].name=Severity
token[4].type=String
token[4].location=Severity
token[5].name=AlertId
token[5].type=String
token[5].location=AlertId
token[6].name=Actor
token[6].type=String
token[6].location=Actor
token[7].name=LinkToWDATP
token[7].type=String
token[7].location=LinkToWDATP
token[8].name=IocName
token[8].type=String
token[8].location=IocName
token[9].name=IocValue
token[9].type=String
token[9].location=IocValue
token[10].name=CreatorIocName
token[10].type=String
token[10].location=CreatorIocName
token[11].name=CreatorIocValue
token[11].type=String
token[11].location=CreatorIocValue
token[12].name=FileHash
token[12].type=String
token[12].location=FileHash
token[13].name=FileName
token[13].type=String
token[13].location=FileName
token[14].name=FilePath
token[14].type=String
token[14].location=FilePath
token[15].name=IpAddress
token[15].type=IPAddress
token[15].location=IpAddress
token[16].name=Url
token[16].type=String
token[16].location=Url
token[17].name=IoaDefinitionId
token[17].type=String
token[17].location=IoaDefinitionId
token[18].name=UserName
token[18].type=String
token[18].location=UserName
token[19].name=AlertPart
token[19].type=Integer
token[19].location=AlertPart
token[20].name=FullId
token[20].type=String
token[20].location=FullId
token[21].name=LastProcessedTimeUtc
token[21].type=String
token[21].location=LastProcessedTimeUtc
event.deviceVendor=__stringConstant("Microsoft")
event.deviceProduct=__stringConstant("Windows Defender ATP")
event.deviceVersion=__stringConstant("1.0")
event.deviceReceiptTime=__createOptionalTimeStampFromString(AlertTime,"yyyy-MM-dd'T'hh\:mm\:ss")
event.sourceDnsDomain=ComputerDnsName
event.name=AlertTitle
event.deviceEventCategory=Category
event.deviceSeverity=Severity
event.externalId=AlertId
event.deviceCustomString1=Actor
event.deviceCustomString1Label=__stringConstant("Actor")
event.deviceCustomString2=LinkToWDATP
event.deviceCustomString2Label=__stringConstant("Link to WDATP")
event.deviceCustomString3=IocName
event.deviceCustomString3Label=__stringConstant("IOC Name")
event.deviceCustomString4=IocValue
event.deviceCustomString4Label=__stringConstant("IOC Value")
event.deviceCustomString5=CreatorIocName
event.deviceCustomString5Label=__stringConstant("Creator IOC Name")
event.deviceCustomString6=CreatorIocValue
event.deviceCustomString6Label=__stringConstant("Creator IOC Value")
event.fileHash=FileHash
event.fileName=FileName
event.filePath=FilePath
event.sourceAddress=IpAddress
event.sourceUserName=UserName
event.requestUrl=Url
event.message=FullId
severity.map.high.if.deviceSeverity=High
severity.map.medium.if.deviceSeverity=Medium
severity.map.low.if.deviceSeverity=Low


@ -1,7 +0,0 @@
client_id=50fdc940-6d94-4efe-817f-f9ccb80eae6d
client_secret=hZ91OZMVm7cTfbcVQ1S/jZVxOFV0yJHqu1LrFcxgOGA=
auth_url=https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com
token_url=https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token
redirect_uri=https://localhost:44300/sevilleconnector
scope=
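Review bot: Removing this properties file does not retire the credential it held; the `client_secret` value on line 2 of the removed file, together with the `client_id` and the tenant GUID embedded in `auth_url` and `token_url`, stays readable in history (parent 7aa2e5a982 and every clone or fork), so the secret should be treated as exposed and rotated in the AAD app registration rather than just deleted. If a sample file is re-added for the docs to link to, it should carry placeholders only, e.g. `client_secret=<your-client-secret>` and `client_id=<your-client-id>`. The guide in the third file section still instructs readers to download `WDATP-connector.properties`, which this commit removes, and the `redirect_uri` it documents (`.../wdatpconnector`) differs from the `.../sevilleconnector` value that was in this file, so whichever URI is registered on the app should be the one documented.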


@ -29,13 +29,20 @@ You'll need to configure HP ArcSight so that it can consume Windows Defender ATP
- OAuth 2 Token refresh URL - OAuth 2 Token refresh URL
- OAuth 2 Client ID - OAuth 2 Client ID
- OAuth 2 Client secret - OAuth 2 Client secret
2. Download the [wdatp-connector.properties](WDATP-connector.properties) file and update the values according to the following: 2. Download the [wdatp-connector.properties](WDATP-connector.properties) file and update the values according to the following:
(JOEY: UPLOAD FILE IN DOWNLOAD CENTER - PUT EMPTY PROPERTIES FILE. PUT WITH THE FOLLOWING VALUES.)
- **client_ID**: OAuth 2 Client ID - **client_ID**: OAuth 2 Client ID
- **client_secret**: OAuth 2 Client secret - **client_secret**: OAuth 2 Client secret
- **auth_url**: Append the following to the value you obtained from the AAD app: ```?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com ``` - **auth_url**: Append the following to the value you obtained from the AAD app: ```?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com ```
For example: `https://<url>/<value>/oauth2/authorize?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com`
- **redirect_uri**: ```https://localhost:44300/wdatpconnector``` - **redirect_uri**: ```https://localhost:44300/wdatpconnector```
- **scope**: Can be left blank but must be present
3. Download the [wdatp-connector.json.properties](wdatp-connector.json.properties) file. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format. 3. Download the [wdatp-connector.json.properties](wdatp-connector.json.properties) file. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format.
(JOEY: UPLOAD FILE IN DOWNLOAD CENTER)
## Install and configure HP ArcSight SmartConnector ## Install and configure HP ArcSight SmartConnector
The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin).
@ -43,8 +50,6 @@ The following steps assume that you have completed all the required steps in [Be
1. Install the latest 32-bit Windows SmartConnector installer. how to get? JOEY: Hi Aviv, is it this one: https://marketplace.saas.hpe.com/arcsight/content/connector ? 1. Install the latest 32-bit Windows SmartConnector installer. how to get? JOEY: Hi Aviv, is it this one: https://marketplace.saas.hpe.com/arcsight/content/connector ?
2. Follow the on-screen instructions. The tool is typically installed in `C:\ArcSightSmartConnectors\<descriptive_name>\`. 2. Follow the on-screen instructions. The tool is typically installed in `C:\ArcSightSmartConnectors\<descriptive_name>\`.
>[!NOTE]
>Don't install icons.
3. Open File Explorer to the installation location and put the two configuration files the following location: 3. Open File Explorer to the installation location and put the two configuration files the following location:
@ -95,7 +100,7 @@ Note: To be sure kill the process again (ctrl-c), start again, and no browser wi
e) To verify events are flowing (a good filter initially is Device Product = Windows Defender ATP). If so kill the process again and go to Windows Services and start the ArcSight FlexConnector REST for WDATP e) To verify events are flowing (a good filter initially is Device Product = Windows Defender ATP). If so kill the process again and go to Windows Services and start the ArcSight FlexConnector REST for WDATP
## HP ArcSight ## HP ArcSight
JOEY: what is this section going to talk about? Settings? JOEY: what is this section going to talk about? Settings?
## Related topics ## Related topics