deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-24 06:43:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into indicators-update

Browse Source
This commit is contained in:
Joey Caparas
2019-09-03 13:48:05 -07:00
parent 0c7e6fa715 e8ba385359
commit f4d704e35c
49 changed files with 2018 additions and 612 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
windows/security/threat-protection/TOC.md
View File

@ -398,7 +398,6 @@
####### [Get domain related alerts](microsoft-defender-atp/get-domain-related-alerts.md)
####### [Get domain related machines](microsoft-defender-atp/get-domain-related-machines.md)
####### [Get domain statistics](microsoft-defender-atp/get-domain-statistics.md)
####### [Is domain seen in organization (Deprecated)](microsoft-defender-atp/is-domain-seen-in-org.md)
###### [File]()
####### [File methods and properties](microsoft-defender-atp/files.md)
@ -409,9 +408,7 @@
###### [IP]()
####### [Get IP related alerts](microsoft-defender-atp/get-ip-related-alerts.md)
####### [Get IP related machines (Deprecated)](microsoft-defender-atp/get-ip-related-machines.md)
####### [Get IP statistics](microsoft-defender-atp/get-ip-statistics.md)
####### [Is IP seen in organization (Deprecated)](microsoft-defender-atp/is-ip-seen-org.md)
###### [User]()
####### [User methods](microsoft-defender-atp/user.md)
@ -440,13 +437,13 @@
##### [Experiment with custom threat intelligence alerts (Deprecated)](microsoft-defender-atp/experiment-custom-ti.md)
##### [Troubleshoot custom threat intelligence issues (Deprecated)](microsoft-defender-atp/troubleshoot-custom-ti.md)
#### [Pull alerts to your SIEM tools]()
##### [Learn about different ways to pull alerts](microsoft-defender-atp/configure-siem.md)
#### [Pull detections to your SIEM tools]()
##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md)
##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md)
##### [Configure Splunk to pull alerts](microsoft-defender-atp/configure-splunk.md)
##### [Configure HP ArcSight to pull alerts](microsoft-defender-atp/configure-arcsight.md)
##### [Microsoft Defender ATP SIEM alert API fields](microsoft-defender-atp/api-portal-mapping.md)
##### [Pull alerts using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
##### [Configure Splunk to pull detections](microsoft-defender-atp/configure-splunk.md)
##### [Configure HP ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md)
##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md)
##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
#### [Reporting]()

BIN
windows/security/threat-protection/images/TVM_icon.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 2.1 KiB

After

Width:  |  Height:  |  Size: 1.2 KiB

BIN
windows/security/threat-protection/intelligence/images/Transparency-report-August-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

BIN
windows/security/threat-protection/intelligence/images/Transparency-report-August.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 25 KiB

10
windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
View File

@ -26,7 +26,7 @@ Microsoft Defender Advanced Threat Protection ([Microsoft Defender ATP](https://
Windows Defender Antivirus is the [next generation protection](https://www.youtube.com/watch?v=Xy3MOxkX_o4) capability in the Microsoft Defender ATP security stack which addresses the latest and most sophisticated threats today. In some cases, customers might not even know they were protected because a cyberattack is stopped [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). That's because Windows Defender Antivirus detects and stops malware at first sight by using [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies.
<br><br>
![String of images showing scores](./images/Transparency-report-August.png)
![String of images showing scores](./images/Transparency-report-August-2.png)
**Download the latest transparency report: [Examining industry test results, August 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)**
@ -48,10 +48,6 @@ The AV-TEST Product Review and Certification Report tests on three categories: p
- July - August 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2018/microsoft-windows-defender-antivirus-4.12--4.18-183212/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IL3Y)
|||
|---|---|
|![Graph showing Microsoft's Real-World detection rate scores for AV-Test](./images/real-world-aug-small.png)|![Graph showing Microsoft's Prevalent Malware detection rate scores for AV-Test](./images/prevalent-malware-aug-small.png)|
### AV-Comparatives: Protection rating of 99.9% in the latest test
Business Security Test consists of three main parts: the Real-World Protection Test which mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (e.g. USB), and the Performance Test which looks at the impact on the systems performance.
@ -64,9 +60,7 @@ Business Security Test consists of three main parts: the Real-World Protection T
- Business Security Test 2018 (March - June): [Real-World Protection Rate 98.7%](https://www.av-comparatives.org/tests/business-security-test-2018-march-june/)
![Graph showing Microsoft's Real-World Protection scores for AV-Comparatives](./images/real-world-protection-aug-small.png)
### SE Labs: Total accuracy rating of AAA in the latest test
### SE Labs: AAA award in the latest test
SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including endpoint software, network appliances, and cloud services.

71
windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft Defender ATP alert API fields
description: Understand how the alert API fields map to the values in Microsoft Defender Security Center
keywords: alerts, alert fields, fields, api, fields, pull alerts, rest api, request, response
title: Microsoft Defender ATP detections API fields
description: Understand how the Detections API fields map to the values in Microsoft Defender Security Center
keywords: detections, detections fields, fields, api, fields, pull Detections, rest api, request, response
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -15,10 +15,9 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/16/2017
---
# Microsoft Defender ATP SIEM alert API fields
# Microsoft Defender ATP detections API fields
**Applies to:**
@ -26,10 +25,14 @@ ms.date: 10/16/2017
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
Understand what data fields are exposed as part of the detections API and how they map to Microsoft Defender Security Center.
## Alert API fields and portal mapping
The following table lists the available fields exposed in the alerts API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
>[!Note]
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
>- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Machine and its related **Alert** details.
## Detections API fields and portal mapping
The following table lists the available fields exposed in the detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
The ArcSight field column contains the default mapping between the Microsoft Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md).
@ -39,33 +42,33 @@ Field numbers match the numbers in the images below.
>
> | Portal label | SIEM field name | ArcSight field | Example value | Description |
> |------------------|---------------------------|---------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
> | 1 | AlertTitle | name | Windows Defender AV detected 'Mikatz' high-severity malware | Value available for every alert. |
> | 2 | Severity | deviceSeverity | High | Value available for every alert. |
> | 3 | Category | deviceEventCategory | Malware | Value available for every alert. |
> | 4 | Detection source | sourceServiceName | Antivirus | Windows Defender Antivirus or Microsoft Defender ATP. Value available for every alert. |
> | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every alert. |
> | 6 | FileName | fileName | Robocopy.exe | Available for alerts associated with a file or process. |
> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for alerts associated with a file or process. |
> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based alerts. |
> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Microsoft Defender ATP behavioral based alerts. |
> | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for alerts associated with a file or process. |
> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Windows Defender AV alerts. |
> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Windows Defender AV alerts. |
> | 13 | ThreatName | deviceCustomString1 | HackTool:Win32/Mikatz!dha | Available for Windows Defender AV alerts. |
> | 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. |
> | 15 | Url | requestUrl | down.esales360.cn | Available for alerts associated to network events. For example, 'Communication to a malicious network destination'. |
> | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. |
> | 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV alerts. ArcSight value is 1 when TRUE and 0 when FALSE. |
> | 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every alert. |
> | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every alert. |
> | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the activity relevant to the alert occurred. Value available for every alert. |
> | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every alert. |
> | 1 | AlertTitle | name | Windows Defender AV detected 'Mikatz' high-severity malware | Value available for every Detection. |
> | 2 | Severity | deviceSeverity | High | Value available for every Detection. |
> | 3 | Category | deviceEventCategory | Malware | Value available for every Detection. |
> | 4 | Detection source | sourceServiceName | Antivirus | Windows Defender Antivirus or Microsoft Defender ATP. Value available for every Detection. |
> | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every Detection. |
> | 6 | FileName | fileName | Robocopy.exe | Available for detections associated with a file or process. |
> | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for detections associated with a file or process. |
> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based detections. |
> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Microsoft Defender ATP behavioral based detections. |
> | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for detections associated with a file or process. |
> | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Windows Defender AV detections. |
> | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Windows Defender AV detections. |
> | 13 | ThreatName | deviceCustomString1 | HackTool:Win32/Mikatz!dha | Available for Windows Defender AV detections. |
> | 14 | IpAddress | sourceAddress | 218.90.204.141 | Available for detections associated to network events. For example, 'Communication to a malicious network destination'. |
> | 15 | Url | requestUrl | down.esales360.cn | Available for detections associated to network events. For example, 'Communication to a malicious network destination'. |
> | 16 | RemediationIsSuccess | deviceCustomNumber2 | TRUE | Available for Windows Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
> | 17 | WasExecutingWhileDetected | deviceCustomNumber1 | FALSE | Available for Windows Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE. |
> | 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every Detection. |
> | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every Detection. |
> | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the event occurred. Value available for every Detection. |
> | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every Detection. |
> | 22 | Actor | deviceCustomString4 | BORON | Available for alerts related to a known actor group. |
> | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every alert. |
> | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every Detection. |
> | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available. |
> | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. |
> | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. |
> | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that alerts are retrieved. |
> | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. |
> | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. |
> | | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. |
> | | Not part of the schema | deviceVersion | | Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.
@ -88,7 +91,7 @@ Field numbers match the numbers in the images below.
## Related topics
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md)
- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md)
- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md)
- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)

21
windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
View File

@ -1,6 +1,6 @@
---
title: Configure HP ArcSight to pull Microsoft Defender ATP alerts
description: Configure HP ArcSight to receive and pull alerts from Microsoft Defender Security Center
title: Configure HP ArcSight to pull Microsoft Defender ATP detections
description: Configure HP ArcSight to receive and pull detections from Microsoft Defender Security Center
keywords: configure hp arcsight, security information and events management tools, arcsight
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -15,10 +15,9 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/20/2018
---
# Configure HP ArcSight to pull Microsoft Defender ATP alerts
# Configure HP ArcSight to pull Microsoft Defender ATP detections
**Applies to:**
@ -29,10 +28,14 @@ ms.date: 12/20/2018
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink)
You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender ATP alerts.
You'll need to install and configure some files and tools to use HP ArcSight so that it can pull Microsoft Defender ATP detections.
>[!Note]
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
## Before you begin
Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse alerts from your Azure Active Directory (AAD) application.
Configuring the HP ArcSight Connector tool requires several configuration files for it to pull and parse detections from your Azure Active Directory (AAD) application.
This section guides you in getting the necessary information to set and use the required configuration files correctly.
@ -163,7 +166,7 @@ The following steps assume that you have completed all the required steps in [Be
You can now run queries in the HP ArcSight console.
Microsoft Defender ATP alerts will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name.
Microsoft Defender ATP detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name.
## Troubleshooting HP ArcSight connection
@ -187,6 +190,6 @@ Microsoft Defender ATP alerts will appear as discrete events, with "Microsoft”
## Related topics
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md)
- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md)
- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)

35
windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
View File

@ -1,6 +1,6 @@
---
title: Pull alerts to your SIEM tools from Microsoft Defender Advanced Threat Protection
description: Learn how to use REST API and configure supported security information and events management tools to receive and pull alerts.
title: Pull detections to your SIEM tools from Microsoft Defender Advanced Threat Protection
description: Learn how to use REST API and configure supported security information and events management tools to receive and pull detections.
keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -18,7 +18,7 @@ ms.topic: article
ms.date: 10/16/2017
---
# Pull alerts to your SIEM tools
# Pull detections to your SIEM tools
**Applies to:**
@ -26,8 +26,13 @@ ms.date: 10/16/2017
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink)
## Pull alerts using security information and events management (SIEM) tools
Microsoft Defender ATP supports (SIEM) tools to pull alerts. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
## Pull detections using security information and events management (SIEM) tools
>[!Note]
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
Microsoft Defender ATP supports (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
Microsoft Defender ATP currently supports the following SIEM tools:
@ -39,16 +44,16 @@ To use either of these supported SIEM tools you'll need to:
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
- Configure the supported SIEM tool:
- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md)
- [Configure HP ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md)
- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
- [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
For more information on the list of fields exposed in the alerts API see, [Microsoft Defender ATP alert API fields](api-portal-mapping.md).
For more information on the list of fields exposed in the Detection API see, [Microsoft Defender ATP Detection fields](api-portal-mapping.md).
## Pull Microsoft Defender ATP alerts using REST API
Microsoft Defender ATP supports the OAuth 2.0 protocol to pull alerts using REST API.
## Pull Microsoft Defender ATP detections using REST API
Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections using REST API.
For more information, see [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md).
For more information, see [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md).
## In this section
@ -56,8 +61,8 @@ For more information, see [Pull Microsoft Defender ATP alerts using REST API](pu
Topic | Description
:---|:---
[Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
[Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Microsoft Defender ATP alerts.
[Configure HP ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP alerts.
[Microsoft Defender ATP alert API fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
[Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Microsoft Defender ATP using REST API.
[Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)| Learn about installing the REST API Modular Input App and other configuration settings to enable Splunk to pull Microsoft Defender ATP detections.
[Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Microsoft Defender ATP detections.
[Microsoft Defender ATP Detection fields](api-portal-mapping.md) | Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center.
[Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) | Use the Client credentials OAuth 2.0 flow to pull detections from Microsoft Defender ATP using REST API.
[Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) | Address issues you might encounter when using the SIEM integration feature.

24
windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
View File

@ -1,6 +1,6 @@
---
title: Configure Splunk to pull Microsoft Defender ATP alerts
description: Configure Splunk to receive and pull alerts from Microsoft Defender Security Center.
title: Configure Splunk to pull Microsoft Defender ATP detections
description: Configure Splunk to receive and pull detections from Microsoft Defender Security Center.
keywords: configure splunk, security information and events management tools, splunk
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Configure Splunk to pull Microsoft Defender ATP alerts
# Configure Splunk to pull Microsoft Defender ATP detections
**Applies to:**
@ -28,7 +28,11 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink)
You'll need to configure Splunk so that it can pull Microsoft Defender ATP alerts.
You'll need to configure Splunk so that it can pull Microsoft Defender ATP detections.
>[!Note]
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
## Before you begin
@ -121,8 +125,8 @@ You'll need to configure Splunk so that it can pull Microsoft Defender ATP alert
After completing these configuration steps, you can go to the Splunk dashboard and run queries.
## View alerts using Splunk solution explorer
Use the solution explorer to view alerts in Splunk.
## View detections using Splunk solution explorer
Use the solution explorer to view detections in Splunk.
1. In Splunk, go to **Settings** > **Searchers, reports, and alerts**.
@ -141,12 +145,12 @@ Use the solution explorer to view alerts in Splunk.
>[!TIP]
> To mininimize alert duplications, you can use the following query:
> To mininimize Detection duplications, you can use the following query:
>```source="rest://windows atp alerts" | spath | dedup _raw | table *```
## Related topics
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md)
- [Microsoft Defender ATP alert API fields](api-portal-mapping.md)
- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md)
- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
- [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)

23
windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md
View File

@ -1,6 +1,6 @@
---
title: Enable SIEM integration in Microsoft Defender ATP
description: Enable SIEM integration to receive alerts in your security information and event management (SIEM) solution.
description: Enable SIEM integration to receive detections in your security information and event management (SIEM) solution.
keywords: enable siem connector, siem, connector, security information and events
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/10/2018
---
# Enable SIEM integration in Microsoft Defender ATP
@ -26,7 +25,11 @@ ms.date: 12/10/2018
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
Enable security information and event management (SIEM) integration so you can pull alerts from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the alerts REST API.
Enable security information and event management (SIEM) integration so you can pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API.
>[!Note]
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
## Prerequisites
- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role.
@ -55,7 +58,7 @@ Enable security information and event management (SIEM) integration so you can p
> - WDATP-connector.jsonparser.properties
> - WDATP-connector.properties <br>
If you want to connect directly to the alerts REST API through programmatic access, choose **Generic API**.
If you want to connect directly to the detections REST API through programmatic access, choose **Generic API**.
4. Copy the individual values or select **Save details to file** to download a file that contains all the values.
@ -64,14 +67,14 @@ Enable security information and event management (SIEM) integration so you can p
> [!NOTE]
> You'll need to generate a new Refresh token every 90 days.
You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from Microsoft Defender Security Center.
You can now proceed with configuring your SIEM solution or connecting to the detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive detections from Microsoft Defender Security Center.
## Integrate Microsoft Defender ATP with IBM QRadar
You can configure IBM QRadar to collect alerts from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
You can configure IBM QRadar to collect detections from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
## Related topics
- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md)
- [Configure HP ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md)
- [Microsoft Defender ATP alert API fields](api-portal-mapping.md)
- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md)
- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
- [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
- [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)

122
windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md
View File

@ -1,122 +0,0 @@
---
title: Get IP related machines API
description: Retrieves a collection of machines related to a given IP address.
keywords: apis, graph api, supported apis, get, ip, related, machines
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Get IP related machines API (Deprecated)
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Retrieves a collection of machines that communicated with or from a particular IP.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | Machine.Read.All | 'Read all machine profiles'
Application | Machine.ReadWrite.All | 'Read and write all machine information'
Delegated (work or school account) | Machine.Read | 'Read machine information'
Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
## HTTP request
```
GET /api/ips/{ip}/machines
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful and IP exists - 200 OK with list of [machine](machine.md) entities in the body. If IP do not exist - 404 Not Found.
## Example
**Request**
Here is an example of the request.
[!include[Improve request performance](improve-request-performance.md)]
```
GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/machines
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"riskScore": "Low",
"rbacGroupName": "The-A-Team",
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
```

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_flyout.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 37 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_machines_discoveredvuln.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 90 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_machineslist.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 51 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_machinetoinvestigate.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 21 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 121 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_software.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 98 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_softwarecolon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 104 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_softwareflyout.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_softwareoptions.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.5 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vuln.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnflyout.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracy_vulnoptions.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.6 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyflyout.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_report_inaccuracyoptions.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.8 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_weaknesses_machinepage.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 82 KiB

82
windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md
View File

@ -1,82 +0,0 @@
---
title: Is domain seen in org API
description: Use this API to create calls related to checking whether a domain was seen in the organization.
keywords: apis, graph api, supported apis, domain, domain seen
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Was domain seen in org (Deprecated)
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Answers whether a domain was seen in the organization.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | Url.Read.All | 'Read URLs'
Delegated (work or school account) | URL.Read.All | 'Read URLs'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
## HTTP request
```
GET /api/domains/{domain}
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful and domain exists - 200 OK. If domain does not exist - 404 Not Found.
## Example
**Request**
Here is an example of the request.
[!include[Improve request performance](improve-request-performance.md)]
```
GET https://api.securitycenter.windows.com/api/domains/example.com
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Domains/$entity",
"host": "example.com"
}
```

82
windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md
View File

@ -1,82 +0,0 @@
---
title: Is IP seen in org API
description: Answers whether an IP was seen in the organization.
keywords: apis, graph api, supported apis, is, ip, seen, org, organization
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Was IP seen in org (Deprecated)
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Answers whether an IP was seen in the organization.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | Ip.Read.All | 'Read IP address profiles'
Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
## HTTP request
```
GET /api/ips/{ip}
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
## Request body
Empty
## Response
If successful and IP exists - 200 OK. If IP do not exist - 404 Not Found.
## Example
**Request**
Here is an example of the request.
```
GET https://api.securitycenter.windows.com/api/ips/10.209.67.177
```
**Response**
Here is an example of the response.
[!include[Improve request performance](improve-request-performance.md)]
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Ips/$entity",
"id": "10.209.67.177"
}
```

1
windows/security/threat-protection/microsoft-defender-atp/management-apis.md
View File

@ -52,7 +52,6 @@ An important aspect of machine management is the ability to analyze the environm
Topic | Description
:---|:---
Understand threat intelligence concepts | Learn about alert definitions, indicators of compromise, and other threat intelligence concepts.
Supported Microsoft Defender ATP APIs | Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses.
Managed security service provider | Get a quick overview on managed security service provider support.

15
windows/security/threat-protection/microsoft-defender-atp/oldTOC.txt
View File

@ -392,7 +392,6 @@
####### [Get domain related alerts](get-domain-related-alerts.md)
####### [Get domain related machines](get-domain-related-machines.md)
####### [Get domain statistics](get-domain-statistics.md)
####### [Is domain seen in organization (Deprecated)](is-domain-seen-in-org.md)
###### [File]()
####### [Methods and properties](files.md)
@ -403,9 +402,7 @@
###### [IP]()
####### [Get IP related alerts](get-ip-related-alerts.md)
####### [Get IP related machines (Deprecated)](get-ip-related-machines.md)
####### [Get IP statistics](get-ip-statistics.md)
####### [Is IP seen in organization (Deprecated)](is-ip-seen-org.md)
###### [User]()
####### [Methods](user.md)
@ -428,13 +425,13 @@
##### [Experiment with custom threat intelligence alerts](experiment-custom-ti.md)
##### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti.md)
#### [Pull alerts to your SIEM tools]()
##### [Learn about different ways to pull alerts](configure-siem.md)
#### [Pull Detections to your SIEM tools]()
##### [Learn about different ways to pull Detections](configure-siem.md)
##### [Enable SIEM integration](enable-siem-integration.md)
##### [Configure Splunk to pull alerts](configure-splunk.md)
##### [Configure HP ArcSight to pull alerts](configure-arcsight.md)
##### [Microsoft Defender ATP SIEM alert API fields](api-portal-mapping.md)
##### [Pull alerts using SIEM REST API](pull-alerts-using-rest-api.md)
##### [Configure Splunk to pull Detections](configure-splunk.md)
##### [Configure HP ArcSight to pull Detections](configure-arcsight.md)
##### [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
##### [Pull Detections using SIEM REST API](pull-alerts-using-rest-api.md)
##### [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
#### [Reporting]()

48
windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md
View File

@ -1,7 +1,7 @@
---
title: Pull Microsoft Defender ATP alerts using REST API
description: Pull alerts from Microsoft Defender ATP REST API.
keywords: alerts, pull alerts, rest api, request, response
title: Pull Microsoft Defender ATP detections using REST API
description: Pull detections from Microsoft Defender ATP REST API.
keywords: detections, pull detections, rest api, request, response
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Pull Microsoft Defender ATP alerts using SIEM REST API
# Pull Microsoft Defender ATP detections using SIEM REST API
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@ -26,7 +26,11 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-pullalerts-abovefoldlink)
Microsoft Defender ATP supports the OAuth 2.0 protocol to pull alerts from the portal.
>[!Note]
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections from the API.
In general, the OAuth 2.0 protocol supports four types of flows:
- Authorization grant flow
@ -36,19 +40,19 @@ In general, the OAuth 2.0 protocol supports four types of flows:
For more information about the OAuth specifications, see the [OAuth Website](http://www.oauth.net).
Microsoft Defender ATP supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to generate alerts from the portal, with Azure Active Directory (AAD) as the authorization server.
Microsoft Defender ATP supports the _Authorization grant flow_ and _Client credential flow_ to obtain access to pull detections, with Azure Active Directory (AAD) as the authorization server.
The _Authorization grant flow_ uses user credentials to get an authorization code, which is then used to obtain an access token.
The _Client credential flow_ uses client credentials to authenticate against the Microsoft Defender ATP endpoint URL. This flow is suitable for scenarios when an OAuth client creates requests to an API that doesn't require user credentials.
Use the following method in the Microsoft Defender ATP API to pull alerts in JSON format.
Use the following method in the Microsoft Defender ATP API to pull detections in JSON format.
>[!NOTE]
>Microsoft Defender Security Center merges similar alert detections into a single alert. This API pulls alert detections in its raw form based on the query parameters you set, enabling you to apply your own grouping and filtering.
## Before you begin
- Before calling the Microsoft Defender ATP endpoint to pull alerts, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md).
- Before calling the Microsoft Defender ATP endpoint to pull detections, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md).
- Take note of the following values in your Azure application registration. You need these values to configure the OAuth flow in your service or daemon app:
- Application ID (unique to your application)
@ -59,7 +63,7 @@ Use the following method in the Microsoft Defender ATP API to pull alerts in JSO
## Get an access token
Before creating calls to the endpoint, you'll need to get an access token.
You'll use the access token to access the protected resource, which are alerts in Microsoft Defender ATP.
You'll use the access token to access the protected resource, which are detections in Microsoft Defender ATP.
To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request:
@ -105,23 +109,23 @@ Use optional query parameters to specify and control the amount of data returned
Name | Value| Description
:---|:---|:---
DateTime?sinceTimeUtc | string | Defines the lower time bound alerts are retrieved from, based on field: <br> `LastProcessedTimeUtc` <br> The time range will be: from sinceTimeUtc time to current time. <br><br> **NOTE**: When not specified, all alerts generated in the last two hours are retrieved.
DateTime?untilTimeUtc | string | Defines the upper time bound alerts are retrieved. <br> The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time. <br><br> **NOTE**: When not specified, the default value will be the current time.
string ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time. <br><br> Value should be set according to **ISO 8601** duration format <br> E.g. `ago=PT10M` will pull alerts received in the last 10 minutes.
int?limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.<br><br> **NOTE**: When not specified, all alerts available in the time range will be retrieved.
machinegroups | String | Specifies machine groups to pull alerts from. <br><br> **NOTE**: When not specified, alerts from all machine groups will be retrieved. <br><br> Example: <br><br> ```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines```
DateTime?sinceTimeUtc | string | Defines the lower time bound detections are retrieved from, based on field: <br> `LastProcessedTimeUtc` <br> The time range will be: from sinceTimeUtc time to current time. <br><br> **NOTE**: When not specified, all detections generated in the last two hours are retrieved.
DateTime?untilTimeUtc | string | Defines the upper time bound detections are retrieved. <br> The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time. <br><br> **NOTE**: When not specified, the default value will be the current time.
string ago | string | Pulls detections in the following time range: from `(current_time - ago)` time to `current_time` time. <br><br> Value should be set according to **ISO 8601** duration format <br> E.g. `ago=PT10M` will pull detections received in the last 10 minutes.
int?limit | int | Defines the number of detections to be retrieved. Most recent detections will be retrieved based on the number defined.<br><br> **NOTE**: When not specified, all detections available in the time range will be retrieved.
machinegroups | String | Specifies machine groups to pull detections from. <br><br> **NOTE**: When not specified, detections from all machine groups will be retrieved. <br><br> Example: <br><br> ```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines```
DeviceCreatedMachineTags | string | Single machine tag from the registry.
CloudCreatedMachineTags | string | Machine tags that were created in Microsoft Defender Security Center.
### Request example
The following example demonstrates how to retrieve all the alerts in your organization.
The following example demonstrates how to retrieve all the detections in your organization.
```syntax
GET https://wdatp-alertexporter-eu.windows.com/api/alerts
Authorization: Bearer <your access token>
```
The following example demonstrates a request to get the last 20 alerts since 2016-09-12 00:00:00.
The following example demonstrates a request to get the last 20 detections since 2016-09-12 00:00:00.
```syntax
GET https://wdatp-alertexporter-eu.windows.com/api/alerts?limit=20&sinceTimeUtc=2016-09-12T00:00:00.000
@ -178,14 +182,14 @@ AuthenticationContext context = new AuthenticationContext(string.Format("https:/
ClientCredential clientCredentials = new ClientCredential(clientId, clientSecret);
AuthenticationResult authenticationResult = context.AcquireToken(resource, clientCredentials);
```
### Use token to connect to the alerts endpoint
### Use token to connect to the detections endpoint
```
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(authenticationResult.AccessTokenType, authenticationResult.AccessToken);
HttpResponseMessage response = httpClient.GetAsync("https://wdatp-alertexporter-eu.windows.com/api/alert").GetAwaiter().GetResult();
string alertsJson = response.Content.ReadAsStringAsync().Result;
Console.WriteLine("Got alert list: {0}", alertsJson);
string detectionsJson = response.Content.ReadAsStringAsync().Result;
Console.WriteLine("Got detections list: {0}", detectionsJson);
```
@ -203,7 +207,7 @@ HTTP error code | Description
## Related topics
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md)
- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md)
- [Microsoft Defender ATP alert API fields](api-portal-mapping.md)
- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
- [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)

1
windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md
View File

@ -188,3 +188,4 @@ All other related details are also shown, for example, submission date/time, sub
## Related topic
- [Take response actions on a file](respond-file-alerts.md)
- [Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy)

10
windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md
View File

@ -25,7 +25,7 @@ ms.topic: troubleshooting
You might need to troubleshoot issues while pulling alerts in your SIEM tools.
You might need to troubleshoot issues while pulling detections in your SIEM tools.
This page provides detailed steps to troubleshoot issues you might encounter.
@ -80,7 +80,7 @@ If you encounter an error when trying to enable the SIEM connector application,
## Related topics
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
- [Configure ArcSight to pull Microsoft Defender ATP alerts](configure-arcsight.md)
- [Configure Splunk to pull Microsoft Defender ATP alerts](configure-splunk.md)
- [Microsoft Defender ATP alert API fields](api-portal-mapping.md)
- [Pull Microsoft Defender ATP alerts using REST API](pull-alerts-using-rest-api.md)
- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md)
- [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)

25
windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
View File

@ -54,6 +54,31 @@ From that page, you can do any of the following depending on what you need to do
- Choose from exception options - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet due to specific business reasons, compensation controls, or if it is a false positive.
## Report inaccuracy
You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information in the machine page.
1. Select the **Security recommendation** tab.
2. Click **:** beside the security recommendation that you want to report about, then select **Report inaccuracy**.
![Screenshot of Report inaccuracy control from the machine page under the Security recommendation column](images/tvm_report_inaccuracy.png)
<br>A flyout pane opens.</br>
![Screenshot of Report inaccuracy flyout pane](images/tvm_report_inaccuracyflyout.png)
3. From the flyout pane, select the inaccuracy category from the drop-down menu.
<br>![Screenshot of Report inaccuracy categories drop-down menu](images/tvm_report_inaccuracyoptions.png)</br>
4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported.
5. Include your machine name for investigation context.
>[!NOTE]
> You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context.
6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)

24
windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
View File

@ -33,6 +33,30 @@ In the field of discovery, we are leveraging the same set of signals in Microsof
Since it is real-time, in a matter of minutes, you will see vulnerability information as they get discovered. The engine automatically grabs information from multiple security feeds. In fact, you'll will see if a particular application is connected to a live campaign. It also provides a link to a Threat Analytics report soon as it's available.
## Report inaccuracy
You can report a false positive when you see any vague, inaccurate version, incomplete, or already remediated software inventory information in the machine page.
1. Select the **Software inventory** tab.
2. Click **:** beside the software that you want to report about, and then select **Report inaccuracy**.
![Screenshot of Report inaccuracy control from the machine page under the Software inventory column](images/tvm_report_inaccuracy_software.png)
<br>A flyout pane opens.</br>
![Screenshot of Report inaccuracy flyout pane](images/tvm_report_inaccuracy_softwareflyout.png)
3. From the flyout pane, select the inaccuracy category from the **Software inventory inaccuracy reason** drop-down menu.
<br>![Screenshot of Report inaccuracy software inventory inaccuracy reason drop-down menu](images/tvm_report_inaccuracy_softwareoptions.png)</br>
4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported.
5. Include your machine name for investigation context.
>[!NOTE]
> You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context.
6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)

37
windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
View File

@ -26,7 +26,7 @@ Threat & Vulnerability Management leverages the same signals in Microsoft Defend
The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, corresponding breach, and threat insights.
## Navigate through your organization's weaknesses page
You can see the list of vulnerabilities in three ways:
You can see the list of vulnerabilities in four ways:
*Vulnerabilities in global search*
1. Click the global search drop-down menu.
@ -48,6 +48,18 @@ You can see the list of vulnerabilities in three ways:
3. Select the **Discovered vulnerabilities** tab.
4. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
*Discovered vulnerabilities in the machine page*
1. Go to the left-hand navigation menu bar, then select the machine icon. The **Machines list** page opens.
<br>![Screenshot of Machines list page](images/tvm_machineslist.png)</br>
2. In the **Machines list** page, select the machine that you want to investigate.
<br>![Screenshot of machine list with selected machine to investigate](images/tvm_machinetoinvestigate.png)</br>
<br>A flyout pane opens with machine details and response action options.</br>
![Screenshot of the flyout pane with machine details and response options](images/tvm_machine_page_flyout.png)
3. In the flyout pane, select **Open machine page**. A page opens with details and response options for the machine you want to investigate.
<br>![Screenshot of the machine page with details and response options](images/tvm_machines_discoveredvuln.png)</br>
4. Select **Discovered vulnerabilities**.
5. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
## How it works
When new vulnerabilities are released, you would want know how many of your assets are exposed. You can see the list of vulnerabilities and the details in the **Weaknesses** page.
@ -66,6 +78,29 @@ The threat insights icons are highlighted if there are associated exploits in th
>[!NOTE]
> Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon and possible active alert ![possible active alert](images/tvm_alert_icon.png) icon.
## Report inaccuracy
You can report a false positive when you see any vague, inaccurate, missing, or already remediated vulnerability information in the machine page.
1. Select the **Discovered vulnerabilities** tab.
2. Click **:** beside the vulnerability that you want to report about, and then select **Report inaccuracy**.
![Screenshot of Report inaccuracy control from the machine page in the Discovered vulnerabilities tab](images/tvm_report_inaccuracy_vuln.png)
<br>A flyout pane opens.</br>
![Screenshot of Report inaccuracy flyout pane](images/tvm_report_inaccuracy_vulnflyout.png)
3. From the flyout pane, select the inaccuracy category from the **Discovered vulnerability inaccuracy reason** drop-down menu.
<br>![Screenshot of discovered vulnerability inaccuracy reason drop-down menu](images/tvm_report_inaccuracy_vulnoptions.png)</br>
4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported.
5. Include your machine name for investigation context.
>[!NOTE]
> You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context.
6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)

196
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-preferences.md
View File

@ -35,6 +35,9 @@ This topic describes the structure of this profile (including a recommended prof
The configuration profile is a .plist file that consists of entries identified by a key (which denotes the name of the preference), followed by a value, which depends on the nature of the preference. Values can either be simple (such as a numerical value) or complex, such as a nested list of preferences.
>[!CAUTION]
>The layout of the configuration profile depends on the management console that you are using. The following sections contain examples of configuration profiles for JAMF and Intune.
The top level of the configuration profile includes product-wide preferences and entries for subareas of the product, which are explained in more detail in the next sections.
### Antivirus engine preferences
@ -222,6 +225,8 @@ The following configuration profile will:
- Enable cloud delivered protection
- Enable automatic sample submission
### JAMF profile
```XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
@ -258,10 +263,91 @@ The following configuration profile will:
</plist>
```
### Intune profile
```XML
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>com.microsoft.wdav</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>antivirusEngine</key>
<dict>
<key>enableRealTimeProtection</key>
<true/>
<key>threatTypeSettings</key>
<array>
<dict>
<key>key</key>
<string>potentially_unwanted_application</string>
<key>value</key>
<string>block</string>
</dict>
<dict>
<key>key</key>
<string>archive_bomb</string>
<key>value</key>
<string>audit</string>
</dict>
</array>
</dict>
<key>cloudService</key>
<dict>
<key>enabled</key>
<true/>
<key>automaticSampleSubmission</key>
<true/>
</dict>
</dict>
</array>
</dict>
</plist>
```
## Full configuration profile example
The following configuration profile contains entries for all settings described in this document and can be used for more advanced scenarios where you want more control over the product.
### JAMF profile
```XML
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
@ -329,6 +415,116 @@ The following configuration profile contains entries for all settings described
</plist>
```
### Intune profile
```XML
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP settings</string>
<key>PayloadDescription</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadType</key>
<string>com.microsoft.wdav</string>
<key>PayloadOrganization</key>
<string>Microsoft</string>
<key>PayloadIdentifier</key>
<string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>
<key>PayloadDisplayName</key>
<string>Microsoft Defender ATP configuration settings</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>antivirusEngine</key>
<dict>
<key>enableRealTimeProtection</key>
<true/>
<key>exclusions</key>
<array>
<dict>
<key>$type</key>
<string>excludedPath</string>
<key>isDirectory</key>
<false/>
<key>path</key>
<string>/var/log/system.log</string>
</dict>
<dict>
<key>$type</key>
<string>excludedPath</string>
<key>isDirectory</key>
<true/>
<key>path</key>
<string>/home</string>
</dict>
<dict>
<key>$type</key>
<string>excludedFileExtension</string>
<key>extension</key>
<string>pdf</string>
</dict>
</array>
<key>allowedThreats</key>
<array>
<string>eicar</string>
</array>
<key>threatTypeSettings</key>
<array>
<dict>
<key>key</key>
<string>potentially_unwanted_application</string>
<key>value</key>
<string>block</string>
</dict>
<dict>
<key>key</key>
<string>archive_bomb</string>
<key>value</key>
<string>audit</string>
</dict>
</array>
</dict>
<key>cloudService</key>
<dict>
<key>enabled</key>
<true/>
<key>diagnosticLevel</key>
<string>optional</string>
<key>automaticSampleSubmission</key>
<true/>
</dict>
</dict>
</array>
</dict>
</plist>
```
## Configuration profile deployment
Once you've built the configuration profile for your enterprise, you can deploy it through the management console that your enterprise is using. The following sections provide instructions on how to deploy this profile using JAMF and Intune.