diff --git a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md index 65dcdf6805..0106702834 100644 --- a/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-aad-windows-defender-advanced-threat-protection.md @@ -24,7 +24,7 @@ localizationpriority: high You need to add an application in your Azure Active Directory (AAD) tenant then authorize the Windows Defender ATP Alerts Export application to communicate with it so that your security information and events management (SIEM) tool can consume alerts from Windows Defender ATP portal. -1. Login to the [Azure management portal](https://manage.windowsazure.com). +1. Login to the [Azure management portal](https://ms.portal.azure.com). 2. Select **Active Directory**. @@ -53,14 +53,12 @@ You need to add an application in your Azure Active Directory (AAD) tenant then 13. Click **Save** and copy the key in a safe place. You'll need this key to authenticate the client application on Azure Active Directory. -14. Open a web browser and connect to the following URL:
-```text -https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=f7c1acd8-0458-48a0-a662-dba6de049d1c&tenantId=&clientSecret=1234 -``` -An Azure login page appears. -> [!NOTE] -> - Replace *tenant ID* with your actual tenant ID. -> - Keep the client secret as is. This is a dummy value, but the parameter must appear. +14. Open a web browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=f7c1acd8-0458-48a0-a662-dba6de049d1c&tenantId=&clientSecret=1234`
+ + An Azure login page appears. + > [!NOTE] + > - Replace *tenant ID* with your actual tenant ID. + > - Keep the *clientSecret* as is. This is a dummy value, but the parameter must appear. 15. Sign in with the credentials of a user from your tenant. @@ -80,7 +78,37 @@ An Azure login page appears. 23. Save the application changes. -After configuring the application in AAD, you can continue to configure the SIEM tool that you want to use. +After configuring the application in AAD, you'll need to obtain a refresh token. You'll need to use the token when you configure the connector for your SIEM tool in the next steps. The token lets the connector access Windows Defender ATP events to be consumed by your SIEM. + +## Obtain a refresh token +Obtain a refresh token used to retrieve the Windows Defender Advanced Threat Protection events to your SIEM. This section provides information on how you can use an events URL to obtain the required refresh token. +>[!NOTE] +>For HP ArcSight, you can obtain a refresh token using the restutil tool. + +### Before you begin +Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page: + + - OAuth 2 Client ID + - OAuth 2 Client secret + +You'll use these values to obtain a refresh token. + +>[!IMPORTANT] +>Before using the OAuth 2 Client secret described in the next steps, you **must** encode it. Use a URL encoder to transform the OAuth 2 client secret. + +### Obtain a refresh token +1. Open a web browser and connect to the following URL: `https://DataAccess-PRD.trafficmanager.net:444/api/FetchToken?clientId=&tenantId=&clientSecret=` + + >[!NOTE] + >- Replace the *client ID* value with the one you got from your AAD application. + >- Replace *tenant ID* with your actual tenant ID. + >- Replace *client secret* with your encoded client secret. The client secret **must** be pasted encoded. + +2. Click **Accept**. When you authenticate, a web page opens with your refresh token. + +3. Save the refresh token which you'll find it the ``value. You'll need this value when configuring your SIEM tool. + +After configuring your AAD application and generating a refresh token, you can proceed to configure your SIEM tool. ## Related topics - [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md index 614004d2dc..1c36768862 100644 --- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md @@ -25,26 +25,36 @@ You'll need to configure HP ArcSight so that it can consume Windows Defender ATP ## Before you begin -- Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page: +- Get the following information from your Azure Active Directory (AAD) application by selecting **View Endpoint** on the application configuration page: - OAuth 2 Token refresh URL - OAuth 2 Client ID - OAuth 2 Client secret -- Create your OAUth 2 Client properties file or get it from your Windows Defender ATP contact. For more information, see the ArcSight FlexConnector Developer's guide. +- Download the [WDATP-connector.properties](http://download.microsoft.com/download/3/9/C/39C703C2-487C-4C3E-AFD8-14C2253C2F12/WDATP-connector.properties) file and update the following values: - > [!NOTE] - > **For the authorization URL**: Append the following to the value you got from the AAD app: ```?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com```
- > **For the redirect_uri value use**: ```https://localhost:44300/wdatpconnector``` - > -- Get the *wdatp-connector.properties* file from your Windows Defender ATP contact. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format. -- Install the HP ArcSight REST FlexConnector package on a server that has access to the Internet. -- Contact the Windows Defender ATP team to get your refresh token or follow the steps in the section "Run restutil to Obtain a Refresh Token for Connector Appliance/ArcSight Management Center" in the ArcSight FlexConnector Developer's guide. + - **client_ID**: OAuth 2 Client ID + - **client_secret**: OAuth 2 Client secret + - **auth_url**: ```https://login.microsoftonline.com/?resource=https%3A%2F%2FWDATPAlertExport.Seville.onmicrosoft.com ``` + + >!NOTE + >Replace *tenantID* with your tenant ID. + + - **token_url**: `https://login.microsoftonline.com//oauth2/token` + + >!NOTE + >Replace the *tenantID* value with your tenant ID. + + - **redirect_uri**: ```https://localhost:44300/wdatpconnector``` + - **scope**: Leave the value blank + +- Download the [WDATP-connector.jsonparser.properties](http://download.microsoft.com/download/0/8/A/08A4957D-0923-4353-B25F-395EAE363E8C/WDATP-connector.jsonparser.properties) file. This file is used to parse the information from Windows Defender ATP to HP ArcSight consumable format. +- Install the HP ArcSight REST FlexConnector package. You can find this in the HPE Software center. Install the package on a server that has access to the Internet. ## Configure HP ArcSight -The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). +The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). For more information, see the ArcSight FlexConnector Developer's guide. -1. Copy the *wdatp-connector.jsonparser.properties* file into the `\current\user\agent\flexagent` folder of the connector installation folder. +1. Save the [WDATP-connector.jsonparser.properties file](http://download.microsoft.com/download/0/8/A/08A4957D-0923-4353-B25F-395EAE363E8C/WDATP-connector.jsonparser.properties) file into the connector installation folder. The -2. Save the *wdatp-connector.properties* file into a folder of your choosing. +2. Save the [WDATP-connector.properties](http://download.microsoft.com/download/3/9/C/39C703C2-487C-4C3E-AFD8-14C2253C2F12/WDATP-connector.properties) file into the `\current\user\agent\flexagent` folder of the connector installation folder. 3. Open an elevated command-line: @@ -69,7 +79,7 @@ The following steps assume that you have completed all the required steps in [Be Type in the name of the client property file. It must match the client property file. Events URL - `https://DataAccess-PRD.trafficmanager.net:444/api/alerts` + Depending on the location of your datacenter, select either the EU or the US URL:

**For EU**: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts
**For US:** https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts Authentication Type OAuth 2 @@ -78,7 +88,8 @@ The following steps assume that you have completed all the required steps in [Be Select *wdatp-connector.properties*. Refresh Token - Paste the refresh token that your Windows Defender ATP contact provided, or run the `restutil` tool to get it. + You can use the Windows Defender ATP events URL or the restutil tool to get obtain a refresh token.
For more information on getting your refresh token using the events URL, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token).

**To get your refresh token using the restutil tool:**
a. Open a command prompt. Navigate to `C:\ArcSightSmartConnectors\\current\bin`.

b. Type: `arcsight restutil token -config C:\ArcSightSmartConnectors_Prod\WDATP\WDATP-connector.properties`. A Web browser window will open.

c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

d. A refresh token is shown in the command prompt.

e. Paste the value in the form. + diff --git a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md index 60e1c00469..ee6c76e9b7 100644 --- a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md @@ -25,9 +25,9 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler ## Before you begin -- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk -- Contact the Windows Defender ATP team to get your refresh token -- Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page: +- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk. +- Obtain your refresh token. For more information, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token). +- Get the following information from your Azure Active Directory (AAD) application by selecting **View Endpoint** on the application configuration page: - OAuth 2 Token refresh URL - OAuth 2 Client ID - OAuth 2 Client secret @@ -56,7 +56,8 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler Endpoint URL - https://DataAccess-PRD.trafficmanager.net:444/api/alerts + Depending on the location of your datacenter, select either the EU or the US URL:

**For EU**: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts
**For US:** https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts + HTTP Method diff --git a/windows/keep-secure/images/atp-refresh-token.png b/windows/keep-secure/images/atp-refresh-token.png new file mode 100644 index 0000000000..3f7e8c7c69 Binary files /dev/null and b/windows/keep-secure/images/atp-refresh-token.png differ