diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index fb18c0081b..09d3a84fe5 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -744,6 +744,7 @@ #### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) #### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md) #### [Configure SIEM tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md) +##### [Enable SIEM integration in Windows Defender ATP](enable-siem-connector-windows-defender-advanced-threat-protection.md) ##### [Configure an Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md) ##### [Configure Splunk to consume Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) ##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md) diff --git a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md index 5d5ba7a2fb..1d4f0cd4f1 100644 --- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md @@ -82,14 +82,33 @@ The following steps assume that you have completed all the required steps in [Be 6. Type the following information in the parameter details form. All other values in the form are optional and can be left blank. - Field | Value - :---|:--- - Configuration File | Type in the name of the client property file. It must match the client property file.

For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", the field must be names as the suffix which is "WDATP-Connector". - Events URL | Depending on the location of your datacenter, select either the EU or the US URL:

**For EU**: `https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME`

**For US**: `https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME` - Authentication Type | OAuth 2 - OAuth 2 Client Properties file | Browse to the location of the wdatp-connector.properties file. - Refresh Token | Use either the Windows Defender ATP token URL or the restutil tool to obtain your refresh token. For more information, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token).

**Get your refresh token using the restutil tool:**
a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool.
b. Type: `arcsight restutil token -config` from the bin directory . A Web browser window will open.
c. A web browser will open. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.
d. A refresh token is provided in the command prompt.
e. Copy and paste it into the **Refresh Token** field. - + + + + + + + + + + + + + + + + + + + + + + + +
FieldValue
Configuration FileType in the name of the client property file. It must match the client property file. + For example, if the configuration file in "flexagent" directory is named "WDATP-Connector.jsonparser.properties", the field must be names as the suffix which is "WDATP-Connector".
Events URLDepending on the location of your datacenter, select either the EU or the US URL:

**For EU**: https://wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME +
**For US:** https://wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
Authentication TypeOAuth 2
OAuth 2 Client Properties fileBrowse to the location of the *wdatp-connector.properties* file.
Refresh TokenUse the Windows Defender ATP events URL or the restutil tool to get obtain a refresh token.
For more information on getting your refresh token using the events URL, see [Obtain a refresh token](configure-aad-windows-defender-advanced-threat-protection.md#obtain-a-refresh-token).

**Get your refresh token using the restutil tool:**
a. Open a command prompt. Navigate to C:\\*folder_location*\current\bin where *folder_location* represents the location where you installed the tool.

b. Type: `arcsight restutil token -config` from the bin directory. A Web browser window will open.

c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

d. A refresh token is shown in the command prompt.

e. Copy and paste it into the **Refresh Token** field. +
7. A browser window is opened by the connector. Login with your application credentials. After you log in, you'll be asked to give permission to your OAuth2 Client. You must give permission to your OAuth 2 Client so that the connector configuration can authenticate.

If the `redirect_uri` is a https URL, you'll be redirected to a URL on the local host. You'll see a page that requests for you to trust the certificate supplied by the connector running on the local host. You'll need to trust this certificate if the redirect_uri is a https.

If however you specify a http URL for the redirect_uri, you do not need to provide consent in trusting the certificate. diff --git a/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..075f0d3860 --- /dev/null +++ b/windows/keep-secure/enable-siem-integration-windows-defender-advanced-threat-protection.md 
@@ -0,0 +1,40 @@ +--- +title: Enable SIEM integration in Windows Defender Advanced Threat Protection +description: Enable SIEM integration to receive alerts in your security information and event management (SIEM) solution. +keywords: enable siem connector, siem, connector, security information and events +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mjcaparas +localizationpriority: high +--- + +# Enable SIEM integration in Windows Defender ATP + +**Applies to:** + +- Windows 10 Enterprise +- Windows 10 Education +- Windows 10 Pro +- Windows 10 Pro Education +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Enable security information and event management (SIEM) integration so that you can receive alerts in your SIEM solution from the Windows Defender ATP portal. + +1. In the navigation pane, select **Preferences setup** > **SIEM integration**. + +2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant. + + >[!WARNING] + >The client secret is only displayed once. Make sure you keep a copy of it in a safe place. + >For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). + +3. Choose the SIEM type you use in your organization. + +4. Copy the individual values or select **Save details to file** to download a file that contains all the values. + +5. Select **Generate tokens** to get an access and refresh token. + +You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from the Windows Defender ATP portal.
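Review bot: the new TOC entry in the first hunk links to `enable-siem-connector-windows-defender-advanced-threat-protection.md`, but the file this patch creates is `enable-siem-integration-windows-defender-advanced-threat-protection.md`, so the link will be broken as soon as the TOC renders. Either rename the new file or change the link target to `(enable-siem-integration-windows-defender-advanced-threat-protection.md)` so the two agree.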
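Review bot: the Events URL hostnames in the rebuilt table of the `configure-arcsight` hunk drop the `securitycenter` label. The removed rows point to `https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME` and the matching `-us.securitycenter.windows.com` URL, while the added rows read `https://wdatp-alertexporter-eu.windows.com/...` and `https://wdatp-alertexporter-us.windows.com/...`. If the endpoint has not actually moved, this sends the ArcSight connector to the wrong host and alert ingestion fails silently; please confirm the intended hostname and keep these rows consistent with the Splunk and AAD pages. Smaller points in the same hunk: "the field must be names as the suffix" (carried over from the old table) should be "must be named"; "to get obtain a refresh token" has a doubled verb; the Refresh Token row now says "events URL" where the removed text and the linked "Obtain a refresh token" section refer to the token URL; step c still asks for credentials twice ("Type in your credentials ... In the login prompt, enter your credentials"); and markdown emphasis inside the HTML table cells (`**For EU**:`, `**For US:**`, `*wdatp-connector.properties*`) will not render in processors that treat the HTML block as opaque, and the colon placement in the two bold labels is inconsistent.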
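Review bot: in step 2 of the new `enable-siem-integration` page, "an application is created under you Azure Active Directory (AAD) tenant" should read "under your", and in the warning block "For more information about getting a new secret see, [Learn how to get a new secret]" has the comma on the wrong side of "see". Since that warning stresses the client secret is displayed only once, it should also cover the file produced by **Save details to file** in step 4, which the text says "contains all the values" and therefore includes the secret: tell the reader to store that file with the same care as the secret itself and to remove it once the SIEM is configured.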