2019-09-20 11:18:00 -07:00


title: Troubleshoot SIEM tool integration issues in Microsoft Defender ATP
description: Troubleshoot issues that might arise when using SIEM tools with Microsoft Defender ATP.
keywords: troubleshoot, siem, client secret, secret
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: troubleshooting

Troubleshoot SIEM tool integration issues

Applies to:

You might need to troubleshoot issues while pulling detections in your SIEM tools.

This page provides detailed steps to troubleshoot issues you might encounter.

Learn how to get a new client secret

If your client secret expires or if you've misplaced the copy provided when you were enabling the SIEM tool application, you'll need to get a new secret.

  1. Log in to the Azure management portal.

  2. Select Azure Active Directory.

  3. Select your tenant.

  4. Click App registrations. Then in the applications list, select the application:

    • For SIEM: https://WindowsDefenderATPSiemConnector
    • For Threat intelligence API: https://WindowsDefenderATPCustomerTiConnector
  5. Select the Keys section, then provide a key description and specify the key validity duration.

  6. Click Save. The key value is displayed.

  7. Copy the value and save it in a safe place.

Error when getting a refresh access token

If you encounter an error when trying to get a refresh token when using the threat intelligence API or SIEM tools, you'll need to add a reply URL for the relevant application in Azure Active Directory.

  1. Log in to the Azure management portal.

  2. Select Azure Active Directory.

  3. Select your tenant.

  4. Click App Registrations. Then in the applications list, select the application:

    • For SIEM: https://WindowsDefenderATPSiemConnector
    • For Threat intelligence API: https://WindowsDefenderATPCustomerTiConnector
  5. Add the following URL:

    • For the European Union: https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback
    • For the United Kingdom: https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback
    • For the United States: https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback
  6. Click Save.
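
The following check is an added example, not part of the original documentation. It compares the reply URLs you copy out of the app registration against the callback URL listed above for your region and reports near-misses such as a trailing period picked up from the end of a sentence, another region's callback, or `http` in place of `https`. The function names and the sample list are hypothetical, and the check assumes that Azure Active Directory matches reply URLs as exact strings.

```python
# Callback URLs listed on this page, keyed by region.
REQUIRED = {
    "eu": "https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback",
    "uk": "https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback",
    "us": "https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback",
}


def _norm(url):
    # Fold differences that creep in when a URL is pasted from prose:
    # surrounding whitespace, a trailing '.' or '/', and letter case.
    return url.strip().rstrip("./").lower()


def check_reply_urls(region, configured):
    """Return (ok, findings); findings is a list of (code, detail) tuples."""
    region = region.lower()
    want = REQUIRED[region]
    # Assumption: the identity provider compares reply URLs as exact strings.
    if want in configured:
        return True, []
    other_regions = {_norm(v): k for k, v in REQUIRED.items() if k != region}
    findings = []
    for url in configured:
        n = _norm(url)
        if n == _norm(want):
            # Right URL, wrong spelling (case, whitespace, trailing '.' or '/').
            findings.append(("near-miss", url))
        elif n in other_regions:
            findings.append(("wrong-region", url))
        elif n.replace("http://", "https://", 1) == _norm(want):
            findings.append(("not-https", url))
    if not findings:
        findings.append(("missing", want))
    return False, findings


if __name__ == "__main__":
    # Constructed sample: values as they might be copied from the portal.
    sample = [
        REQUIRED["us"] + ".",   # trailing period pasted along with the URL
        REQUIRED["eu"],         # callback for a different region
    ]
    ok, findings = check_reply_urls("us", sample)
    print("OK" if ok else "FIX NEEDED")
    for code, detail in findings:
        print(f"  {code}: {detail}")
```
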

Error while enabling the SIEM connector application

If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability.
