
Microsoft Windows Defender ATP

 

The JSA DSM for Microsoft Windows Defender ATP collects events from a Microsoft Windows Defender ATP system.

To integrate Microsoft Windows Defender ATP with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console:
    • Protocol Common RPM

    • Windows Defender ATP REST API Protocol RPM

    • DSMCommon RPM

    • Microsoft Windows Defender ATP DSM RPM

  2. Configure your Microsoft Windows Defender ATP appliance to send events to JSA.
  3. Add a Microsoft Windows Defender ATP log source that uses the Microsoft Windows Defender ATP REST API on the JSA Console. JSA does not automatically detect the Microsoft Windows Defender ATP REST API.

Microsoft Windows Defender ATP DSM Specifications

The following table identifies the specifications for the Microsoft Windows Defender ATP DSM.

Table 1: Microsoft Windows Defender ATP DSM Specifications

Manufacturer: Microsoft

DSM name: Microsoft Windows Defender ATP

RPM file name: DSM-MicrosoftWindowsDefenderATP-JSA-version-Build_number.noarch.rpm

Supported versions: N/A

Protocol: JSON

Event format: Windows Defender ATP REST API

Recorded event types: Windows Defender ATP, Windows Defender AV, Third Party TI, Customer TI, Bitdefender

Automatically discovered?: No

Includes identity?: No

Includes custom properties?: No

More information: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection

Configuring JSA to Collect Events from Microsoft Windows Defender ATP by using the Windows Defender ATP REST API

The Microsoft Windows Defender ATP REST API collects alerts from the Windows Defender Advanced Threat Protection security service.

Before you can add a log source in JSA, you must obtain the Microsoft Windows Defender ATP connection information by completing the following steps:

  1. Log in to the Windows Defender Security Center.

  2. From the menu on the left, click Settings.

  3. From the Settings window, in the API section, click SIEM.

  4. From the SIEM application details list, copy and record the values for the Client ID and the Authorization server URL and Resource fields. You need these values when you configure a log source in JSA.

Note

You need the Client Secret value to connect to JSA. The Client Secret value is only displayed the first time that you go to the page. If you don't have access to the Client Secret value, contact your Microsoft Azure administrator to request a new client secret.

  1. Click the Admin tab.
  2. Click Log Sources, and then click Add.
  3. From the Log Source Type list, select Microsoft Windows Defender ATP.
  4. From the Protocol Configuration list, select Windows Defender ATP REST API, and configure the parameters.

    The following table describes the parameters that require specific values to collect alerts from Microsoft Windows Defender ATP by using the Windows Defender ATP REST API.

    Table 2: Windows Defender ATP REST API Log Source Parameters

    Authorization Server URL
      The URL for the server that provides the authorization to obtain an access token. The access token is used as the authorization to obtain events from Windows Defender ATP.
      The Authorization Server URL uses the format https://login.windows.net/<Tenant_ID>/oauth2/token, where <Tenant_ID> is a UUID.

    Resource
      The resource that is used to access Windows Defender ATP events.

    Client ID
      Ensures that the user is authorized to obtain an access token.

    Client Secret
      Ensures that the user is authorized to obtain an access token. The Client Secret value is displayed only one time, and then is no longer visible. If you don't have access to the Client Secret value, contact your Microsoft Azure administrator to request a new client secret.

    Regions
      Select the regions that are associated with Windows Defender ATP that you want to collect logs from.

    Other Region
      Type the names of any additional regions that are associated with Windows Defender ATP that you want to collect logs from. Use a comma-separated list; for example, region1,region2.

    Use Proxy
      If a proxy for JSA is configured, all traffic for the log source travels through the proxy for JSA to access Windows Defender ATP.
      Configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, configure only the Proxy Server and Proxy Port fields.

    Recurrence
      Specifies how often the log source collects data. The format is M/H/D for Minutes/Hours/Days. The default is 5 M.

    EPS Throttle
      The upper limit for the maximum number of events per second (EPS). The default is 5000.

  5. Click Save.
  6. On the Admin tab, click Deploy Changes.
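The following Python is added here as an illustration and is not part of JSA or of the Windows Defender ATP REST API protocol. It shows what the Table 2 parameters feed: the Authorization Server URL, Client ID, Client Secret and Resource become an OAuth2 client-credentials token request to the tenant's token endpoint (the secret travels in the request body, which is why it should be masked before anything is logged), and the Regions, Other Region and Recurrence values are parsed into lists and seconds. The function names, the region merge rules and the recurrence conversion are assumptions made for this example.

```python
"""Checks for the Windows Defender ATP REST API log source parameters.

Added example, not part of the JSA documentation or product code. It shows
what the Authorization Server URL, Client ID, Client Secret and Resource
parameters are used for (an OAuth2 client-credentials token request to the
tenant's token endpoint) and how the Regions, Other Region and Recurrence
values can be read. The function names, the region merge rules and the
recurrence conversion are assumptions made for this illustration.
"""
import re
import uuid
from urllib.parse import urlencode

# Documented format: https://login.windows.net/<Tenant_ID>/oauth2/token
AUTH_URL_RE = re.compile(
    r"^https://login\.windows\.net/([0-9a-fA-F-]{36})/oauth2/token$")


def tenant_id_from_auth_url(auth_server_url: str) -> str:
    """Return the tenant UUID embedded in the Authorization Server URL.

    Raises ValueError when the URL does not match the documented format or
    when the path segment is not a UUID, so a mistyped URL is caught before
    any credentials are sent anywhere."""
    m = AUTH_URL_RE.match(auth_server_url.strip())
    if not m:
        raise ValueError("Authorization Server URL is not in the expected format")
    tenant = m.group(1)
    uuid.UUID(tenant)  # raises ValueError if the segment is not a UUID
    return tenant.lower()


def build_token_request(auth_server_url, client_id, client_secret, resource):
    """Build the OAuth2 client-credentials token request the protocol relies on.

    Returns (url, form_body) and sends nothing. The body carries the Client
    Secret in clear form, which is why that value must stay out of logs."""
    tenant_id_from_auth_url(auth_server_url)
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    })
    return auth_server_url, body


def redacted(body: str) -> str:
    """Mask the client_secret value in a form body before logging it."""
    return re.sub(r"(client_secret=)[^&]*", r"\1***", body)


def merge_regions(selected, other_region=""):
    """Combine the Regions selection with the comma-separated Other Region
    text (assumed rules: blanks dropped, case-insensitive duplicates removed,
    first-seen order preserved)."""
    seen, out = set(), []
    for region in list(selected) + other_region.split(","):
        region = region.strip()
        if region and region.lower() not in seen:
            seen.add(region.lower())
            out.append(region)
    return out


_UNIT_SECONDS = {"M": 60, "H": 3600, "D": 86400}


def recurrence_seconds(value: str = "5 M") -> int:
    """Convert a Recurrence value such as '5 M', '2H' or '1 D' to seconds.

    The default argument mirrors the documented default of 5 M."""
    m = re.fullmatch(r"\s*(\d+)\s*([MHDmhd])\s*", value)
    if not m:
        raise ValueError(f"bad recurrence value: {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2).upper()]


if __name__ == "__main__":
    url, body = build_token_request(
        "https://login.windows.net/12345678-1234-1234-1234-123456789abc/oauth2/token",
        "client-id-placeholder", "client-secret-placeholder",
        "https://resource.example")
    print("POST", url)
    print("body:", redacted(body))
    print("regions:", merge_regions(["US"], "region1,region2"))
    print("poll every", recurrence_seconds("5 M"), "seconds")
```

Run the module directly to see the request that would be sent, with the secret masked; the tenant ID, client ID and resource in the usage are placeholders, not values from a real tenant.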

Sample Event Messages

Use these sample event messages as a way of verifying a successful integration with JSA.

The following table provides a sample event message when using the Microsoft Windows Defender ATP REST API protocol for the Microsoft Windows Defender ATP DSM:

Table 3: Microsoft Windows Defender ATP Sample Message Supported by Microsoft Windows Defender ATP

Event name: Windows Defender ATP command and control alert

Low level category: Suspicious Activity

Sample log message:

{"AlertTime":"2017-12-27T03:54:41.1914393Z","ComputerDnsName":"<ComputerDnsName>","AlertTitle":"<AlertTitle>","Category":"CommandAndControl","Severity":"<Severity>","AlertId":"<AlertId>","Actor":"<Actor>","LinkToWDATP":"<LinkToWDATP>","IocName":"<IocName>","IocValue":"<IocValue>","CreatorIocName":"<CreatorIocName>","CreatorIocValue":"<CreatorIocValue>","Sha1":"<Sha1>","FileName":"<FileName>","FilePath":"<FilePath>","IPAddress":"192.0.2.0","Url":"<Url>","IoaDefinitionId":"<IoaDefinitionId>","UserName":"qradar1","AlertPart":"<AlertPart>","FullId":"<FullId>","LastProcessedTimeUtc":"2017-12-27T07:16:34.1412283Z","ThreatCategory":"<ThreatCategory>","ThreatFamily":"<ThreatFamily>","ThreatName":"<ThreatName>","RemediationAction":"<RemediationAction>","RemediationIsSuccess":"<RemediationIsSuccess>","Source":"WindowsDefenderAtp","Md5":"<Md5>","Sha256":"<Sha256>","WasExecutingWhileDetected":"<WasExecutingWhileDetected>","UserDomain":"<UserDomain>","LogOnUsers":"<LogOnUsers>","MachineDomain":"<MachineDomain>","MachineName":"<MachineName>","InternalIPv4List":"192.0.2.0;127.0.0.1","InternalIPv6List":"2001:0DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF","FileHash":"<FileHash>","ExternalId":"<ExternalId>","IocUniqueId":"IocUniqueId"}

Event name: Windows Defender ATP malware alert

Low level category: Misc. Malware

Sample log message:

{"AlertTime":"2017-12-27T03:54:41.1914393Z","ComputerDnsName":"<ComputerDnsName>","AlertTitle":"<AlertTitle>","Category":"CommandAndControl","Severity":"<Severity>","AlertId":"<AlertId>","Actor":"<Actor>","LinkToWDATP":"<LinkToWDATP>","IocName":"<IocName>","IocValue":"<IocValue>","CreatorIocName":"<CreatorIocName>","CreatorIocValue":"<CreatorIocValue>","Sha1":"<Sha1>","FileName":"<FileName>","FilePath":"<FilePath>","IPAddress":"192.0.2.0","Url":"<Url>","IoaDefinitionId":"<IoaDefinitionId>","UserName":"qradar1","AlertPart":"<AlertPart>","FullId":"<FullId>","LastProcessedTimeUtc":"2017-12-27T07:16:34.1412283Z","ThreatCategory":"<ThreatCategory>","ThreatFamily":"<ThreatFamily>","ThreatName":"<ThreatName>","RemediationAction":"<RemediationAction>","RemediationIsSuccess":"<RemediationIsSuccess>","Source":"WindowsDefenderAtp","Md5":"<Md5>","Sha256":"<Sha256>","WasExecutingWhileDetected":"<WasExecutingWhileDetected>","UserDomain":"<UserDomain>","LogOnUsers":"<LogOnUsers>","MachineDomain":"<MachineDomain>","MachineName":"<MachineName>","InternalIPv4List":"192.0.2.0;127.0.0.1","InternalIPv6List":"2001:0DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF","FileHash":"<FileHash>","ExternalId":"<ExternalId>","IocUniqueId":"IocUniqueId"}

Event name: Windows Defender ATP exploit alert

Low level category: Misc. Exploit

Sample log message:

{"AlertTime":"2017-12-26T21:28:21.5123241Z","ComputerDnsName":"<ComputerDnsName>","AlertTitle":"<AlertTitle>","Category":"Malware","Severity":"<Severity>","AlertId":"<AlertId>","Actor":"<Actor>","LinkToWDATP":"<LinkToWDATP>","IocName":"<IocName>","IocValue":"<IocValue>","CreatorIocName":"<CreatorIocName>","CreatorIocValue":"<CreatorIocValue>","Sha1":"<Sha1>","FileName":"<FileName>","FilePath":"<FilePath>","IPAddress":"192.0.2.0","Url":"<Url>","IoaDefinitionId":"<IoaDefinitionId>","UserName":"qradar1","AlertPart":"<AlertPart>","FullId":"<FullId>","LastProcessedTimeUtc":"2017-12-27T04:54:17.1700156Z","ThreatCategory":"<ThreatCategory>","ThreatFamily":"<ThreatFamily>","ThreatName":"<ThreatName>","RemediationAction":"<RemediationAction>","RemediationIsSuccess":"<RemediationIsSuccess>","Source":"WindowsDefenderAtp","Md5":"<Md5>","Sha256":"<Sha256>","WasExecutingWhileDetected":"<WasExecutingWhileDetected>","UserDomain":"<UserDomain>","LogOnUsers":"<LogOnUsers>","MachineDomain":"<MachineDomain>","MachineName":"<MachineName>","InternalIPv4List":"192.0.2.0;127.0.0.1","InternalIPv6List":"2001:0DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF","FileHash":"<FileHash>","ExternalId":"<ExternalId>","IocUniqueId":"IocUniqueId"}

Event name: Windows Defender ATP backdoor alert

Low level category: Backdoor Detected

Sample log message:

{"AlertTime":"2017-11-22T18:01:32.1887775Z","ComputerDnsName":"<ComputerDnsName>","AlertTitle":"<AlertTitle>","Category":"backdoor","Severity":"<Severity>","AlertId":"<AlertId>","Actor":"<Actor>","LinkToWDATP":"<LinkToWDATP>","IocName":"<IocName>","IocValue":"<IocValue>","CreatorIocName":"<CreatorIocName>","CreatorIocValue":"<CreatorIocValue>","Sha1":"<Sha1>","FileName":"<FileName>","FilePath":"<FilePath>","IPAddress":"192.0.2.0","Url":"<Url>","IoaDefinitionId":"<IoaDefinitionId>","UserName":"qradar1","AlertPart":"<AlertPart>","FullId":"<FullId>","LastProcessedTimeUtc":"2017-11-22T18:01:49.8739015Z","ThreatCategory":"<ThreatCategory>","ThreatFamily":"<ThreatFamily>","ThreatName":"<ThreatName>","RemediationAction":"<RemediationAction>","RemediationIsSuccess":"<RemediationIsSuccess>","Source":"WindowsDefenderAtp","Md5":"<Md5>","Sha256":"<Sha256>","WasExecutingWhileDetected":"<WasExecutingWhileDetected>","UserDomain":"<UserDomain>","LogOnUsers":"<LogOnUsers>","MachineDomain":"<MachineDomain>","MachineName":"<MachineName>","InternalIPv4List":"192.0.2.0;127.0.0.1","InternalIPv6List":"2001:0DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF","FileHash":"<FileHash>","ExternalId":"<ExternalId>","IocUniqueId":"IocUniqueId"}
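The following Python is an added example, not code from JSA or from Microsoft, that parses an alert of the shape shown in Table 3 and normalises it into a flat record of the kind a detection rule would match on. Its SAMPLE_ALERT is constructed from the page's command-and-control sample with the angle-bracket placeholders replaced by invented values; the mapping from the alert Category to the low-level categories listed in Table 3, the required-field check and the output layout are assumptions for this illustration, not JSA's own event mapping. The one edge case it handles deliberately is the API's seven-digit fractional-second timestamps, which Python's strptime cannot parse without truncation.

```python
"""Parse and normalise a Windows Defender ATP REST API alert like those in Table 3.

Added example, not code from JSA or from Microsoft. SAMPLE_ALERT is
constructed from the page's command-and-control sample with the
angle-bracket placeholders replaced by invented values; the mapping of
the alert Category to a low-level category and the shape of the
normalised record are assumptions for illustration.
"""
import json
from datetime import datetime, timezone

# Constructed sample. The hashes are the well-known digests of empty input,
# used only as syntactically valid filler; host, user and URL are invented.
SAMPLE_ALERT = json.dumps({
    "AlertTime": "2017-12-27T03:54:41.1914393Z",
    "ComputerDnsName": "host01.example.test",
    "AlertTitle": "Suspicious connection to a known command-and-control address",
    "Category": "CommandAndControl",
    "Severity": "High",
    "AlertId": "alert-0001",
    "Actor": "",
    "Sha1": "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709",
    "FileName": "example.exe",
    "FilePath": "C:\\Users\\qradar1\\Downloads\\example.exe",
    "IPAddress": "192.0.2.0",
    "Url": "http://example.test/path",
    "UserName": "qradar1",
    "LastProcessedTimeUtc": "2017-12-27T07:16:34.1412283Z",
    "Source": "WindowsDefenderAtp",
    "Md5": "d41d8cd98f00b204e9800998ecf8427e",
    "Sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "WasExecutingWhileDetected": "false",
    "UserDomain": "EXAMPLE",
    "LogOnUsers": "EXAMPLE\\qradar1",
    "MachineDomain": "example.test",
    "MachineName": "host01",
    "InternalIPv4List": "192.0.2.0;127.0.0.1",
    "InternalIPv6List": "2001:0DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF",
})

# Assumed mapping from the alert Category to the low-level categories that
# Table 3 lists; anything else is reported as "Unknown" rather than guessed.
LOW_LEVEL_CATEGORY = {
    "commandandcontrol": "Suspicious Activity",
    "malware": "Misc. Malware",
    "exploit": "Misc. Exploit",
    "backdoor": "Backdoor Detected",
}

# Fields without which the record cannot be correlated (assumed set).
REQUIRED = ("AlertId", "AlertTime", "Category", "ComputerDnsName")


def parse_wdatp_time(value: str) -> datetime:
    """Parse the API's UTC timestamps, which carry seven fractional digits
    (e.g. 2017-12-27T03:54:41.1914393Z). strptime's %f accepts at most six,
    so the fraction is truncated to microseconds before parsing."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC 'Z' timestamp: {value!r}")
    base, _, frac = value[:-1].partition(".")
    micro = (frac + "000000")[:6]
    parsed = datetime.strptime(f"{base}.{micro}", "%Y-%m-%dT%H:%M:%S.%f")
    return parsed.replace(tzinfo=timezone.utc)


def split_ip_list(value) -> list:
    """InternalIPv4List and InternalIPv6List are semicolon-separated strings."""
    return [ip.strip() for ip in (value or "").split(";") if ip.strip()]


def normalise_alert(raw: str) -> dict:
    """Turn one raw alert JSON document into a flat record.

    Raises ValueError when a required field is missing or empty, so a broken
    payload is noticed instead of silently producing an empty event."""
    alert = json.loads(raw)
    missing = [k for k in REQUIRED if not alert.get(k)]
    if missing:
        raise ValueError(f"alert is missing required fields: {missing}")
    category = alert["Category"]
    return {
        "alert_id": alert["AlertId"],
        "category": category,
        "low_level_category": LOW_LEVEL_CATEGORY.get(category.lower(), "Unknown"),
        "alert_time": parse_wdatp_time(alert["AlertTime"]),
        "host": alert["ComputerDnsName"],
        "user": alert.get("UserName", ""),
        "sha1": alert.get("Sha1", "").lower(),  # hashes compared case-insensitively
        "internal_ipv4": split_ip_list(alert.get("InternalIPv4List")),
        "internal_ipv6": split_ip_list(alert.get("InternalIPv6List")),
        "ran_before_detection": str(alert.get("WasExecutingWhileDetected", "")).lower() == "true",
    }


if __name__ == "__main__":
    for key, val in normalise_alert(SAMPLE_ALERT).items():
        print(f"{key}: {val}")
```

Feeding the page's other three samples through normalise_alert (after filling their placeholders) exercises the category lookup: the malware sample carries Category "CommandAndControl" and the exploit sample carries "Malware" exactly as printed in Table 3, so the low-level category the function derives from the payload differs from the table's column for those two rows, which is a useful thing to notice when validating an integration.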