Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Microsoft Windows Defender ATP

The JSA DSM for Microsoft Windows Defender ATP collects events from a Microsoft Windows Defender ATP system.

To integrate Microsoft Windows Defender ATP with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console:

    • Protocol Common RPM

    • Windows Defender ATP REST API Protocol RPM

    • DSMCommon RPM

    • Microsoft Windows Defender ATP DSM RPM

  2. Configure your Microsoft Windows Defender ATP appliance to send events to JSA.

  3. Add a Microsoft Windows Defender ATP log source that uses the Microsoft Windows Defender ATP REST API on the JSA Console. JSA does not automatically detect the Microsoft Windows Defender ATP REST API.

Microsoft Windows Defender ATP DSM Specifications

The following table identifies the specifications for the Microsoft Windows Defender ATP DSM.

Table 1: Microsoft Windows Defender ATP DSM Specifications

Specification

Value

Manufacturer

Microsoft

DSM name

Microsoft Windows Defender ATP

RPM file name

DSM-MicrosoftWindowsDefenderATP-

JSA-version-Build_number.noarch.rpm

Supported versions

N/A

Protocol

JSON

Event format

Windows Defender ATP REST API

Recorded event types

Windows Defender ATP

Windows Defender AV

Third Party TI

Customer TI

Bitdefender

Automatically discovered?

No

Includes identity?

No

Includes custom properties?

No

More information

(https://docs.microsoft.com/ en-us/windows/security/threat-protection/windowsdefender- atp/windows-defender-advanced-threatprotection)

Windows Defender ATP REST API Log Source Parameters for Microsoft Windows Defender ATP

If JSA does not automatically detect the log source, add a Microsoft Windows Defender ATP log source on the JSA Console by using the Windows Defender ATP REST API protocol.

When using the Windows Defender ATP REST API protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect Windows Defender ATP REST API events from Microsoft Windows Defender ATP:

Table 2: Windows Defender ATP REST API Log Source Parameters for the Microsoft Windows Defender ATP DSM

Specification

Value

Log Source type

Microsoft Windows Defender ATP

Protocol Configuration

Windows Defender ATP REST API

Authorization Server URL

The URL for the server that provides the authorization to obtain an access token. The access token is used as the authorization to obtain events from Windows Defender ATP.

The Authorization Server URL uses the format, “https://login.windows.net/”[Tenant_ID] “/oauth2/token”

Where <Tenant ID> is a UUID.

Resource

The resource that is used to access Windows Defender ATP events.

Client ID

Ensures that the user is authorized to obtain an access token.

Client Secret

Ensures that the user is authorized to obtain an access token. The Client Secret value is displayed only one time, and then is no longer visible. If you don't have access to the Client Secret value, contact your Microsoft Azure administrator to request a new client secret.

Regions

Select the regions that are associated with Windows Defender ATP that you want to collect logs from.

Other Region

Type the names of any additional regions that are associated with Windows Defender ATP that you want to collect logs from.

Use a comma-separated list; for example, region1,region2.

Use Proxy

If a proxy for JSA is configured, all traffic for the log source travels through the proxy for JSA to access Windows Defender ATP.

Configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, configure the Proxy Server and Proxy Port fields.

Recurrence

You can specify how often the log collects data. The format is M/H/D for Minutes/Hours/Days.

The default is 5 M.

EPS Throttle

The upper limit for the maximum number of events per second (EPS). The default is 5000.

Microsoft Windows Defender ATP Sample Event Messages

Use these sample event messages as a way of verifying a successful integration with JSA.

The following table provides a sample event message when using the Microsoft Windows Defender ATP REST API protocol for the Microsoft Windows Defender ATP DSM:

Table 3: Microsoft Windows Defender ATP Sample Message Supported by Microsoft Windows Defender ATP

Event name

Low level category

Sample log message

Windows Defender ATP command and control alert

Suspicious Activity

{"AlertTime":"2017-12-27T03: 54:41.1914393Z","ComputerDnsName": " <ComputerDNsName>","AlertTitle": "<AlertTitle>"Category":"CommandAndControl", "Severity":"<Severity>", "AlertId":"<Alertid>”, "Actor":"<Actor>" ,"LinkToWDATP":"<LinkToWDAP>","IocName":"<locName”:<locName>”, ”locValue”:”locValue>”, ”Creatorlocname”: <CreatorlocName>”,”CreatorlocValue”:”<CreatorlocValue>”,"Sha1" :"<Shal>","FileName", "<FileName>","FilePath","<Filepath>","IPAddress","192.0.2.0","Url", "<Url>","loaDefinitionId", "<loadefinitionId>","UerName","qradarl","AlertPart" ,"<AlertPart>","FullId","<FullId>","LastProcessedTimeUtc", "2017-12-27T07:16:34.1412 283Z","ThreatCategory" :"<ThreatCategory>","ThreatFamily","<ThreatFamily>" ,"ThreatName","<ThreatName>", "RemediationAction":"<RemediationAction>","Remed iationIsSuccess":"<RemediationIsSuccess>","Source" :"WindowsDefenderAtp","Md5": "<Md5>","Sha256":"<Sha256>","WasExecutingWhileDetected":"<", "WasExecutingWhileDetected>","UserDomain":"<SuerDomain>","LogO nUsers":"<LogOnUsers>", "MachineDomain":" <machineDomain>","MachineName":"<MachineName>","InternalIP v4List":"192.0.2.0;127.0.0.1","InternalIPv6List": "2001:0DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF","File Ha sh":"<FileHash>","ExternalId":"<ExternalId>","Ioc UniqueId":"IocUniqueId"}

Windows Defender ATP malware alert

Misc. Malware

{"AlertTime":"2017-12-27T03: 54:41.1914393Z","ComputerDnsName": "<ComputerDNsName>","AlertTitle": <AlertTitle>"Category": "CommandAndControl","Severity":"<Severity>", "AlertId":"<Alertid>”, "Actor":"<Actor>", LinkToWDATP":"<LinkToWDAP>","IocName":"<locName”:<locName>”, ”locValue”:”locValue>”,”Creatorlocname”:<CreatorlocName>” ,”CreatorlocValue”:”<CreatorlocValue>”, "Sha1":"<Shal>","FileName", "<FileName>","FilePath","<Filepath>","IPAddress", "192.0.2.0","Url","<Url>" ,"loaDefinitionId" ,"<loadefinitionId> ","UerName","qradarl" ,"AlertPart","<AlertPart >","FullId" ,"<FullId>" ,"LastProcessedTimeUtc","2017-12-27T07:16:34.1412 283Z","ThreatCategory": "<ThreatCategory> ","ThreatFamily","<ThreatFamily>","ThreatName","<ThreatName>" ,"RemediationAction":"<RemediationAction>","Remed iationIsSuccess":"<RemediationIsSuccess>", "Source" :"WindowsDefenderAtp","Md5" :"<Md5>","Sha256":"<Sha256>","WasExecutingWhileDetected" :"<","WasExecutingWhileDetected>" ,"UserDomain":"<SuerDomain>","LogO nUsers":"<LogOnUsers>", "MachineDomain":"<machineDomain>", "MachineName":"<MachineName>","InternalIP v4List":"192.0.2.0;127.0.0.1", "InternalIPv6List": "2001:0DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF","FileHa sh":"<FileHash>" ,"ExternalId":"<ExternalId>","Ioc UniqueId":"IocUniqueId"}

Windows Defender ATP exploit alert

Misc. Exploit

{"AlertTime":"2017-12-26T21 :28:21.5123241Z" ,"ComputerDnsName": "<ComputerDNsName>","AlertTitle" :"<AlertTitle>"Category":"Malware","Severity": <Severity>", "AlertId":"<Alertid>”, "Actor":"<Actor>", "LinkToWDATP":"<LinkToWDAP>","IocName":"<locName”: <locName>”,”locValue”:”locValue>”,”Creatorlocname”: <CreatorlocName>”,”CreatorlocValue”: ”<CreatorlocValue>”,"Sha1":"<Shal>" ,"FileName","<FileName>", "FilePath","<Filepath>" ,"IPAddress","192.0.2.0","Url" ,"<Url>","loaDefinitionId","<loadefinitionId>" ,"UerName","qradarl","AlertPart","<AlertPart>","FullId","<FullId>", "LastProcessedTimeUtc","2017-12-27T04:54:17.1700156 Z","ThreatCategory ":"<ThreatCategory>","ThreatFamily" ,"<ThreatFamily>","ThreatName","<ThreatName>","RemediationAction":" <RemediationAction>","Remed iationIsSuccess":"<RemediationIsSuccess>","Source" : "WindowsDefenderAtp ","Md5":"<Md5>","Sha256":"<Sha256>", "WasExecutingWhileDetected ":"<", "WasExecutingWhileDetected>","UserDomain":"<SuerDomain>" ,"LogO nUsers":"<LogOnUsers>", "MachineDomain":"<machineDomain>","MachineName": "<MachineName>","InternalIP v4List":"192.0.2.0;127.0.0.1","InternalIPv6List": " 2001:0DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF","FileHa sh":"<FileHash>" ,"ExternalId":"<ExternalId>","Ioc UniqueId":"IocUniqueId"}

Windows Defender ATP backdoor alert

Backdoor Detected

{"AlertTime":"2017-11-22T18:01:32. 1887775Z","ComputerDnsName": "<ComputerDNsName>","AlertTitle":"<AlertTitle>"Category":"backdoor" ,"Severity":"<Severity>", "AlertId":"<Alertid>”, "Actor" :"<Actor>", "LinkToWDATP":"<LinkToWDAP>" ,"IocName":"<locName”:<locName> ”,”locValue”:”locValue>”,”Creatorlocname”:<CreatorlocName>”, ”CreatorlocValue”:”<CreatorlocValue>”,"Sha1":"<Shal>","FileName", "<FileName> ","FilePath","<Filepath>","IPAddress","192.0.2.0","Url", "<Url>","loaDefinitionId","<loadefinitionId>","UerName","qradarl", "AlertPart","<AlertPart>","FullId","<FullId>", stProcessedTimeUtc" ,"2017-11-22T18:01:49.873 9015Z", "ThreatCategory":"<ThreatCategory>","ThreatFamily","<ThreatFamily>" ,"ThreatName","<ThreatName>" ,"RemediationAction":"<RemediationAction>", "Remed iationIsSuccess":"<RemediationIsSuccess>","Source" :"WindowsDefenderAtp", "Md5":"<Md5>","Sha256":"<Sha256>" ,"WasExecutingWhileDetected":"<", "WasExecutingWhileDetected>","UserDomain":"<SuerDomain>","LogO nUsers": "<LogOnUsers>","MachineDomain": "<machineDomain>","MachineName":"<MachineName>","InternalIP v4List":"192.0.2.0;127.0.0.1","InternalIPv6List": "2001:0DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF","FileHa sh": "<FileHash>","ExternalId":"<ExternalId>" ,"Ioc UniqueId":"IocUniqueId"}