© Copyright Netsurion. All Rights Reserved. 1
Integration Guide
Integrate Microsoft ATP
EventTracker v9.x and above
Publication Date:
March 25, 2021
Abstract
This guide provides instructions to configure EventTracker to pull Microsoft ATP alerts through the Microsoft ATP alerts REST API.
Scope
The configurations detailed in this guide are consistent with EventTracker version v9.x or above and
Microsoft ATP (Windows Defender Security Center).
Audience
Administrators who are assigned the task to monitor Microsoft ATP events using EventTracker.
Table of Contents
1. Overview 4
2. Prerequisites 4
3. Integrating Microsoft ATP with EventTracker 4
3.1 Enabling SIEM integration in Microsoft ATP 4
3.2 Configure Microsoft ATP to forward logs to EventTracker 6
3.3 Getting a new client secret 7
4. EventTracker Knowledge Pack 8
4.1 Category 8
4.2 Alert 8
4.3 Knowledge Object 8
4.4 Flex Report 8
4.5 Dashboards 9
5. Importing Microsoft ATP knowledge pack into EventTracker 14
5.1 Category 15
5.2 Alert 16
5.3 Parsing Rules 17
5.4 Knowledge Object 17
5.5 Flex Report 19
5.6 Dashboards 20
6. Verifying Microsoft ATP knowledge pack in EventTracker 22
6.1 Category 22
6.2 Alert 23
6.3 Parsing Rules 24
6.4 Knowledge Object 24
6.5 Flex Report 25
6.6 Dashboards 26
About Netsurion 27
Contact Us 27
1. Overview
Windows Defender Advanced Threat Protection (Microsoft ATP) is a platform designed to help enterprise networks prevent,
detect, investigate, and respond to advanced threats. To get the most out of the platform, you can configure the
individual capabilities that surface in Windows Defender Security Center.
EventTracker monitors the alerts raised by Microsoft ATP. Its knowledge object, flex reports, and dashboards help you
detect fileless attacks, backdoor drops, and virus/malware infections across the monitored endpoints.
2. Prerequisites
• EventTracker v9.x or above must be installed.
• Microsoft ATP (Windows Defender Security Center) must be configured and onboarding endpoints.
• The EventTracker Agent must be installed on the system that will run the integrator.
• PowerShell 5 or above must be installed on that system.
• Windows Server 2008 R2 or later (or an equivalent client OS) must be installed on that system.
• Local administrator permissions on the workstation where the integrator is run.
• Permission in the Microsoft ATP portal to enable SIEM integration, and access to the Azure AD tenant to manage the resulting app registration.
3. Integrating Microsoft ATP with EventTracker
3.1 Enabling SIEM integration in Microsoft ATP
Enable SIEM integration so that EventTracker can pull alerts from Windows Defender Security Center directly
through the alerts REST API.
1. Logon to Windows Defender Security Center portal.
2. In the navigation pane, click Settings.
Settings page opens.
3. Click APIs and then click SIEM.
4. Click Enable SIEM integration. This activates the SIEM connector access details section with pre-populated
values, and an application is created under your Azure Active Directory (AAD) tenant.
5. Choose the Generic API as SIEM type.
6. Copy and save the client secret, then click Save details to file to download a file that contains all
the SIEM application values. The secret is displayed only at this point; store it in a password manager or vault, not in e-mail or a shared drive.
7. Extract the downloaded GenericProperties.zip; it contains the AuthenticationProperties.JSON file.
8. Open the .JSON file. If the client secret field is empty, paste the client secret collected in step 6.
9. Save this file for use in section 3.2. It now holds a credential that can read every alert in the tenant, so restrict its NTFS permissions to the administrator running the integrator and delete the copy once the integration is validated.
3.2 Configure Microsoft ATP to forward logs to EventTracker
Note: Contact EventTracker support to obtain MicrosoftATPIntegrator.exe.
1. Run MicrosoftATPIntegrator.exe as administrator.
2. Click Browse, navigate to the folder where AuthenticationProperties.JSON is located, and
select it.
3. After selecting the file, click Validate. The integrator requests an OAuth 2.0 token from Azure AD with the client ID and secret in the file; once the credentials are validated, click
Submit to complete the integration. If validation fails, check the file for a blank or stale client secret (section 3.3) before retrying.
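The integrator's Validate step (section 3.2) exercises the credentials collected in section 3.1: it exchanges the client ID and client secret from AuthenticationProperties.JSON for an OAuth 2.0 access token and then reads alerts. The following added example is not Netsurion's integrator or Microsoft's code; it shows, offline, what a practitioner would check before pressing Validate and how the alerts feed is reduced to the fields the alert rule and dashlets in section 4 use. The four JSON field names and the login.windows.net token endpoint are assumptions about the downloaded file's layout, the sample alerts are constructed, and mapping severity "High" to the "Critical threat detected" alert is an assumption about the knowledge pack.

```python
"""Offline checks for the Microsoft ATP SIEM connector credentials and alert feed.

Added example, not part of the Netsurion guide or integrator.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter

# Constructed stand-in for AuthenticationProperties.JSON (section 3.1).
# The field names are an ASSUMPTION about the file layout; check your copy.
SAMPLE_AUTH_PROPERTIES = json.dumps({
    "AuthorizationServerUrl":
        "https://login.windows.net/00000000-0000-0000-0000-000000000000/oauth2/token",
    "Resource": "https://graph.windows.net",
    "ClientId": "11111111-1111-1111-1111-111111111111",
    "ClientSecret": "",   # the download may ship without the secret (step 8)
})

REQUIRED_FIELDS = ("AuthorizationServerUrl", "Resource", "ClientId", "ClientSecret")


def load_auth_properties(text, client_secret=None):
    """Parse the JSON, fill in the secret copied in step 6 if the file lacks it,
    and refuse to continue on a blank field so the failure is explicit rather
    than a generic authentication error from the integrator."""
    props = json.loads(text)
    if client_secret:
        props["ClientSecret"] = client_secret
    missing = [k for k in REQUIRED_FIELDS if not props.get(k)]
    if missing:
        raise ValueError("AuthenticationProperties.JSON is missing: " + ", ".join(missing))
    if not props["AuthorizationServerUrl"].startswith("https://"):
        raise ValueError("token endpoint must be HTTPS; the client secret travels in the body")
    return props


def build_token_request(props):
    """The OAuth 2.0 client-credentials request the connector sends to Azure AD.
    The secret is form-encoded in the POST body, never in the URL, so it does
    not land in proxy or web-server access logs."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": props["ClientId"],
        "client_secret": props["ClientSecret"],
        "resource": props["Resource"],
    }).encode()
    return urllib.request.Request(
        props["AuthorizationServerUrl"], data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def classify_token_response(response_json):
    """Map the token endpoint's JSON reply to the remediation in this guide."""
    if "access_token" in response_json:
        return "ok"
    err = response_json.get("error", "unknown")
    if err == "invalid_client":   # wrong or expired client secret
        return "client secret wrong or expired: create a new one (section 3.3) and update the JSON"
    return "token request failed: " + response_json.get("error_description", err)


# Constructed alerts using field names of the Defender alerts API; values are made up.
SAMPLE_ALERTS = [
    {"title": "Suspicious PowerShell command line", "severity": "High",
     "category": "Execution", "computerDnsName": "ws-042.corp.example", "threatFamilyName": None},
    {"title": "Malware detected", "severity": "Medium",
     "category": "Malware", "computerDnsName": "ws-017.corp.example",
     "threatFamilyName": "Trojan:Win32/Example"},
    {"title": "Backdoor dropped by office app", "severity": "High",
     "category": "Persistence", "computerDnsName": "ws-042.corp.example",
     "threatFamilyName": "Backdoor:Win32/Example"},
    {"title": "Network scan", "severity": "Informational",
     "category": "Discovery", "computerDnsName": "srv-db-01.corp.example", "threatFamilyName": None},
]

CRITICAL_SEVERITIES = {"High"}   # assumption: severities treated as "critical threat"


def critical_alerts(alerts):
    """Alerts that would raise 'Microsoft ATP: Critical threat detected'."""
    return [a for a in alerts if a.get("severity") in CRITICAL_SEVERITIES]


def count_by(alerts, field):
    """Aggregation behind the 'threats detected by hostname/priority/category'
    dashlets; missing values are bucketed as 'unknown' rather than dropped."""
    return Counter(str(a.get(field) or "unknown") for a in alerts)


if __name__ == "__main__":
    props = load_auth_properties(SAMPLE_AUTH_PROPERTIES, client_secret="paste-secret-here")
    req = build_token_request(props)
    print(req.get_method(), req.full_url)
    print(classify_token_response({"error": "invalid_client"}))
    print([a["title"] for a in critical_alerts(SAMPLE_ALERTS)])
    print(count_by(SAMPLE_ALERTS, "computerDnsName"))
```

Run it with the real AuthenticationProperties.JSON contents in place of the constructed sample; if load_auth_properties raises, fix the file before using the integrator, and if a live token call returns invalid_client, follow section 3.3 rather than retrying with the same secret.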
3.3 Getting a new client secret
If your client secret expires, or if you have misplaced the copy provided when you enabled the SIEM
integration, you need to create a new secret for the SIEM application in Azure AD.
1. Log in to the Azure portal.
2. Select Azure Active Directory.
3. Select your tenant.
4. Click App registrations, then select the SIEM application created for ATP in the applications list.
5. Navigate to Certificates & secrets.
6. Select New client secret, then provide a description and specify the validity duration. Choose the shortest duration that fits your rotation schedule, since anyone holding this value can read all ATP alerts until it expires.
7. Click Save. The key value is displayed.
8. Copy the value and save it in a safe place; it cannot be retrieved again after you leave this page.
9. Replace the old client secret in AuthenticationProperties.JSON with this value and run the validation in section 3.2 again. Once the integrator is working with the new secret, delete the expired one from the app registration.
4. EventTracker Knowledge Pack
Once EventTracker Manager is receiving Microsoft ATP alerts, the knowledge pack items are imported into EventTracker.
The following knowledge pack items are available in EventTracker to support Microsoft ATP.
4.1 Category
• Microsoft ATP: Alerts - This category provides information related to alerts triggered by Microsoft
ATP.
4.2 Alert
• Microsoft ATP: Critical threat detected - This alert is generated when critical threats are detected by
Microsoft ATP.
4.3 Knowledge Object
• Microsoft ATP Alerts - This knowledge object helps us to analyze alerts triggered by Microsoft ATP.
4.4 Flex Report
• Microsoft ATP: Threats detected- This report gives the information about all the threats detected by
Microsoft ATP.
Logs Considered: sample Microsoft ATP alert log (screenshot not reproduced).
4.5 Dashboards
• Microsoft ATP Threats detected by username.
• Microsoft ATP Threats detected by hostname.
• MS ATP Threats detected by priority.
• MS ATP Threats detected by name.
• MS ATP Action taken on threats.
• MS ATP Threat category detected.
• MS ATP Threat detected by agent.
• MS ATP Threat detected by filename.
• MS ATP Threat detected by Attacker IP address.
• MS ATP Malicious/suspicious URL detected.
5. Importing Microsoft ATP knowledge pack into EventTracker
NOTE: Import knowledge pack items in the following sequence:
• Category
• Parsing Rules
• Alert
• Knowledge Object
• Flex Report
• Dashboard
1. Launch EventTracker Control Panel.
2. Double click Export Import Utility.
3. Click the Import tab.
5.1 Category
1. Click the Category option, and then click the Browse button.
2. Locate the Category_Microsoft ATP.iscat file, and then click the Open button.
3. To import the categories, click the Import button.
EventTracker displays a success message.
4. Click OK, and then click the Close button.
5.2 Alert
1. Click the Alert option, and then click the Browse button.
2. Locate the Alert_Microsoft ATP.isalt file, and then click the Open button.
3. To import the alerts, click the Import button.
EventTracker displays a success message.
4. Click the OK button, and then click the Close button.
5.3 Parsing Rules
1. Click the Token Value option, and then click the Browse button.
2. Locate the Microsoft ATP token value (parsing rules) file supplied with the knowledge pack, and then click the Open button.
3. To import the parsing rules, click the Import button.
4. EventTracker displays a success message.
5. Click the OK button.
5.4 Knowledge Object
1. Click Knowledge Objects under the Admin option on the EventTracker Manager page.
2. Click the Import button.
3. Click on Browse.
4. Locate the file named KO_Microsoft ATP.etko.
5. Select the check box and then click on Import option.
6. Knowledge objects are now imported successfully.
5.5 Flex Report
1. Click the Reports option and select the New (*.etcrx) option.
2. Locate the file named Reports_Microsoft ATP.etcrx and select the check box.
3. Click the Import button to import the report. EventTracker displays a success message.
5.6 Dashboards
NOTE: The steps below apply to EventTracker 9 and later.
1. Open EventTracker in a browser and log on.
2. Navigate to the My Dashboard option.
3. Click the Import button.
4. Import the dashboard file Dashboard_Microsoft ATP.etwd and select the Select All check box.
5. Click Import.
6. The import is now complete.
7. On the My Dashboard page, select the option to add a dashboard.
8. Choose an appropriate Title and Description, then click Save.
9. On the My Dashboard page, select the option to add dashlets.
10. Select the imported dashlets and click Add.
6. Verifying Microsoft ATP knowledge pack in EventTracker
6.1 Category
1. Logon to EventTracker.
2. Click Admin dropdown, and then click Category.
3. In the Category Tree, scroll down and expand the Microsoft ATP group folder to view the imported
category.
6.2 Alert
1. Logon to EventTracker.
2. Click the Admin menu, and then click Alerts.
3. In the Search box, type ATP, and then click the Go button.
The Alert Management page displays the imported alert.
4. To activate the imported alert, toggle the Active switch.
EventTracker displays a message box.
5. Click OK, and then click the Activate Now button.
NOTE: In the alert configuration, scope the alert to the systems that actually receive Microsoft ATP events so it is not evaluated against every log source.
6.3 Parsing Rules
1. In the EventTracker web interface, click the Admin dropdown, and then click Parsing rules.
2. On the Parsing Rule tab, click the Microsoft ATP group folder to view the imported token values.
6.4 Knowledge Object
1. In the EventTracker web interface, click the Admin dropdown, and then select Knowledge Objects.
2. In the Knowledge Object tree, expand the Microsoft ATP group folder to view the imported knowledge
object.
3. Click Activate Now to apply the imported knowledge objects.
6.5 Flex Report
1. In the EventTracker web interface, click the Reports menu, and then select Report Configuration.
2. In the Reports Configuration pane, select the Defined option.
3. Click the Microsoft ATP group folder to view the imported reports.
6.6 Dashboards
1. In the EventTracker web interface, click the Home button and select My Dashboard.
2. The Microsoft ATP dashboard now shows the imported dashlets populated with alert data.
About Netsurion
Flexibility and security within the IT environment are two of the most important factors driving business today. Netsurion’s cybersecurity platforms enable companies to deliver on both. Netsurion’s approach of combining purpose-built technology and an ISO-certified security operations center gives customers the ultimate flexibility to adapt and grow, all while maintaining a secure environment.
Netsurion’s EventTracker cyber threat protection platform provides SIEM, endpoint protection, vulnerability scanning, intrusion detection and more; all delivered as a managed or co-managed service. Netsurion’s BranchSDO delivers purpose-built technology with optional levels of managed services to multi-location businesses that optimize network security, agility, resilience, and compliance for branch locations. Whether you need technology with a guiding hand or a complete outsourcing solution, Netsurion has the model to help drive your business forward. To learn more visit netsurion.com or follow us on Twitter or LinkedIn. Netsurion is #19 among MSSP Alert’s 2020 Top 250 MSSPs.
Contact Us
Corporate Headquarters
Netsurion
Trade Centre South
100 W. Cypress Creek Rd
Suite 530
Fort Lauderdale, FL 33309
Contact Numbers
713-929-0200
https://www.netsurion.com/company/contact-us