Integration Guide: Integrate Microsoft ATP

© Copyright Netsurion. All Rights Reserved.

EventTracker v9.x and above

Publication Date: March 25, 2021




Abstract

This guide provides instructions to configure Microsoft ATP to send logs to EventTracker via the REST API.

Scope

The configurations detailed in this guide are consistent with EventTracker version v9.x or above and Microsoft ATP (Windows Defender Security Center).

Audience

Administrators who are assigned the task to monitor Microsoft ATP events using EventTracker.


Table of Contents

1. Overview 4

2. Prerequisites 4

3. Integrating Microsoft ATP with EventTracker 4

3.1 Enabling SIEM integration in Microsoft ATP 4

3.2 Configure Microsoft ATP to forward logs to EventTracker. 6

3.3 Getting a new client Secret 7

4. EventTracker Knowledge Pack 8

4.1 Category 8

4.2 Alert 8

4.3 Knowledge Object 8

4.4 Flex Report 8

4.5 Dashboards 9

5. Importing Microsoft ATP knowledge pack into EventTracker 14

5.1 Category 15

5.2 Alert 16

5.3 Parsing Rules 17

5.4 Knowledge Object 17

5.5 Flex Report 19

5.6 Dashboards 20

6. Verifying Microsoft ATP knowledge pack in EventTracker 22

6.1 Category 22

6.2 Alert 23

6.3 Parsing Rules 24

6.4 Knowledge Object 24

6.5 Flex Report 25

6.6 Dashboards 26

About Netsurion 27

Contact Us 27


1. Overview

Windows Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. To help you maximize the effectiveness of the security platform, you can configure individual capabilities that surface in Windows Defender Security Center.

EventTracker helps monitor events from Microsoft ATP. Its knowledge object and flex reports help you detect fileless attacks, backdoor drops, and viruses/malware.

2. Prerequisites

• EventTracker v9.x or above should be installed.

• Microsoft ATP (Windows Defender Security Center) should be configured.

• EventTracker Agent must be installed.

• PowerShell 5 or above must be installed.

• Windows 2008 R2 or later must be installed.

• Local admin permissions for the workstation.

3. Integrating Microsoft ATP with EventTracker

3.1 Enabling SIEM integration in Microsoft ATP

Enable SIEM integration to pull alerts from Windows Defender Security Center by connecting directly through the alerts REST API.

1. Log on to the Windows Defender Security Center portal.

2. In the navigation pane, click Settings.


The Settings page opens.

3. Click APIs and then click SIEM.

4. Click Enable SIEM integration. This activates the SIEM connector access details section with pre-populated values, and an application is created under your Azure Active Directory (AAD) tenant.

5. Choose the Generic API as SIEM type.

6. Copy and save the client secret, and then click Save details to file to download a file that contains all the SIEM application values.


7. Extract the downloaded GenericProperties.zip to obtain the AuthenticationProperties.JSON file.

8. Open the *.JSON file; you may have to add the client secret (collected in step 6).

9. Save this file for future use.

3.2 Configure Microsoft ATP to forward logs to EventTracker

Note: Contact EventTracker support to get the MicrosoftATPIntegrator.exe.

1. Run MicrosoftATPIntegrator.exe as administrator.


2. Click the Browse button, navigate to the folder where AuthenticationProperties.JSON is located, and select it.

3. After uploading, click the Validate button. Once the credentials are successfully validated, click the Submit button to complete the integration process.

3.3 Getting a new client Secret

If your client secret expires, or if you have misplaced the copy provided when you were enabling the SIEM tool application, you need to get a new secret.

1. Log in to the Azure management portal.

2. Select Azure Active Directory.

3. Select your tenant.

4. Click App registrations. Then in the applications list, select the app for ATP.

5. Navigate to secret & certificate.

6. Select New client secret, then provide a key description and specify the key validity duration.


7. Click Save. The key value is displayed.

8. Copy the value and save it in a safe place.

9. If the client secret in the file is empty, use the value collected in step 6.
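The two places where the saved AuthenticationProperties.JSON can end up with a blank client secret (3.1 step 8 and 3.3 step 9) are easy to catch before running the integrator. The following is an added example, not code from Netsurion or from the integrator; it assumes the file uses the key names shown (adjust them to your download) and that the integrator's Validate step authenticates with an OAuth2 client-credentials request against the authorization server URL in the file.

```python
import json
from urllib.parse import urlencode

# Assumed key names for the AuthenticationProperties.JSON that "Save details
# to file" produces; adjust them to match your download.
REQUIRED_KEYS = ("clientId", "clientSecret", "authorizationServerUrl", "resource")


def load_auth_properties(text):
    """Parse the saved SIEM properties and confirm every required value is filled in.

    The downloaded file may ship without the client secret (3.1 step 8), and a
    regenerated secret (3.3) must be pasted back in before validating.
    """
    props = json.loads(text)
    missing = [k for k in REQUIRED_KEYS if not str(props.get(k, "")).strip()]
    if missing:
        raise ValueError("AuthenticationProperties.JSON is missing: " + ", ".join(missing))
    return {k: props[k] for k in REQUIRED_KEYS}


def redact(props):
    """Copy safe for logs or tickets: only the last four secret characters remain."""
    safe = dict(props)
    secret = safe["clientSecret"]
    safe["clientSecret"] = "*" * max(len(secret) - 4, 0) + secret[-4:]
    return safe


def build_token_request(props):
    """Endpoint and form body of the OAuth2 client-credentials request that the
    integrator's Validate step is assumed to perform; nothing is sent here."""
    body = {
        "grant_type": "client_credentials",
        "client_id": props["clientId"],
        "client_secret": props["clientSecret"],
        "resource": props["resource"],
    }
    return props["authorizationServerUrl"], urlencode(body)


# Constructed sample file contents; IDs, URLs and secret are placeholders.
SAMPLE_JSON = json.dumps({
    "clientId": "00000000-0000-0000-0000-000000000001",
    "clientSecret": "placeholder-secret-1234",
    "authorizationServerUrl": "https://login.example.invalid/tenant/oauth2/token",
    "resource": "https://api.example.invalid",
})
```

Run `load_auth_properties` on the real file before step 3 of section 3.2; a ValueError names exactly which field still needs to be pasted in, and `redact` gives a form of the file you can safely attach to a support ticket.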

4. EventTracker Knowledge Pack

Once logs are received by the EventTracker manager, knowledge packs can be configured in EventTracker. The following knowledge packs are available in EventTracker to support Microsoft ATP.

4.1 Category

• Microsoft ATP: Alerts - This category provides information related to alerts triggered by Microsoft ATP.

4.2 Alert

• Microsoft ATP: Critical threat detected - This alert is generated when critical threats are detected by Microsoft ATP.

4.3 Knowledge Object

• Microsoft ATP Alerts - This knowledge object helps analyze alerts triggered by Microsoft ATP.

4.4 Flex Report

• Microsoft ATP: Threats detected - This report gives information about all the threats detected by Microsoft ATP.


Logs Considered

4.5 Dashboards

• Microsoft ATP Threats detected by username.


• Microsoft ATP Threats detected by hostname.

• MS ATP Threats detected by priority.


• MS ATP Threats detected by name.

• MS ATP Action taken on threats.


• MS ATP Threat category detected.

• MS ATP Threat detected by agent.


• MS ATP Threat detected by filename.

• MS ATP Threat detected by Attacker IP address.


• MS ATP Malicious/suspicious URL detected.

5. Importing Microsoft ATP knowledge pack into EventTracker

NOTE: Import knowledge pack items in the following sequence:

• Category

• Parsing Rules

• Alert

• Knowledge Object

• Flex Report

• Dashboard

1. Launch EventTracker Control Panel.

2. Double click Export Import Utility.


3. Click the Import tab.

5.1 Category

1. Click the Category option, and then click the browse button.

2. Locate Category_Microsoft ATP.iscat file, and then click the Open button.

3. To import categories, click the Import button.

EventTracker displays a success message.


4. Click OK, and then click the Close button.

5.2 Alert

1. Click the Alert option, and then click the browse button.

2. Locate Alert_Microsoft ATP.isalt file, and then click the Open button.

3. To import alerts, click the Import button.

EventTracker displays a success message.

4. Click the OK button, and then click the Close button.


5.3 Parsing Rules

1. Click the Token Value option, and then click the browse button.

2. Locate Alert_Microsoft ATP.isalt file, and then click the Open button.

3. To import alerts, click the Import button.

4. EventTracker displays a success message.

5. Click the OK button.

5.4 Knowledge Object

1. Click Knowledge objects under Admin option in the EventTracker manager page.


2. Click the Import button as highlighted in the image below:

3. Click on Browse.

4. Locate the file named KO_Microsoft ATP.etko.

5. Select the check box and then click on Import option.


6. Knowledge objects are now imported successfully.

5.5 Flex Report

1. Click Reports option and select New (*.etcrx) option.

2. Locate the file named Reports_ Microsoft ATP.etcrx and select the check box.


3. Click the Import button to import the report. EventTracker displays a success message.

5.6 Dashboards

NOTE: The steps below are specific to EventTracker 9 and later.

1. Open EventTracker in a browser and log on.

2. Navigate to the My Dashboard option as shown above.

3. Click the Import button as shown below:


4. Import the dashboard file Dashboard_Microsoft ATP.etwd and select the Select All check box.

5. Click Import as shown below:

6. Import is now completed successfully.

7. On the My Dashboard page, select the option to add a dashboard.

8. Choose an appropriate Title and Description, and then click Save.


9. On the My Dashboard page, select the option to add dashlets.

10. Select imported dashlets and click Add.

6. Verifying Microsoft ATP knowledge pack in EventTracker

6.1 Category

1. Log on to EventTracker.

2. Click Admin dropdown, and then click Category.


3. In the Category Tree, scroll down and expand the Microsoft ATP group folder to view the imported category.

6.2 Alert

1. Log on to EventTracker.

2. Click the Admin menu, and then click Alerts.

3. In the Search box, type 'ATP', and then click the Go button.

The Alert Management page displays the imported alert.

4. To activate the imported alert, toggle the Active switch.

EventTracker displays a message box.


5. Click OK, and then click the Activate Now button.

NOTE: Specify appropriate system in alert configuration for better performance.

6.3 Parsing Rules

1. In the EventTracker web interface, click the Admin dropdown, and then click Parsing rules.

2. On Parsing Rule tab, click on the Microsoft ATP group folder to view the imported token values.

6.4 Knowledge Object

1. In the EventTracker web interface, click the Admin dropdown, and then select Knowledge Objects.


2. In the Knowledge Object tree, expand the Microsoft ATP group folder to view the imported knowledge object.

3. Click Activate Now to apply imported knowledge objects.

6.5 Flex Report

1. In the EventTracker web interface, click the Reports menu, and then select Report Configuration.

2. In Reports Configuration pane, select Defined option.

3. Click on the Microsoft ATP group folder to view the imported reports.


6.6 Dashboards

1. In the EventTracker web interface, click the Home button and select My Dashboard.

2. In the Microsoft ATP dashboard you should now be able to see something like this.


About Netsurion

Flexibility and security within the IT environment are two of the most important factors driving business today. Netsurion’s cybersecurity platforms enable companies to deliver on both. Netsurion’s approach of combining purpose-built technology and an ISO-certified security operations center gives customers the ultimate flexibility to adapt and grow, all while maintaining a secure environment.

Netsurion’s EventTracker cyber threat protection platform provides SIEM, endpoint protection, vulnerability scanning, intrusion detection and more; all delivered as a managed or co-managed service. Netsurion’s BranchSDO delivers purpose-built technology with optional levels of managed services to multi-location businesses that optimize network security, agility, resilience, and compliance for branch locations. Whether you need technology with a guiding hand or a complete outsourcing solution, Netsurion has the model to help drive your business forward. To learn more visit netsurion.com or follow us on Twitter or LinkedIn. Netsurion is #19 among MSSP Alert’s 2020 Top 250 MSSPs.

Contact Us

Corporate Headquarters

Netsurion

Trade Centre South

100 W. Cypress Creek Rd

Suite 530

Fort Lauderdale, FL 33309

Contact Numbers

713-929-0200

https://www.netsurion.com/company/contact-us