Microsoft Defender for Endpoint (Previously Microsoft Windows Defender Advanced Threat Protection (ATP))
Note: This is a Legacy configuration.
As of November 2021, Microsoft has retired the Microsoft Defender ATP SIEM APIs. Defender ATP has also been relabeled as “Microsoft Defender for Endpoint”. All integrations using the SIEM APIs will cease to function after the Microsoft Defender for Endpoint SIEM API Deprecation date of April 1st, 2022.
Please follow the alternative guide here to configure Defender for Endpoint event forwarding to Azure event hub.
- Integration points
- Configuring Windows Defender for FortiSIEM REST API Access
- Configuring FortiSIEM for Windows Defender ATP REST API Access
Integration points
Protocol | Information Discovered | Used For |
---|---|---|
Windows Defender API REST API | | Security and Compliance |
Configuring Windows Defender for FortiSIEM REST API Access
Legacy
Microsoft provides ample documentation here.
Follow the steps specified in 'Enabling SIEM integration', repeated here.
- Log in to Windows Defender Center.
- Go to Settings > SIEM.
- Select Enable SIEM integration.
- Choose Generic API.
- Click Save Details to File.
- Click Generate Tokens.
Configuring FortiSIEM for Windows Defender ATP REST API Access
Legacy
Use the account from the previous step to enable FortiSIEM access.
1. Log in to FortiSIEM.
2. Go to ADMIN > Setup > Credential.
3. Click New to create a Windows Defender REST API credential:
   - Choose Device Type = Microsoft Windows Defender ATP (Vendor = Microsoft, Model = Windows Defender ATP).
   - Choose Access Protocol = Windows Defender ATP Alert REST API.
   - Enter the Tenant ID for the credential created in Section 10.2.
   - Password Config: for Manual, enter the Client ID and Client Secret for the credential created here. For CyberArk, see CyberArk Password Configuration.
   - Choose the Organization if it is an MSP deployment and the same credential is to be used for multiple customers.
   - Click Save.
4. Enter an IP Range to Credential Association:
   - Set Hostname to wdatp-alertexporter-us.windows.com.
   - Select the Credential created in step 3 above.
   - Click Save.
5. Select the entry in step 4 and click Test Connectivity. If it succeeds, then the credential is correct.
6. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Windows Defender Center using the REST API.
To test for events received via Windows Defender ATP REST API:
- Go to ADMIN > Setup > Pull Events.
- Select the Windows Defender ATP entry and click Report.
The system will take you to the Analytics tab and run a query to display the events received from Windows Defender Center in the last 15 minutes. You can modify the time interval to get more events.