External Systems Configuration Guide

Microsoft Defender for Endpoint/Microsoft Windows Defender ATP

Microsoft Defender for Endpoint (previously Microsoft Windows Defender Advanced Threat Protection (ATP))

Note: This is a Legacy configuration.

As of November 2021, Microsoft has retired the Microsoft Defender ATP SIEM APIs. Defender ATP has also been relabeled as “Microsoft Defender for Endpoint”. All integrations using the SIEM APIs will cease to function after the Microsoft Defender for Endpoint SIEM API Deprecation date of April 1st, 2022.

Please follow the alternative guide linked below to configure Defender for Endpoint event forwarding to Azure Event Hubs instead.

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/raw-data-export-event-hub?view=o365-worldwide

Integration Points

Protocol             | Information Discovered | Used For
Windows Defender API | REST API               | Security and Compliance

Configuring Windows Defender for FortiSIEM REST API Access

Legacy

Microsoft provides ample documentation here.

Follow the steps specified in 'Enabling SIEM integration', repeated here.

  1. Log in to Windows Defender Center.
  2. Go to Settings > SIEM.
  3. Select Enable SIEM integration.
  4. Choose Generic API.
  5. Click Save Details to File.
  6. Click Generate Tokens.

Configuring FortiSIEM for Windows Defender ATP REST API Access

Legacy

Use the Tenant ID, Client ID and Client Secret generated in the previous step to enable FortiSIEM access. Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.

Define Windows Defender ATP REST API Access Credential in FortiSIEM

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box and click Save:

      Settings        | Description
      Name            | Enter a name for the credential.
      Device Type     | Microsoft Windows Defender ATP
      Access Protocol | Windows Defender ATP Alert REST API
      Tenant ID       | Enter the Tenant ID for the credential created through the process here.
      Password Config | For Manual, enter the Client ID and Client Secret for the credential created here. For CyberArk SDK, see CyberArk SDK Password Configuration. For CyberArk REST API, see CyberArk REST API Password Configuration.
      Organization    | Choose an organization if it is an MSP deployment and the same credential is to be used for multiple customers.
      Description     | Description of the device.
Create IP Range to Credential Association and Test Connectivity

From the FortiSIEM Supervisor node, take the following steps.

  1. In Step 2: Enter IP Range to Credential Associations, click New.
    1. Select the name of the credential created in step 2 of Configuring FortiSIEM for Windows Defender ATP REST API Access from the Credentials drop-down list.
    2. The IP/Host Name field will be filled in automatically, but if you wish to change the region, click on the IP/Host Name field and select one of the following:

       EU: wdatp-alertexporter-eu.windows.com/api/alerts

       US: wdatp-alertexporter-us.windows.com/api/alerts

       UK: wdatp-alertexporter-uk.windows.com/api/alerts

       If Government Community Cloud (GCC), GCC High, or Department of Defense (DoD) is required, enter the appropriate host name in the IP/Host Name field:

       GCC: wdatp-alertexporter-us.gcc.securitycenter.windows.us

       GCC High and DoD: wdatp-alertexporter-us.securitycenter.windows.us

    3. Click Save.
  2. Select the entry just created, click the Test drop-down list and select Test Connectivity without Ping. A pop-up will appear and show the Test Connectivity results.
  3. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event-pulling job. FortiSIEM will start to pull events from Windows Defender Center using the REST API.

Viewing Events

To view events received via the Windows Defender ATP REST API, take the following steps:

  1. Go to ADMIN > Setup > Pull Events.
  2. Select the Windows Defender ATP entry and click Report.

The system will take you to the ANALYTICS tab and run a query to display the events received from Windows Defender Center in the last 15 minutes. You can modify the time interval to retrieve more events.
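The following script is an added example, not FortiSIEM or Microsoft code, that models what the pull job configured above does: it builds the token request from the Tenant ID, Client ID and Client Secret entered in the credential, picks the alert exporter endpoint for the chosen region or cloud, performs a credential-free TLS reachability check comparable to Test Connectivity without Ping, and fetches alerts newer than a look-back window such as the 15-minute default of the Report view. It assumes the legacy SIEM API was authorised with an Azure AD v1 client-credentials token for the resource https://graph.windows.net, that the exporter accepted a sinceTimeUtc query parameter, and that the GCC and GCC High/DoD hosts (listed on this page as bare host names) take the same /api/alerts path as the commercial regions. The HTTP opener is injectable so the exchange can be exercised offline; against the live endpoints it stops working after the deprecation date stated at the top of this page.

```python
"""Offline-testable model of the legacy Defender ATP alert pull performed by
the FortiSIEM job described above. Added example, not FortiSIEM or Microsoft
code. Assumptions that are not on the guide page are marked ASSUMPTION."""
import json
import socket
import ssl
import sys
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# Alert exporter endpoints from the guide. The commercial regions are listed
# with the /api/alerts path; the GCC and GCC High/DoD entries are listed as
# bare host names, so the same path is an ASSUMPTION for them here.
ALERT_EXPORTER = {
    "eu": "https://wdatp-alertexporter-eu.windows.com/api/alerts",
    "us": "https://wdatp-alertexporter-us.windows.com/api/alerts",
    "uk": "https://wdatp-alertexporter-uk.windows.com/api/alerts",
    "gcc": "https://wdatp-alertexporter-us.gcc.securitycenter.windows.us/api/alerts",
    "gcc-high": "https://wdatp-alertexporter-us.securitycenter.windows.us/api/alerts",
    "dod": "https://wdatp-alertexporter-us.securitycenter.windows.us/api/alerts",
}

# ASSUMPTION: the legacy SIEM API was authorised with an Azure AD v1
# client-credentials token issued for the resource https://graph.windows.net.
TOKEN_RESOURCE = "https://graph.windows.net"


def token_url(tenant_id):
    """Azure AD v1 token endpoint for the tenant entered as Tenant ID."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"


def token_request_body(client_id, client_secret):
    """Form body for the client-credentials grant (Client ID / Client Secret
    from the Manual password configuration). Only ever sent over TLS."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": TOKEN_RESOURCE,
    }).encode()


def window_start(minutes, now=None):
    """Start of a look-back window, e.g. the 15-minute default of the Report view."""
    now = now or datetime.now(timezone.utc)
    return now - timedelta(minutes=minutes)


def alerts_url(region, since):
    """Alert exporter URL for the chosen region/cloud with a since-time filter.
    ASSUMPTION: the query parameter is named sinceTimeUtc (ISO-8601, UTC)."""
    if since.tzinfo is None or since.utcoffset() != timedelta(0):
        raise ValueError("since must be a timezone-aware UTC datetime")
    base = ALERT_EXPORTER[region.lower()]
    query = urllib.parse.urlencode({"sinceTimeUtc": since.strftime("%Y-%m-%dT%H:%M:%SZ")})
    return f"{base}?{query}"


def check_connectivity(region, timeout=5.0):
    """Counterpart of Test Connectivity without Ping: resolve the exporter host
    and complete a TLS handshake with certificate validation. Needs no
    credentials, so it separates network/proxy problems from token problems."""
    host = urllib.parse.urlparse(ALERT_EXPORTER[region.lower()]).hostname
    try:
        ctx = ssl.create_default_context()
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{host}: {tls.version()} handshake ok"
    except (OSError, ssl.SSLError) as exc:
        return False, f"{host}: {exc}"


def get_token(tenant_id, client_id, client_secret, opener=urllib.request.urlopen):
    """Exchange the credential for a bearer token. `opener` is injectable so the
    exchange can be exercised without network access."""
    req = urllib.request.Request(token_url(tenant_id),
                                 data=token_request_body(client_id, client_secret),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"},
                                 method="POST")
    with opener(req) as resp:
        return json.load(resp)["access_token"]


def pull_alerts(region, token, since, opener=urllib.request.urlopen):
    """One pull cycle: GET the alerts newer than `since` using the bearer token."""
    req = urllib.request.Request(alerts_url(region, since),
                                 headers={"Authorization": f"Bearer {token}"})
    with opener(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Stand-alone use: python legacy_pull.py <region>   (reachability check only)
    ok, detail = check_connectivity(sys.argv[1] if len(sys.argv) > 1 else "us")
    print(("OK " if ok else "FAIL ") + detail)
```

Run with a region name to reproduce the reachability half of the FortiSIEM connectivity test without touching credentials; a failure there points at DNS, proxy or egress filtering rather than at the Tenant ID or Client Secret, which only come into play in `get_token`.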