Microsoft Defender for Endpoint (Previously Microsoft Windows Defender Advanced Threat Protection (ATP))
Note: This is a Legacy configuration.
As of November 2021, Microsoft has retired the Microsoft Defender ATP SIEM APIs. Defender ATP has also been relabeled as “Microsoft Defender for Endpoint”. All integrations using the SIEM APIs will cease to function after the Microsoft Defender for Endpoint SIEM API Deprecation date of April 1st, 2022.
Please follow the alternative guide here to configure Defender for Endpoint event forwarding to Azure event hub.
- Integration Points
- Configuring Windows Defender for FortiSIEM REST API Access
- Configuring FortiSIEM for Windows Defender ATP REST API Access
Integration Points
Protocol | Information Discovered | Used For |
---|---|---|
Windows Defender API REST API | | Security and Compliance |
Configuring Windows Defender for FortiSIEM REST API Access
Legacy
Microsoft provides ample documentation here.
Follow the steps specified in 'Enabling SIEM integration', repeated here.
- Log in to Windows Defender Center.
- Go to Settings > SIEM.
- Select Enable SIEM integration.
- Choose Generic API.
- Click Save Details to File.
- Click Generate Tokens.
Configuring FortiSIEM for Windows Defender ATP REST API Access
Legacy
Use the account in the previous step to enable FortiSIEM access. Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.
- Define Windows Defender ATP REST API Access Credential in FortiSIEM
- Create IP Range to Credential Association and Test Connectivity
Define Windows Defender ATP REST API Access Credential in FortiSIEM
- Go to the ADMIN > Setup > Credentials tab.
- In Step 1: Enter Credentials:
- Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
- Enter these settings in the Access Method Definition dialog box and click Save:
Settings | Description |
---|---|
Name | Enter a name for the credential |
Device Type | Microsoft Windows Defender ATP |
Access Protocol | Windows Defender ATP Alert REST API |
Tenant ID | Enter the Tenant ID for the credential created through the process here. |
Password config | For Manual, enter the Client ID and Client Secret for the credential created here. For CyberArk SDK, see CyberArk SDK Password Configuration. For CyberArk REST API, see CyberArk REST API Password Configuration. |
Organization | Choose an organization if it is an MSP deployment and the same credential is to be used for multiple customers. |
Description | Description of the device. |
Create IP Range to Credential Association and Test Connectivity
From the FortiSIEM Supervisor node, take the following steps.
- In Step 2: Enter IP Range to Credential Associations, click New.
- Select the name of the credential created in step 2, Configuring FortiSIEM for Windows Defender ATP REST API Access, from the Credentials drop-down list.
- The IP/Host Name field will be automatically filled, but if you wish to change the region, click on the IP/Host Name field, and select one of the following:
EU: wdatp-alertexporter-eu.windows.com/api/alerts
US: wdatp-alertexporter-us.windows.com/api/alerts
UK: wdatp-alertexporter-uk.windows.com/api/alerts
If Government Community Cloud (GCC), GCC High, or Department of Defense (DoD) is required, enter the appropriate host name in the IP/Host Name field.
GCC: wdatp-alertexporter-us.gcc.securitycenter.windows.us
GCC High and DoD: wdatp-alertexporter-us.securitycenter.windows.us
- Click Save.
- Select the entry just created, click the Test drop-down list, and select Test Connectivity without Ping. A pop-up will appear showing the Test Connectivity results.
- An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Windows Defender Center using the REST API.
Viewing Events
To view events received via Windows Defender ATP REST API, take the following steps:
- Go to ADMIN > Setup > Pull Events.
- Select the Windows Defender ATP entry and click Report.
The system will take you to the ANALYTICS tab and run a query to display the events received from Windows Defender Center in the last 15 minutes. You can modify the time interval to get more events.