
External Systems Configuration Guide

Microsoft Windows Defender ATP

Microsoft Defender for Endpoint (Previously Microsoft Windows Defender Advanced Threat Protection (ATP))

Configuration

To forward Microsoft Defender for Endpoint events to FortiSIEM through an Azure Event Hub, you will take the following general actions.

  1. Create an Event Hub Namespace and Event Hub if one does not already exist.

  2. Create a Shared Access (SAS) policy and record its primary key for authentication.

  3. Record the Event Hub Namespace, Event Hub Name, SAS Policy Name, Primary Key, and consumer group for the FortiSIEM credential.

  4. Configure FortiSIEM for Azure Event Hub integration and run a test pull.

  5. Configure Microsoft Defender for Endpoint raw data streaming to forward events to the Azure Event Hub created earlier.

  6. Confirm that the raw events are parsed.

Take the steps here to configure Microsoft Defender for Endpoint.

Azure Event Hub Configuration

Create an Event Hub Namespace and Event Hub

Complete these steps in the Azure Portal:

Step 1: Create a Resource Group in Azure

Note: If you already have a Resource Group to use, skip this section

A resource group is a logical collection of Azure resources. All resources are deployed and managed in a resource group. To create a resource group:

  1. Login to the Azure portal: https://portal.azure.com/
  2. Click Resource groups in the left navigation pane.
  3. Click Add.
  4. For Subscription, select the name of the Azure subscription in which you want to create the resource group.
  5. Enter a unique name for the resource group. The system immediately checks to see if the name is available in the currently selected Azure subscription.
  6. Select a Region for the resource group.
  7. Click Review + Create.
  8. Click Create on the Review + Create page.

Note: In the example used in Step 2, a Resource Group called fsm1 was created.

Step 2: Create an Event Hub Namespace

An Event Hub namespace provides a unique scoping container, referenced by its fully-qualified domain name, in which you create one or more event hubs. To create a namespace in your resource group using the portal, complete the following steps:

  1. In the Azure portal, click Create a resource at the top left of the screen.

  2. In the Search the Marketplace text box, enter Event Hubs and select it from the results (alternatively, select All services in the left menu and select the star (*) next to Event Hubs in the ANALYTICS category), and then click Create.

  3. On the Create namespace page, complete the following steps:
    1. Enter a name for the namespace. The system immediately checks to see if the name is available.
    2. Choose the pricing tier (Basic or Standard).
    3. Select the subscription in which you want to create the namespace.
    4. Select a location for the namespace.
    5. Click Create. You may have to wait a few minutes for the system to fully provision the resources.

  4. Refresh the Event Hubs page to see the event hub namespace. You can check the status of the namespace creation in the alerts.
  5. Select the namespace. You see the home page for your Event Hubs Namespace in the portal.

Step 3: Create an Event Hub

To create an event hub within the namespace, follow these steps:

  1. In the Event Hubs Namespace page, click Event Hubs in the left menu.

  2. At the top of the window, click + Event Hub.
  3. Enter a name for your event hub, then click Create.

  4. You can check the status of the event hub creation in alerts. After the event hub is created, you see it in the list of event hubs.

Step 4: Configure an Event Hub Namespace

  1. Select an event hub namespace and go to Shared access policies, and then click +Add. Enter the Policy name, check the Manage box, and then click Create.

    Note: Manage is the broadest claim a SAS policy can carry (it includes Send and Listen). A receive-only client such as a SIEM collector needs only the Listen claim; if you want least privilege, create a dedicated policy for FortiSIEM with Listen only and confirm the test pull in the FortiSIEM section still succeeds before relying on it.

  2. Select one of the Shared Access policies just created.
  3. The Azure Python SDK access method needs the SAS Policy name (defined in step 4.1) and the Primary key when you create the credential in FortiSIEM. Copy the policy name and primary key for later use, and treat the key as a secret: anyone holding it can mint tokens with the policy's claims, so keep it in a password manager or secrets store rather than an unprotected text file, and regenerate it if it is ever exposed.

    Note: When the event hub namespace is created, Azure will also create a default Shared Access Policy named RootManageSharedAccessKey. Do not reuse it for a collector; create a policy scoped to what FortiSIEM needs.

  4. Select an event hub namespace and go to Event Hubs.
  5. Select an event hub and go to Consumer group. You can click +Consumer group or use the default group named $Default.

Note: If you have selected Basic (1 Consumer Group), there will be no option to add another Consumer group.
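What the SAS policy name and primary key from Step 4 actually are, as an added example (this is not FortiSIEM or Microsoft code): the key is an HMAC-SHA256 secret, and a client proves possession of it by minting a SharedAccessSignature token over the hub's resource URI and an expiry, following Microsoft's published SAS token format (URL-encoded resource URI, newline, Unix expiry, signed with the key's UTF-8 bytes). The namespace, hub, policy name and key below are constructed placeholders, and the sb://<namespace>.servicebus.windows.net/<hub> scope is the form Microsoft's AMQP samples use (REST samples use https:// for the same path). The verify function mirrors the service-side checks, which is why regenerating the key invalidates every token derived from the old one.

```python
"""Mint and verify an Azure Event Hubs SAS token (added example).

The "SAS Policy Name" and "Primary Key" recorded in Step 4 are an HMAC
secret plus its identifier: clients derive short-lived bearer tokens
from the key, so the key itself must be protected and rotated like a
password. All identifiers and the key below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import time
import urllib.parse
from typing import Dict

NAMESPACE = "fsm1-ns"              # assumed Event Hub namespace (not from the page)
EVENT_HUB = "mde-raw"              # assumed event hub name
POLICY_NAME = "fortisiem-listen"   # assumed SAS policy created for the collector
POLICY_KEY = "ZmFrZS1wcmltYXJ5LWtleS1mb3ItZGVtby1vbmx5"  # fake key, not a real Azure key

PREFIX = "SharedAccessSignature "


def resource_uri(namespace: str, event_hub: str) -> str:
    """Scope of the token: a single hub within the namespace."""
    return f"sb://{namespace}.servicebus.windows.net/{event_hub}"


def _sign(encoded_uri: str, expiry: int, key: str) -> str:
    """HMAC-SHA256 over '<url-encoded uri>' + newline + '<expiry>' using the key's
    UTF-8 bytes (the key string is used as-is, not base64-decoded); base64 output."""
    string_to_sign = f"{encoded_uri}\n{expiry}".encode("utf-8")
    digest = hmac.new(key.encode("utf-8"), string_to_sign, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def make_sas_token(uri: str, policy_name: str, key: str, expiry: int) -> str:
    """Build the token a client sends: sr (scope), sig, se (expiry), skn (policy)."""
    encoded_uri = urllib.parse.quote(uri, safe="")
    signature = urllib.parse.quote(_sign(encoded_uri, expiry, key), safe="")
    return f"{PREFIX}sr={encoded_uri}&sig={signature}&se={expiry}&skn={policy_name}"


def verify_sas_token(token: str, keys_by_policy: Dict[str, str], now: int) -> bool:
    """Service-side view: the policy must exist, the token must be unexpired,
    and the signature must match a fresh HMAC with that policy's current key.
    Malformed tokens return False rather than raising."""
    if not token.startswith(PREFIX):
        return False
    fields = dict(urllib.parse.parse_qsl(token[len(PREFIX):], keep_blank_values=True))
    try:
        expiry = int(fields["se"])
        key = keys_by_policy[fields["skn"]]
        uri, sig = fields["sr"], fields["sig"]
    except (KeyError, ValueError):
        return False
    if expiry <= now:
        return False
    expected = _sign(urllib.parse.quote(uri, safe=""), expiry, key)
    return hmac.compare_digest(sig, expected)  # constant-time comparison


def demo() -> Dict[str, object]:
    """Mint a one-hour token and exercise the checks that matter operationally."""
    now = int(time.time())
    token = make_sas_token(resource_uri(NAMESPACE, EVENT_HUB), POLICY_NAME, POLICY_KEY, now + 3600)
    keys = {POLICY_NAME: POLICY_KEY}
    return {
        "token": token,
        "valid": verify_sas_token(token, keys, now),
        # regenerating the key (Step 4) invalidates every token minted from the old one
        "after_key_rotation": verify_sas_token(token, {POLICY_NAME: "rotated-key"}, now),
        # the scope is signed: retargeting the token at another hub breaks it
        "retargeted": verify_sas_token(token.replace(EVENT_HUB, "other-hub"), keys, now),
        "expired": verify_sas_token(token, keys, now + 7200),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the token line shows the four fields FortiSIEM's credential ultimately produces under the hood; the three False results are the reasons the key must be protected and rotated: whoever holds it can mint valid tokens until the key is regenerated.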

Configuration in FortiSIEM

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box and click Save:
      Setting              Description
      Name                 Enter a name for the credential.
      Device Type          Microsoft Azure Event Hub
      Access Protocol      AZURE PYTHON SDK
      Pull Interval        The interval at which FortiSIEM pulls events from the Azure Event Hub. Default is 5 minutes.
      Event Hub Namespace  The name of the Azure Event Hub namespace.
      Event Hub Name       The name of the Azure event hub.
      SAS Policy Name      The Shared Access (SAS) policy name created in Step 4.
      Primary Key          The primary key of that SAS policy (the secret value copied earlier, not a name).
      Consumer Group       The name of the consumer group ($Default unless you created one).
      Description          Description of the device.

  3. In Step 2: Enter IP Range to Credential Associations, click New.
    1. Enter a host name, an IP, or an IP range in the IP/Host Name field. For this integration, enter "azure.com".
    2. Select the name of your Azure event hub credential from the Credentials drop-down list.
    3. Click Save.

  4. Click the Test drop-down list and select Test Connectivity to test the connection to Azure event hub.
  5. To see the jobs associated with Azure, select ADMIN > Setup > Pull Events.
  6. To see the received events select ANALYTICS, then enter "Azure" in the search box.

Note: Azure services must be configured to write to the Event Hub before there are any events to be collected.

Microsoft Defender for Endpoint Configuration

For the latest Microsoft Defender for Endpoint information, see https://docs.microsoft.com/en-us/microsoft-365/security/defender/streaming-api-event-hub?view=o365-worldwide.

Ensure the following steps have been taken before proceeding.

  1. An event hub has been created in your tenant.

  2. Your Contributor permissions have been configured.
    Note: If they have not, log in to your Azure tenant, navigate to Subscriptions > Your subscription > Resource Providers > Register to Microsoft.insights, and configure your Contributor permissions.

After your event hub namespace has been created, take the following actions.

  1. Define the user who will be logging into Microsoft 365 Defender as Contributor.

  2. If you are connecting to an application, add the App Registration Service Principal as Reader and Azure Event Hubs Data Receiver (this can also be done at Resource Group or Subscription level) by navigating to Event Hubs namespace > Access control (IAM) > Add, and verify the assignments under Role assignments.

Enable raw data streaming by taking the following steps.

  1. Log in to Microsoft 365 Defender as a Global Administrator or Security Administrator.

  2. Go to the Data export settings page in the Microsoft Defender portal.

  3. Click on Add data export settings.

  4. Choose a name for your new settings.

  5. Choose Forward events to Azure Event Hubs.

  6. Type your Event Hubs name and your Event Hubs resource ID.

    To get your Event Hubs resource ID, go to your Azure Event Hubs namespace page on Azure > properties tab > copy the text under Resource ID.


  7. Choose the events you want to stream and click Save.

    On the next pull interval, you should see ingested Defender for Endpoint data.

    Sample Events

    {
      "category": "AdvancedHunting-AlertInfo",
      "operationName": "Publish",
      "properties": {
        "AlertId": "da637801291442337370_2831234",
        "AttackTechniques": "[\"Ingress Tool Transfer (T1105)\",\"Deobfuscate/Decode Files or Information (T1140)\",\"Signed Script Proxy Execution (T1216)\",\"Signed Binary Proxy Execution (T1218)\",\"CMSTP (T1218.003)\",\"InstallUtil (T1218.004)\",\"Mshta (T1218.005)\",\"Regsvr32 (T1218.010)\",\"Rundll32 (T1218.011)\",\"XSL Script Processing (T1220)\"]",
        "Category": "Execution",
        "DetectionSource": "EDR",
        "MachineGroup": null,
        "ServiceSource": "Microsoft Defender for Endpoint",
        "Severity": "Low",
        "Timestamp": "2022-02-10T22:29:51.4127262Z",
        "Title": "Use of living-off-the-land binary to run malicious code"
      },
      "tenantId": "cdf65b83-41f2-4c0e-97ee-11111111111",
      "time": "2022-02-10T22:32:24.5796030Z"
    }
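How a consumer must handle this record in order to "confirm raw events are parsed", as an added example (not FortiSIEM's parser and not Microsoft code): the sample event above is embedded as a constructed input string, and the code separates the Event Hub envelope (category, tenantId, time) from the Defender payload in properties, decodes the AttackTechniques field, which arrives as a JSON array serialized into a string and therefore needs a second json.loads before the ATT&CK technique IDs can be extracted, and measures the gap between the alert's Timestamp and the time it was published to the hub. The record layout and helper names are this example's own.

```python
"""Parse a Defender for Endpoint alert delivered through Event Hubs (added example).

Not FortiSIEM parser code. SAMPLE_EVENT is the record shown on this page,
embedded here as a constructed test input; tenantId keeps the page's redacted value.
"""
import json
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

SAMPLE_EVENT = r'''{"category":"AdvancedHunting-AlertInfo","operationName":"Publish","properties":{"AlertId":"da637801291442337370_2831234","AttackTechniques":"[\"Ingress Tool Transfer (T1105)\",\"Deobfuscate/Decode Files or Information (T1140)\",\"Signed Script Proxy Execution (T1216)\",\"Signed Binary Proxy Execution (T1218)\",\"CMSTP (T1218.003)\",\"InstallUtil (T1218.004)\",\"Mshta (T1218.005)\",\"Regsvr32 (T1218.010)\",\"Rundll32 (T1218.011)\",\"XSL Script Processing (T1220)\"]","Category":"Execution","DetectionSource":"EDR","MachineGroup":null,"ServiceSource":"Microsoft Defender for Endpoint","Severity":"Low","Timestamp":"2022-02-10T22:29:51.4127262Z","Title":"Use of living-off-the-land binary to run malicious code"},"tenantId":"cdf65b83-41f2-4c0e-97ee-11111111111","time":"2022-02-10T22:32:24.5796030Z"}'''

# ATT&CK IDs appear in parentheses after each technique name, e.g. "(T1218.003)"
TECHNIQUE_RE = re.compile(r"\(T(\d{4}(?:\.\d{3})?)\)")


@dataclass
class AlertRecord:
    """Flattened view of the Event Hub envelope plus the Defender payload."""
    tenant_id: str
    alert_id: str
    title: str
    category: str
    severity: str
    detection_source: str
    service_source: str
    machine_group: Optional[str]
    alert_time: str     # properties.Timestamp: when Defender raised the alert
    publish_time: str   # envelope time: when it was published to the hub
    technique_ids: List[str] = field(default_factory=list)


def decode_attack_techniques(raw) -> List[str]:
    """AttackTechniques is a JSON array serialized as a string inside the JSON
    payload, so it needs a second json.loads. Accept a string, an already-decoded
    list, or null; return ATT&CK IDs in order with duplicates removed."""
    if raw is None:
        return []
    if isinstance(raw, str):
        try:
            raw = json.loads(raw)
        except json.JSONDecodeError:
            raw = [raw]  # not valid JSON: scan the bare string for IDs anyway
    ids: List[str] = []
    for entry in raw:
        for match in TECHNIQUE_RE.finditer(str(entry)):
            tid = "T" + match.group(1)
            if tid not in ids:
                ids.append(tid)
    return ids


def parse_event(line: str) -> AlertRecord:
    """Parse one Event Hub message; rejects categories this parser does not model."""
    envelope = json.loads(line)
    category = envelope.get("category")
    if category != "AdvancedHunting-AlertInfo":
        raise ValueError(f"unsupported category: {category!r}")
    props = envelope["properties"]
    return AlertRecord(
        tenant_id=envelope["tenantId"],
        alert_id=props["AlertId"],
        title=props["Title"],
        category=props["Category"],
        severity=props["Severity"],
        detection_source=props["DetectionSource"],
        service_source=props["ServiceSource"],
        machine_group=props.get("MachineGroup"),
        alert_time=props["Timestamp"],
        publish_time=envelope["time"],
        technique_ids=decode_attack_techniques(props.get("AttackTechniques")),
    )


def _parse_utc(ts: str) -> datetime:
    """Defender emits 7 fractional digits; trim to the 6 Python accepts."""
    ts = re.sub(r"(\.\d{6})\d+", r"\1", ts).replace("Z", "+00:00")
    return datetime.fromisoformat(ts)


def publish_delay_seconds(rec: AlertRecord) -> int:
    """Seconds between the alert being raised and it reaching the hub;
    add FortiSIEM's pull interval to get end-to-end detection latency."""
    return int((_parse_utc(rec.publish_time) - _parse_utc(rec.alert_time)).total_seconds())


if __name__ == "__main__":
    rec = parse_event(SAMPLE_EVENT)
    print(rec.alert_id, rec.severity, rec.title)
    print("ATT&CK:", ", ".join(rec.technique_ids))
    print("publish delay (s):", publish_delay_seconds(rec))
```

For the sample event this yields ten technique IDs (T1105 through T1220, including the T1218 sub-techniques) and a publish delay of 153 seconds, which is the part of detection latency that FortiSIEM's Pull Interval adds to.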

[Legacy] Microsoft Defender for Endpoint (Previously Microsoft Windows Defender Advanced Threat Protection (ATP) )

Note: This is a Legacy configuration.

As of November 2021, Microsoft has retired the Microsoft Defender ATP SIEM APIs. Defender ATP has also been relabeled as “Microsoft Defender for Endpoint”. All integrations using the SIEM APIs will cease to function after the Microsoft Defender for Endpoint SIEM API Deprecation date of April 1st, 2022.

Use the non-legacy configuration above to forward Defender for Endpoint events to FortiSIEM through an Azure Event Hub.

LEGACY

Integration Points

Protocol               Information Discovered   Used For
Windows Defender API   REST API                 Security and Compliance

Configuring Windows Defender for FortiSIEM REST API Access

Legacy

Microsoft's documentation for the (now retired) SIEM integration covers this in detail.

The steps from its 'Enabling SIEM integration' section are repeated here.

  1. Login to Windows Defender Center.
  2. Go to Settings > SIEM.
  3. Select Enable SIEM integration.
  4. Choose Generic API.
  5. Click Save Details to File.
  6. Click Generate Tokens.

Configuring FortiSIEM for Windows Defender ATP REST API Access

Legacy

Use the account in the previous step to enable FortiSIEM access. Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.

Define Windows Defender ATP REST API Access Credential in FortiSIEM
  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box and click Save:
      Setting           Description
      Name              Enter a name for the credential.
      Device Type       Microsoft Windows Defender ATP
      Access Protocol   Windows Defender ATP Alert REST API
      Tenant ID         The Tenant ID saved when you enabled SIEM integration in Windows Defender Center (previous section).
      Password Config   Manual, CyberArk SDK, or CyberArk REST API. For Manual, enter the Client ID and Client Secret saved when you enabled SIEM integration. For CyberArk SDK, see CyberArk SDK Password Configuration. For CyberArk REST API, see CyberArk REST API Password Configuration.
      Organization      Choose an organization if it is an MSP deployment and the same credential is to be used for multiple customers.
      Description       Description of the device.
Create IP Range to Credential Association and Test Connectivity

    From the FortiSIEM Supervisor node, take the following steps.

    1. In Step 2: Enter IP Range to Credential Associations, click New.
      1. Select the name of the credential created in Define Windows Defender ATP REST API Access Credential in FortiSIEM from the Credentials drop-down list.
      2. The IP/Host Name field will be automatically filled, but if you wish to change the region, click on the IP/Host Name field, and select one of the following:

        EU: wdatp-alertexporter-eu.windows.com/api/alerts

        US: wdatp-alertexporter-us.windows.com/api/alerts

        UK: wdatp-alertexporter-uk.windows.com/api/alerts

        If Government Community Cloud (GCC), GCC High, or Department of Defense (DoD) is required, enter the appropriate host name in the IP/Host Name field.
        GCC: wdatp-alertexporter-us.gcc.securitycenter.windows.us

        GCC High and DoD: wdatp-alertexporter-us.securitycenter.windows.us


      3. Click Save.
    2. Select the entry just created and click the Test drop-down list and select Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
    3. An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Windows Defender Center using the REST API.

    Viewing Events

    To view events received via Windows Defender ATP REST API, take the following steps:

    1. Go to ADMIN > Setup > Pull Events.
    2. Select the Windows Defender ATP entry and click Report.

    The system will take you to the ANALYTICS tab and run a query to display the events received from Windows Defender Center in the last 15 minutes. You can modify the time interval to get more events.
