AttackIQ How-to: Configure Direct Integration with Defender ATP

Document Revision: 1.0
Last Revision Date: 15-May-2020

Copyright: © 2019 AttackIQ LLC. All Rights Reserved.
2901 Tasman Dr. Suite 112, Santa Clara, CA 95054
[email protected]
+1 (888) 588-9116
Learn more at https://www.attackiq.com/platform/

About AttackIQ: the AttackIQ Platform enables continuous validation that your security controls and processes are working as intended and delivering ROI. It seamlessly integrates into any existing network, delivering immediate visibility into your security program so you can uncover gaps in coverage, identify misconfigurations, and quickly prioritize remediation efforts.

Table of Contents

Overview
    Conventions
Prerequisites
Procedures
    Enable SIEM integration in ATP
    Assign permissions to the WindowsDefenderATPSiemConnector application
    Configure and enable the AttackIQ connector for Microsoft Defender ATP

Overview

This document describes the process of configuring a Direct Integration between the AttackIQ platform and Microsoft Defender Advanced Threat Protection (ATP). It is not intended to provide comprehensive information about the components referenced herein, nor is it intended to provide an exhaustive explanation of the feature-functionality described in the procedures. Refer to the context-sensitive Help section of the AttackIQ platform UI for more information on feature-functionality.

Conventions

The following typographical conventions are used throughout this document:

Italics: Indicates URLs, DNS domain names, email addresses, file names, and file extensions.

Fixed width with gray background: Used for program listings and program elements such as environment variables, functions, variables, data types, and keywords.

Fixed width bold with gray background: Used for commands or other text that should be typed exactly as shown.

Used for text that should be replaced with user-supplied input or values determined by context.

Prerequisites

This document assumes your organization has an active AttackIQ tenancy and has installed Integration Manager. For additional information about installing Integration Manager, consult the context-sensitive Help in the Technology Stack section of the AttackIQ platform or contact your AttackIQ account team. This document also assumes you have an active Microsoft Defender ATP tenant.

Before beginning, you will also need:
● A Microsoft Defender Security Center user account (usually an Azure AD account with the Security Administrator role assigned).
● An Azure AD account with either the Application Administrator or the Global Administrator role assigned.
● The Directory (tenant) ID of your Microsoft Defender ATP tenant.
● The URL of your AttackIQ tenancy.
● An AttackIQ user account with the Admin role assigned.

Procedures

Enable SIEM integration in Microsoft Defender ATP

This procedure is only necessary if the Windows Defender SIEM Connector has not previously been activated. If the Windows Defender SIEM Connector has already been activated, proceed to the next section.

To activate the Windows Defender SIEM Connector:

1. Follow steps 1 and 2 of the procedure described at https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration
2. Save the Client ID and Client secret for later use; they will be needed in a subsequent procedure.

Note: the Client secret is displayed only once. Do not leave the SIEM page without saving the Client secret.

Assign permissions to the WindowsDefenderATPSiemConnector application

1. Log in to the Microsoft Azure Portal at https://portal.azure.com with a user account that has either the Application Administrator or Global Administrator role assigned.
2. Type App Registrations in the Search bar.
3. Click App Registrations in the search results.
4. Click All applications on the App registrations page.
5. Select WindowsDefenderATPSiemConnector from the Application list.
6. Select API permissions from the left-hand menu.
7. Click the Add a permission button.
8. Select the APIs my organization uses tab on the Request API permissions fly-out.
9. Type WindowsDefender in the Search field.
10. Select WindowsDefenderATP from the search results.
11. Select the Delegated permissions category.
12. Expand the AdvancedQuery permission and select the AdvancedQuery.Read checkbox.
13. Select the Application permissions category.
14. Expand the AdvancedQuery permission and select the AdvancedQuery.Read.All checkbox.
15. Expand the Alerts permission and select the Alert.Read.All checkbox.
16. Expand the Machine permission and select the Machine.Read.All checkbox.
17. Click the Add permissions button.
18. Click the Grant admin consent for … button.

Configure and enable the AttackIQ connector for Microsoft Defender ATP

This procedure requires the Azure Directory (tenant) ID, the WindowsDefenderATPSiemConnector Application/Client ID, and the Client secret from the Enable SIEM integration in Microsoft Defender ATP section of this document.

1. Log in to your AttackIQ tenancy at https://<tenancy-id>.attackiq.com (where <tenancy-id> is the subdomain assigned to your AttackIQ tenancy) with a user account with the Admin role.
2. Click the Navigation menu in the upper left corner.
3. Click the chevron next to Technology Stack, then click Integration Configuration.
4. Scroll down to the Microsoft Defender ATP tile in the Available Integrations section and click the Configure button.
5. Type your Microsoft Azure Directory (tenant) ID in the Tenant ID field.
6. Type the Application (client) ID of the WindowsDefenderATPSiemConnector application in the Client ID field.
7. Type the Client secret for the WindowsDefenderATPSiemConnector application in the Client secret field.
8. Select a regional API endpoint appropriate to your location from the Choose closest region for API endpoint drop-down menu (this example uses the API endpoint for North America).
9. Click the Save Configuration button.

Note: All other fields are optional and/or safe to leave at their default values.

10. Scroll up to the Configured Integrations section.
11. Click the Enable button on the Microsoft Defender ATP tile.

Note: You will see a notification indicating that the integration will be available in 1-2 minutes and the status will change from Disabled to Pending to Active.
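Before relying on the Active status, a practitioner usually wants to confirm that the Tenant ID, Client ID and Client secret entered in steps 5 to 7 actually carry the three application permissions admin-consented in the previous section (AdvancedQuery.Read.All, Alert.Read.All, Machine.Read.All), rather than discovering a missing consent at the first failed sync. The following Python script is an added example; it is not part of this AttackIQ document or of the AttackIQ platform. It assumes the Azure AD v1 client-credentials token endpoint and the https://api.securitycenter.windows.com resource URI (neither is stated in this document), assumes that app-only access tokens list consented application permissions in the JWT "roles" claim, and reads the credentials from hypothetical environment variables ATP_TENANT_ID, ATP_CLIENT_ID and ATP_CLIENT_SECRET. Constructed, unsigned sample tokens let the permission check itself run offline.

```python
"""Check that a WindowsDefenderATPSiemConnector app-only token carries the
application permissions the AttackIQ connector needs.

Added example, not AttackIQ or Microsoft code. Assumptions (not from the
document): the Azure AD v1 token endpoint and Defender ATP resource URI in
request_app_token(), and that app-only tokens expose consented application
permissions in the JWT "roles" claim.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Application permissions granted in steps 14-16 of the permissions procedure.
REQUIRED_APP_ROLES = {"AdvancedQuery.Read.All", "Alert.Read.All", "Machine.Read.All"}

# Assumed (not in the document): Azure AD v1 resource identifier for Defender ATP.
DEFENDER_ATP_RESOURCE = "https://api.securitycenter.windows.com"


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT without verifying its signature.

    Signature verification is the API's job when the token is presented; this
    check only inspects claims locally, so no key material is needed.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_app_roles(token: str, required=REQUIRED_APP_ROLES) -> set:
    """Return the required application permissions absent from the token's
    'roles' claim. An empty set means the app registration is fully consented;
    a non-empty set names exactly the checkboxes or consent that are missing."""
    granted = set(decode_jwt_payload(token).get("roles", []))
    return set(required) - granted


def request_app_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant against Azure AD (assumed v1 endpoint/resource).
    Requires network access; not exercised by the offline sample below."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": DEFENDER_ATP_RESOURCE,
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def _make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg "none") so the permission check
    can be demonstrated offline. Never accept such a token from a real caller."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed sample tokens (not real credentials): one fully consented, one
# where admin consent for Machine.Read.All was never granted.
SAMPLE_TOKEN_OK = _make_unsigned_jwt({
    "aud": DEFENDER_ATP_RESOURCE,
    "roles": sorted(REQUIRED_APP_ROLES),
})
SAMPLE_TOKEN_PARTIAL = _make_unsigned_jwt({
    "aud": DEFENDER_ATP_RESOURCE,
    "roles": ["AdvancedQuery.Read.All", "Alert.Read.All"],
})


if __name__ == "__main__":
    # Hypothetical variable names; set all three to check a live app registration.
    creds = [os.environ.get(k) for k in ("ATP_TENANT_ID", "ATP_CLIENT_ID", "ATP_CLIENT_SECRET")]
    token = request_app_token(*creds) if all(creds) else SAMPLE_TOKEN_PARTIAL
    missing = missing_app_roles(token)
    if missing:
        print(f"Missing admin-consented application permissions: {sorted(missing)}")
    else:
        print("OK: all connector application permissions are present in the token")
```

Run without the environment variables to see the offline sample report Machine.Read.All as missing; with them set, the script obtains a real app-only token and checks its roles claim, which catches both an unchecked box in step 16 and a skipped Grant admin consent in step 18 before the connector's first sync.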

Getting additional assistance

For additional assistance, please send an email to [email protected].
