Configure Direct Integration with Microsoft Defender ATP

AttackIQ How-to: Configure Direct Integration with Microsoft Defender ATP

Document Revision: 1.0
Last Revision Date: 15-May-2020
Copyright: © 2019 AttackIQ LLC. All Rights Reserved.
2901 Tasman Dr. Suite 112, Santa Clara, CA 95054
[email protected]
+1 (888) 588-9116
Learn more at https://www.attackiq.com/platform/

About AttackIQ: the AttackIQ Platform enables continuous validation that your security controls, processes and people are working as intended and delivering ROI. It seamlessly integrates into any existing network, delivering immediate visibility into your security program so you can uncover gaps in coverage, identify misconfigurations, and quickly prioritize remediation efforts.

Table of Contents

Overview
Conventions
Prerequisites
Procedures
  Enable SIEM integration in Microsoft Defender ATP
  Assign permissions to the WindowsDefenderATPSiemConnector application
  Configure and enable the AttackIQ connector for Microsoft Defender ATP

Overview

This document describes the process of configuring a Direct Integration between the AttackIQ platform and Microsoft Defender Advanced Threat Protection (ATP). It is not intended to provide comprehensive information about the components referenced herein, nor is it intended to provide an exhaustive explanation of the feature-functionality described in the procedures. Refer to the context-sensitive Help section of the AttackIQ platform UI for more information on feature-functionality.

Conventions

The following typographical conventions are used throughout this document:

Italics
  Indicates URLs, DNS domain names, email addresses, file names, and file extensions.
Fixed width with gray background
  Used for program listings and program elements such as environment variables, functions, variables, data types, and keywords.
Fixed width bold with gray background
  Used for commands or other text that should be typed exactly as shown.
<Fixed width in angle brackets with gray background>
  Used for text that should be replaced with user-supplied input or values determined by context.

Prerequisites

This document assumes your organization has an active AttackIQ tenancy and has installed Integration Manager. For additional information about installing Integration Manager, consult the context-sensitive Help in the Technology Stack section of the AttackIQ platform or contact your AttackIQ account team. This document also assumes you have an active Microsoft Defender ATP tenant.

Before beginning, you will also need:

● A Microsoft Defender Security Center user account (usually an Azure AD account with the Security Administrator role assigned).
● An Azure AD account with either the Application Administrator or the Global Administrator role assigned.
● The Directory (tenant) ID of your Microsoft Azure / Microsoft Defender ATP tenant.
● The URL of your AttackIQ tenancy.
● An AttackIQ user account with the Admin role assigned.

Procedures

Enable SIEM integration in Microsoft Defender ATP

This procedure is only necessary if the Windows Defender SIEM Connector has not previously been activated. If the Windows Defender SIEM Connector has already been activated, proceed to the next section.

To activate the Windows Defender SIEM Connector:

1. Follow steps 1 and 2 of the procedure described at https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration
2. Save the Client ID and Client secret for later use; they will be needed in a subsequent procedure.

Note: the Client secret is displayed only once. Do not leave the SIEM Settings page without saving the Client secret.

Assign permissions to the WindowsDefenderATPSiemConnector application

1. Log in to the Microsoft Azure Portal at https://portal.azure.com with a user account that has either the Application Administrator or Global Administrator role assigned.
2. Type App Registrations in the Search bar.
3. Click App Registrations in the search results.
4. Click All applications on the App registrations page.
5. Select WindowsDefenderATPSiemConnector from the Application list.
6. Select API permissions from the left-hand menu.
7. Click the Add a permission button.
8. Select the APIs my organization uses tab on the Request API permissions fly-out.
9. Type WindowsDefender in the Search field.
10. Select WindowsDefenderATP from the search results.
11. Select the Delegated permissions category.
12. Expand the AdvancedQuery permission and select the AdvancedQuery.Read checkbox.
13. Select the Application permissions category.
14. Expand the AdvancedQuery permission and select the AdvancedQuery.Read.All checkbox.
15. Expand the Alerts permission and select the Alert.Read.All checkbox.
16. Expand the Machine permission and select the Machine.Read.All checkbox.
17. Click the Add permissions button.
18. Click the Grant admin consent for … button.

Configure and enable the AttackIQ connector for Microsoft Defender ATP

This procedure requires the Azure Directory (tenant) ID, the WindowsDefenderATPSiemConnector Application/Client ID, and the Client secret from the Enable SIEM integration in Microsoft Defender ATP section of this document.

1. Log in to your AttackIQ tenancy at https://<tenancy-id>.attackiq.com (where <tenancy-id> is the subdomain assigned to your AttackIQ tenancy) with a user account that has the Admin role.
2. Click the Navigation menu in the upper left corner.
3. Click the chevron next to Technology Stack, then click Integration Configuration.
4. Scroll down to the Microsoft Defender ATP tile in the Available Integrations section and click the Configure button.
5. Type your Microsoft Azure Directory (tenant) ID in the Tenant ID field.
6. Type the Application (client) ID of the WindowsDefenderATPSiemConnector application in the Client ID field.
7. Type the Client secret for the WindowsDefenderATPSiemConnector application in the Client secret field.
8. Select a regional API endpoint appropriate to your location from the Choose closest region for API endpoint drop-down menu (this example uses the API endpoint for North America).
9. Click the Save Configuration button.

Note: All other fields are optional and/or safe to leave at their default values.

10. Scroll up to the Configured Integrations section.
11. Click the Enable button on the Microsoft Defender ATP tile.

Note: You will see a notification indicating that the integration will be available in 1-2 minutes, and the status will change from Disabled to Pending to Active.

Getting additional assistance

For additional assistance, please send an email to [email protected].
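The three procedures above hand a tenant ID, client ID and client secret from Azure AD to the AttackIQ connector, and the connector only works if admin consent for the three application permissions (AdvancedQuery.Read.All, Alert.Read.All, Machine.Read.All) was actually granted in step 18. A pre-flight check that exercises exactly those inputs saves a round of "Pending never turns Active" troubleshooting: request a token for the Defender ATP API with the client-credentials grant and inspect the roles claim Azure AD puts in the token, because a consent that was skipped shows up as missing roles rather than as a login error. The script below is an added example written for this page, not AttackIQ's or Microsoft's code. It assumes the standard Azure AD v2.0 token endpoint and the api.securitycenter.microsoft.com resource for the .default scope (the regional endpoint you pick in step 8 does not change the token request); the environment variable names and the unsigned test token are constructed for the example.

```python
"""Pre-flight check for the Defender ATP connector credentials (added example)."""
import base64
import json
import os
import urllib.parse
import urllib.request

# Application permissions the how-to grants to WindowsDefenderATPSiemConnector.
REQUIRED_ROLES = {"AdvancedQuery.Read.All", "Alert.Read.All", "Machine.Read.All"}

# Assumption: the Defender ATP API resource whose .default scope is requested.
DEFAULT_RESOURCE = "https://api.securitycenter.microsoft.com"


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.

    No verification is needed here: the token was just received over TLS from
    the issuer, and we only read which roles it carries before using it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(claims: dict, required=frozenset(REQUIRED_ROLES)) -> set:
    """Required application roles absent from the token's 'roles' claim.

    An empty result means admin consent covered every permission the how-to
    asks for; a non-empty result means step 18 (Grant admin consent) is
    incomplete for those permissions.
    """
    return set(required) - set(claims.get("roles", []))


def request_token(tenant_id: str, client_id: str, client_secret: str,
                  resource: str = DEFAULT_RESOURCE) -> str:
    """Client-credentials grant against Azure AD; returns the access token."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": resource + "/.default",
    }).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def check_connector_credentials(tenant_id: str, client_id: str,
                                client_secret: str) -> set:
    """Fetch a token with the values destined for the AttackIQ connector
    and report which required roles the token does not carry."""
    return missing_roles(decode_jwt_claims(
        request_token(tenant_id, client_id, client_secret)))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for offline testing."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed variable names; the values are the ones from the procedures.
    missing = check_connector_credentials(
        os.environ["DEFENDER_TENANT_ID"],
        os.environ["DEFENDER_CLIENT_ID"],
        os.environ["DEFENDER_CLIENT_SECRET"],
    )
    if missing:
        print("admin consent incomplete, missing roles:", ", ".join(sorted(missing)))
    else:
        print("token carries all roles the AttackIQ connector needs")
```

Run it with the secret supplied through the environment rather than on the command line, so the Client secret from the SIEM Settings page does not land in shell history; a wrong tenant ID or secret fails at the token request itself, while a missing role points back at the API permissions page of the WindowsDefenderATPSiemConnector registration.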
