EventTracker v8.x and above
Publication Date: August 20, 2018
Abstract
This guide provides instructions to configure Microsoft ATP to forward its alerts to EventTracker Enterprise. Alerts are pulled from the Windows Defender Security Center alerts REST API and handed to EventTracker as log files; no syslog forwarding is involved.

Scope
The configurations detailed in this guide are consistent with EventTracker Enterprise version 8.x or above and Microsoft ATP (Windows Defender Security Center).

Audience
Administrators who are assigned the task of monitoring Microsoft ATP events using EventTracker.

The information contained in this document represents the current view of EventTracker on the issues discussed as of the date of publication. Because EventTracker must respond to changing market conditions, it should not be interpreted to be a commitment on the part of EventTracker, and EventTracker cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. EventTracker MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from EventTracker, if its content is unaltered, nothing is added to the content and credit to EventTracker is provided.

EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from EventTracker, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2018 EventTracker Security LLC. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents
Abstract ... 1
Scope ... 1
Audience ... 1
Overview ... 3
Prerequisites ... 3
Integration of Microsoft ATP with EventTracker ... 3
  Enable SIEM integration in Microsoft ATP ... 3
  Configure Microsoft ATP Integrator ... 6
EventTracker Knowledge Pack ... 10
  Category ... 10
  Alert ... 10
  Knowledge Object ... 10
  Flex Report ... 10
Import Microsoft ATP knowledge pack into EventTracker ... 11
  Category ... 12
  Alert ... 13
  Parsing Rules ... 14
  Knowledge Object ... 15
  Flex Report ... 17
  Dashboards ... 18
Verify Microsoft ATP knowledge pack in EventTracker ... 21
  Category ... 21
  Alert ... 22
  Parsing Rules ... 23
  Knowledge Object ... 24
  Flex Report ... 25
  Dashboards ... 26
Overview
Windows Defender Advanced Threat Protection (ATP) is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. To help you maximize the effectiveness of the security platform, you can configure individual capabilities that surface in Windows Defender Security Center.

EventTracker helps to monitor events from Microsoft ATP. Its knowledge object and flex reports help you detect fileless attacks, backdoor drops, and viruses/malware.

Prerequisites
- EventTracker v8.x or above should be installed.
- Microsoft ATP (Windows Defender Security Center) should be configured.
- EventTracker Agent must be installed.
- PowerShell 4 or above must be installed.
- Windows Server 2008 R2 or later must be installed.
- Local administrator permissions on the machine that will run the Integrator.

Integration of Microsoft ATP with EventTracker

Enable SIEM integration in Microsoft ATP
Enable SIEM integration to pull alerts from Windows Defender Security Center by connecting directly through the alerts REST API.
1. Log on to the Windows Defender Security Center portal.
Figure 1
2. In the navigation pane, select Settings > APIs > SIEM.
Figure 2
3. Select Enable SIEM integration. This activates the SIEM connector access details section with prepopulated values, and an application is created under your Azure Active Directory (AAD) tenant.
4. Choose Generic API as the SIEM type.
5. Select Save details to file to download a file that contains all the SIEM application values.
Figure 3
6. Extract the downloaded SplunkProperties.zip to get the SplunkAuthenticationProperties.JSON file.
7. Save this file for future use. It holds the access details of the SIEM application created in your AAD tenant (including its client secret), so treat it as a credential: keep a single copy and restrict who can read it.
Figure 4

Configure Microsoft ATP Integrator
1. Navigate to <EventTracker_Manager_Install_Path>\EventTracker\Knowledge Packs\Microsoft ATP\Configuration.
2. Open the Integrator folder and copy SplunkAuthenticationProperties.JSON to this path.
3. Run ATP_Intergrator.bat as administrator.
Figure 5
4. The Pre-Integrator is launched and the prerequisites are checked. If the prerequisites are not met, click Upgrade to update PowerShell.
5. If the prerequisites are met, click Next to proceed.
6. Click OK in the Output Folder Created dialog box.
Figure 6
Figure 7
7. Select the SplunkAuthenticationProperties.JSON file copied earlier and click Open.
Figure 8
8. Click OK in the SIEM Application Details File Available dialog box.
Figure 9
9. Click OK in the LFM Configuration Complete dialog box.
Figure 10
10. Provide the credentials of a local administrator to schedule the hourly task, then click OK. The task runs under this account, so prefer a dedicated account whose password is not shared with interactive administrators.
Figure 11
11. Click OK in the Task Configuration Complete dialog box.
Figure 12
12. Click OK in the Configuration Complete dialog box.
Figure 13
13. Wait for the Pre-Integrator dialog box to close.
14. Each time the task runs, an output CSV is generated in the MSATPReports folder, from where the EventTracker log file monitor (LFM) configured in step 9 picks it up.
Figure 14
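The two procedures above create a SIEM application in AAD and then let the Integrator schedule an hourly pull of alerts into MSATPReports. The following PowerShell script is an added example, not EventTracker's ATP_Integrator code and not Microsoft tooling: it performs the same pull once by hand, so that you can confirm the downloaded SIEM application values work before the scheduled task depends on them, and it refuses to run while the properties file is readable by broad groups. The property names it reads from SplunkAuthenticationProperties.JSON (tenantId, clientId, clientSecret, authorizationServerUrl, resource, siemUrl), the token endpoint pattern, the /api/alerts?sinceTimeUtc= query and the Severity field are assumptions taken from the Windows Defender ATP SIEM connector documentation of the time; compare them with the keys actually present in your downloaded file before using it.

```powershell
# Added example: manual equivalent of the Integrator's hourly alert pull.
# Not part of EventTracker's ATP_Integrator or of Microsoft's tooling.
# ASSUMPTIONS (verify against your own SplunkAuthenticationProperties.JSON):
#   - property names tenantId, clientId, clientSecret, authorizationServerUrl,
#     resource and siemUrl
#   - the alerts endpoint is <siemUrl>/api/alerts?sinceTimeUtc=<ISO-8601 UTC>
#   - alert records carry a Severity field
param(
    [string]$PropertiesFile = ".\SplunkAuthenticationProperties.JSON",
    [string]$OutputFolder   = ".\MSATPReports",
    [int]   $LookbackHours  = 1
)
$ErrorActionPreference = 'Stop'

# --- 1. The properties file is a credential. Stop if broad groups can read it.
#        Inherited ACEs from the install folder commonly grant BUILTIN\Users read.
$acl   = Get-Acl -Path $PropertiesFile
$broad = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$' -and
    $_.FileSystemRights.ToString() -match 'Read|Modify|FullControl'
}
if ($broad) {
    Write-Warning ("{0} is readable by: {1}" -f $PropertiesFile, (($broad.IdentityReference | ForEach-Object { $_.Value }) -join ', '))
    Write-Warning "Restrict it to the account that runs the scheduled task before continuing."
    exit 1
}

$props = Get-Content -Raw -Path $PropertiesFile | ConvertFrom-Json
foreach ($key in 'tenantId', 'clientId', 'clientSecret', 'siemUrl') {
    if (-not $props.$key) { throw "Property '$key' missing from $PropertiesFile" }
}

# --- 2. OAuth 2.0 client-credentials grant against the tenant's token endpoint.
#        authorizationServerUrl is assumed to be the full token endpoint; if the
#        file lacks it, the AAD v1 pattern for the tenant is used instead.
$tokenUrl = if ($props.authorizationServerUrl) { $props.authorizationServerUrl }
            else { "https://login.windows.net/$($props.tenantId)/oauth2/token" }
$tokenBody = @{
    grant_type    = 'client_credentials'
    client_id     = $props.clientId
    client_secret = $props.clientSecret
    resource      = $props.resource
}
$tokenResponse = Invoke-RestMethod -Method Post -Uri $tokenUrl -Body $tokenBody
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# --- 3. Pull alerts newer than the look-back window (the scheduled task uses 1 h).
$since     = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours).ToString('o')
$alertsUrl = "$($props.siemUrl.TrimEnd('/'))/api/alerts?sinceTimeUtc=$([uri]::EscapeDataString($since))"
$alerts    = @(Invoke-RestMethod -Method Get -Uri $alertsUrl -Headers $headers)

# --- 4. Write one timestamped CSV into the folder the EventTracker LFM watches.
#        An empty pull is reported rather than silently producing an empty file.
if ($alerts.Count -eq 0) {
    Write-Host "No alerts returned since $since; nothing written."
    return
}
if (-not (Test-Path $OutputFolder)) {
    New-Item -ItemType Directory -Path $OutputFolder | Out-Null
}
$stamp   = (Get-Date).ToUniversalTime().ToString('yyyyMMdd_HHmmss')
$outFile = Join-Path $OutputFolder "MSATP_alerts_$stamp.csv"
$alerts | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8

# --- 5. Summarise by severity so a lopsided or suspiciously small pull stands out.
Write-Host ("Wrote {0} alert(s) to {1}" -f $alerts.Count, $outFile)
$alerts | Group-Object -Property Severity | Select-Object Name, Count | Format-Table -AutoSize
```

Run it once from the Integrator folder as the account that will own the scheduled task; if it exits at the ACL check, tighten the NTFS permissions on the JSON file first, since the same file is what the hourly task reads. If the token request fails with an authorization error, the SIEM application values are wrong or have been rotated in the portal, and the scheduled task would fail the same way.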
EventTracker Knowledge Pack
Once logs are received by the EventTracker manager, the knowledge pack can be configured in EventTracker. The following knowledge pack items are available in EventTracker Enterprise to support Microsoft ATP.

Category
Microsoft ATP: Alerts - This category provides information related to alerts triggered by Microsoft ATP.

Alert
Microsoft ATP: Critical threat detected - This alert is generated when critical threats are detected by Microsoft ATP.

Knowledge Object
Microsoft ATP Alerts - This knowledge object helps analyze alerts triggered by Microsoft ATP.

Flex Report
Microsoft ATP- Threats detected - This report gives information about all the threats detected by Microsoft ATP.
Figure 15
Logs Considered
Figure 16

Import Microsoft ATP knowledge pack into EventTracker
NOTE: Import knowledge pack items in the following sequence: Category, Parsing Rules, Alert, Knowledge Object, Flex Report.
1. Launch the EventTracker Control Panel.
2. Double-click Export Import Utility.
Figure 17
3. Click the Import tab.

Category
1. Click the Category option, and then click the browse button.
Figure 18
2. Locate the Category_Microsoft ATP.iscat file, and then click the Open button.
3. To import the categories, click the Import button. EventTracker displays a success message.
4. Click OK, and then click the Close button.

Alert
Figure 19
1. Click the Alert option, and then click the browse button.
Figure 20
2. Locate the Alert_Microsoft ATP.isalt file, and then click the Open button.
3. To import the alerts, click the Import button. EventTracker displays a success message.
Figure 21
4. Click the OK button, and then click the Close button.

Parsing Rules
1. Click the Token Value option, and then click the browse button.
Figure 22
2. Locate the Microsoft ATP token value file (not the .isalt alert file used in the previous section), and then click the Open button.
3. To import the parsing rules, click the Import button.
4. EventTracker displays a success message.
5. Click the OK button.

Knowledge Object
Figure 23
1. Click Knowledge Objects under the Admin option on the EventTracker manager page.
Figure 24
2. Click the Import button as highlighted in the image below.
3. Click Browse.
Figure 25
4. Locate the file named KO_Microsoft ATP.etko.
Figure 26
5. Select the check box and then click Import.
Figure 27
6. The knowledge objects are now imported successfully.

Flex Report
Figure 28
1. Click the Reports option, and select the New (*.etcrx) option.
Figure 29
2. Locate the file named Reports_Microsoft ATP.etcrx and select the check box.
Figure 30
3. Click the Import button to import the report. EventTracker displays a success message.

Dashboards
Figure 31
NOTE: The steps below are specific to EventTracker 9 and later.
1. Open EventTracker Enterprise in a browser and log on.
Figure 32
2. Navigate to the My Dashboard option as shown above.
3. Click the Import button as shown below.
Figure 33
4. Import the dashboard file Dashboard_Microsoft ATP.etwd and select the Select All check box.
5. Click Import as shown below.
Figure 34
6. The import is now completed successfully.
Figure 35
7. On the My Dashboard page, click the add dashboard button.
Figure 36
8. Choose an appropriate Title and Description. Click Save.
Figure 37
9. On the My Dashboard page, click the add dashlets button.
10. Select the imported dashlets and click Add.
Figure 38
Figure 39

Verify Microsoft ATP knowledge pack in EventTracker

Category
1. Log on to EventTracker Enterprise.
2. Click the Admin dropdown, and then click Category.
Figure 40
3. In the Category Tree, scroll down and expand the Microsoft ATP group folder to view the imported category.
Alert
1. Log on to EventTracker Enterprise.
2. Click the Admin menu, and then click Alerts.
Figure 41
Figure 42
3. In the Search box, type ATP, and then click the Go button. The Alert Management page displays the imported alert.
Figure 43
4. To activate the imported alert, toggle the Active switch. EventTracker displays a message box.
Figure 44
5. Click OK, and then click the Activate Now button.
NOTE: Specify the appropriate system(s) in the alert configuration (the machine whose MSATPReports folder the LFM reads) so the alert is evaluated only where the Microsoft ATP logs actually arrive; this keeps alert processing efficient.

Parsing Rules
1. In the EventTracker Enterprise web interface, click the Admin dropdown, and then click Parsing rules.
Figure 45
2. On the Parsing Rule tab, click the Microsoft ATP group folder to view the imported token values.
Knowledge Object
Figure 46
1. In the EventTracker Enterprise web interface, click the Admin dropdown, and then select Knowledge Objects.
Figure 47
2. In the Knowledge Object tree, expand the Microsoft ATP group folder to view the imported knowledge object.
Figure 48
3. Click Activate Now to apply the imported knowledge objects.

Flex Report
1. In the EventTracker Enterprise web interface, click the Reports menu, and then select Report Configuration.
Figure 49
2. In the Reports Configuration pane, select the Defined option.
3. Click the Microsoft ATP group folder to view the imported reports.
Dashboards
Figure 50
WIDGET TITLE: Microsoft ATP- Top threats detected by source username
Figure 51
WIDGET TITLE: Microsoft ATP- Threats detected by source hostname
Figure 52