Integrate Microsoft ATP. EventTracker v8.x and above


EventTracker v8.x and above Publication Date: August 20, 2018

Abstract

This guide provides instructions to configure Microsoft ATP to send its syslog to EventTracker Enterprise.

Scope

The configurations detailed in this guide are consistent with EventTracker Enterprise version v8.x or above and Microsoft ATP (Windows Defender Security Center).

Audience

Administrators who are assigned the task of monitoring Microsoft ATP events using EventTracker.

The information contained in this document represents the current view of EventTracker on the issues discussed as of the date of publication. Because EventTracker must respond to changing market conditions, it should not be interpreted to be a commitment on the part of EventTracker, and EventTracker cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. EventTracker MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from EventTracker, if its content is unaltered, nothing is added to the content and credit to EventTracker is provided. EventTracker may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from EventTracker, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

2018 EventTracker Security LLC. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents

Abstract
Scope
Audience
Overview
Prerequisites
Integration of Microsoft ATP with EventTracker
  Enable SIEM integration in Microsoft ATP
  Configure Microsoft ATP Integrator
EventTracker Knowledge Pack
  Category
  Alert
  Knowledge Object
  Flex Report
Import Microsoft ATP knowledge pack into EventTracker
  Category
  Alert
  Parsing Rules
  Knowledge Object
  Flex Report
  Dashboards
Verify Microsoft ATP knowledge pack in EventTracker
  Category
  Alert
  Parsing Rules
  Knowledge Object
  Flex Report
  Dashboards

Overview

Windows Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. To help you maximize the effectiveness of the security platform, you can configure individual capabilities that surface in Windows Defender Security Center.

EventTracker helps to monitor events from Microsoft ATP. Its knowledge object and flex reports will help you to detect fileless attacks, backdoor drops and virus/malware.

Prerequisites

EventTracker v8.x or above should be installed.
Microsoft ATP (Windows Defender Security Center) should be configured.
EventTracker Agent must be installed.
PowerShell 4 or above must be installed.
Windows 2008 R2 or later must be installed.
Local admin permissions for the workstation.

Integration of Microsoft ATP with EventTracker

Enable SIEM integration in Microsoft ATP

Enable SIEM integration to pull alerts from Windows Defender Security Center by connecting directly through the alerts REST API.

1. Log on to the Windows Defender Security Center portal.

Figure 1

2. In the navigation pane, select Settings > APIs > SIEM.

Figure 2

3. Select Enable SIEM integration. This activates the SIEM connector access details section with prepopulated values, and an application is created under your Azure Active Directory (AAD) tenant.
4. Choose Generic API as the SIEM type.
5. Select Save details to file to download a file that contains all the SIEM application values.

Figure 3

6. Extract the downloaded SplunkProperties.zip to get the SplunkAuthenticationProperties.JSON file.
7. Save this file for future use. It holds the SIEM application's access details, so store it where only administrators can read it.

Figure 4

Configure Microsoft ATP Integrator

1. Navigate to <EventTracker_Manager_Install_Path>\EventTracker\Knowledge Packs\Microsoft ATP\Configuration.
2. Open the Integrator folder and copy SplunkAuthenticationProperties.JSON to this path.
3. Run ATP_Intergrator.bat as administrator.

Figure 5

4. The Pre-Integrator is launched, and prerequisites are checked. If the prerequisites are not met, click Upgrade to update PowerShell.
5. If the prerequisites are successfully met, click Next to proceed.
6. Click OK in the Output Folder Created dialog box.

Figure 6

Figure 7

7. Select the SplunkAuthenticationProperties.JSON copied earlier and click Open.

Figure 8

8. Click OK in the SIEM Application Details File Available dialog box.

Figure 9

9. Click OK in the LFM Configuration Complete dialog box.

Figure 10

10. Provide local admin credentials to schedule the hourly task, and then click OK.

Figure 11

11. Click OK in the Task Configuration Complete dialog box.

Figure 12

12. Click OK in the Configuration Complete dialog box.

Figure 13

13. Wait for the Pre-Integrator dialog box to close.
14. When the task runs, the output CSV is generated in the MSATPReports folder.

Figure 14

EventTracker Knowledge Pack

Once logs are received by the EventTracker manager, knowledge packs can be configured in EventTracker. The following Knowledge Packs are available in EventTracker Enterprise to support Microsoft ATP.

Category

Microsoft ATP: Alerts - This category provides information related to alerts triggered by Microsoft ATP.

Alert

Microsoft ATP: Critical threat detected - This alert is generated when critical threats are detected by Microsoft ATP.

Knowledge Object

Microsoft ATP Alerts - This knowledge object helps analyze alerts triggered by Microsoft ATP.

Flex Report

Microsoft ATP- Threats detected - This report gives information about all the threats detected by Microsoft ATP.

Figure 15

Logs Considered

Figure 16

Import Microsoft ATP knowledge pack into EventTracker

NOTE: Import knowledge pack items in the following sequence: Category, Parsing Rules, Alert, Knowledge Object, Flex Report.

1. Launch the EventTracker Control Panel.
2. Double-click Export Import Utility.

Figure 17

3. Click the Import tab.

Category

1. Click the Category option, and then click the browse button.

Figure 18

2. Locate the Category_Microsoft ATP.iscat file, and then click the Open button.
3. To import categories, click the Import button. EventTracker displays a success message.
4. Click OK, and then click the Close button.

Alert

Figure 19

1. Click the Alert option, and then click the browse button.

Figure 20

2. Locate the Alert_Microsoft ATP.isalt file, and then click the Open button.
3. To import alerts, click the Import button. EventTracker displays a success message.

Figure 21

4. Click the OK button, and then click the Close button.

Parsing Rules

1. Click the Token Value option, and then click the browse button.

Figure 22

2. Locate the Alert_Microsoft ATP.isalt file, and then click the Open button.
3. To import alerts, click the Import button.
4. EventTracker displays a success message.
5. Click the OK button.

Knowledge Object

Figure 23

1. Click Knowledge Objects under the Admin option on the EventTracker manager page.

Figure 24

2. Click the Import button as highlighted in the image below.
3. Click Browse.

Figure 25

4. Locate the file named KO_Microsoft ATP.etko.

Figure 26

5. Select the check box, and then click the Import option.

Figure 27

6. The knowledge objects are now imported successfully.

Flex Report

Figure 28

1. Click the Reports option, and select the New (*.etcrx) option.

Figure 29

2. Locate the file named Reports_ Microsoft ATP.etcrx and select the check box.

Figure 30

3. Click the Import button to import the report. EventTracker displays a success message.

Dashboards

Figure 31

NOTE: The steps below are specific to EventTracker 9 and later.

1. Open EventTracker Enterprise in a browser and log on.

Figure 32

2. Navigate to the My Dashboard option as shown above.
3. Click the Import button as shown below.

Figure 33

4. Import the dashboard file Dashboard_Microsoft ATP.etwd and select the Select All check box.
5. Click Import as shown below.

Figure 34

6. The import is now completed successfully.

Figure 35

7. On the My Dashboard page, select the option to add a dashboard.

Figure 36

8. Choose an appropriate name for the Title and Description. Click Save.

Figure 37

9. On the My Dashboard page, select the option to add dashlets.
10. Select the imported dashlets and click Add.

Figure 38

Figure 39

Verify Microsoft ATP knowledge pack in EventTracker

Category

1. Log on to EventTracker Enterprise.
2. Click the Admin dropdown, and then click Category.

Figure 40

3. In the Category Tree, scroll down and expand the Microsoft ATP group folder to view the imported category.

Alert

1. Log on to EventTracker Enterprise.
2. Click the Admin menu, and then click Alerts.

Figure 41

Figure 42

3. In the Search box, type ATP, and then click the Go button. The Alert Management page displays the imported alert.

Figure 43

4. To activate the imported alert, toggle the Active switch. EventTracker displays a message box.

Figure 44

5. Click OK, and then click the Activate Now button.

NOTE: Specify the appropriate system in the alert configuration for better performance.

Parsing Rules

1. In the EventTracker Enterprise web interface, click the Admin dropdown, and then click Parsing Rules.

Figure 45

2. On the Parsing Rule tab, click the Microsoft ATP group folder to view the imported token values.

Knowledge Object

Figure 46

1. In the EventTracker Enterprise web interface, click the Admin dropdown, and then select Knowledge Objects.

Figure 47

2. In the Knowledge Object tree, expand the Microsoft ATP group folder to view the imported knowledge object.

Figure 48

3. Click Activate Now to apply the imported knowledge objects.

Flex Report

1. In the EventTracker Enterprise web interface, click the Reports menu, and then select Report Configuration.

Figure 49

2. In the Reports Configuration pane, select the Defined option.
3. Click the Microsoft ATP group folder to view the imported reports.

Dashboards

Figure 50

WIDGET TITLE: Microsoft ATP- Top threats detected by source username

Figure 51

WIDGET TITLE: Microsoft ATP- Threats detected by source hostname

Figure 52