Microsoft Defender ATP Setup

Just curious if anyone has been able to get the Microsoft Defender ATP Event Source setup since the ‘SIEM Integration’ changed on the MCAS side? I have had this setup for about a year and back in November-December, MCAS changed how they do SIEM Integration and API tokens. It appears that we now need to do an ‘API Token’ so that IDR can ‘Pull’ the events from MCAS. If you try to use the actual ‘SIEM Agent Integration’ now, it requires an ‘IP’ and ‘Port’ for the system that is receiving these logs; instead of IDR pulling them.

I tried using the API token (since it is the closest to what is already configured) but that does not seem to work.

Any help would be greatly beneficial.

Thank you

Hi Tony,

Could you open a support ticket so we can investigate this with you over a screen share session?

David Smith
Rapid7

I’m also struggling getting this setup. Honestly, the instructions are not very clear.

Hi, I suggest opening a support ticket and we can take a look where you might be having difficulty.

Thanks

Sean
Rapid7

I hope this is okay, I copied and pasted some instructions provided to me by creating a R7 support ticket.

In case anyone is wondering and just wants to get this working:

Step 1 - Configuring API Permissions

  • Go to Azure AD
  • Go to App Registrations
  • Search for the WindowsDefenderATPSiemConnector
  • Click on API permissions, then Add A Permission
  • Go to the tab APIs my organization uses
  • Search for WindowsDefenderATP (case sensitive, all together) and click on WindowsDefenderATP (NOT WindowsDefenderAtpSiemConnector)
  • Go to Application Permissions
  • Search for Alert Category and enable the Alert.Read.All permission ONLY
  • Click Add permissions
  • Click on Grant admin consent for to have the new permissions take effect
  • Click on Yes

Step 2 (Optional) - Obtain Client ID

  • Go to Overview on Azure
  • Copy Application (client) ID field
  • Insert client ID into Client ID field on the new credentials

Step 3 (Optional) - Generate Secret Key

  • Go to Certificates & secrets
  • Click New client secret
  • Enter any name for the Description field
  • Choose any date for Expires field
  • Copy the entire value key (NOT the Secret ID)
  • Insert value key into new Credentials Client ID field

Step 4 (Optional) - Locate the Authorization Server URL

  • Go to Overview
  • Click on Endpoints to view
  • Copy OAuth 2.0 token endpoint (v1) URL

I wonder when they will update the instructions so users can get this enabled without having to reach out to R7 support.


Does anyone know if it is also possible to use an existing azure application and add the Alert.Read.All permission to the app? Or do we really need to use the WindowsDefenderATPSiemConnector app. Because I can’t see this app in my environment.

You would only see the WindowsDefenderATPSiemConnector app if you have provisioned the integration before November 2021.

If you don’t have the app, you can create one. Perhaps it’s possible to piggyback on an existing one too but it’s not something I can recommend.

The process for creating an app, granting API permissions and generating a client secret is described here in steps one through seven: Create an app to access Microsoft Defender for Endpoint without a user | Microsoft Docs

You can then grab the “OAuth 2.0 token endpoint (v1)” URL from the Overview > Endpoints page and you should be all set to register the event source in IDR.
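Added example, not from this thread, Rapid7 or Microsoft: once the app exists (the step 1 to step 4 post above, or the Microsoft doc steps in the previous reply), this Python script checks the registration before you register the event source in IDR, by requesting a token from the “OAuth 2.0 token endpoint (v1)” with the client ID and secret value, decoding the returned token’s claims without verifying them, and confirming the app holds Alert.Read.All on the WindowsDefenderATP API and nothing broader. The resource URL https://api.securitycenter.microsoft.com (from the Microsoft doc, not the thread), the function names and the sample role in the test are assumptions.

```python
import base64
import json
import urllib.parse
import urllib.request

# Audience (resource) of the WindowsDefenderATP API; assumption taken from the
# Microsoft doc linked above, not from this thread.
DEFENDER_RESOURCE = "https://api.securitycenter.microsoft.com"
EXPECTED_ROLES = {"Alert.Read.All"}   # step 1 grants exactly this application permission


def build_token_request(token_endpoint_v1, client_id, client_secret):
    """Client-credentials grant against the 'OAuth 2.0 token endpoint (v1)' URL."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # the secret's Value, not its Secret ID
        "resource": DEFENDER_RESOURCE,
    }).encode()
    return urllib.request.Request(token_endpoint_v1, data=body, method="POST")

def decode_claims(access_token):
    """Read the JWT payload without verifying the signature (local inspection only)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_permissions(claims):
    """Return problems found; an empty list means the app matches step 1 exactly."""
    problems = []
    if claims.get("aud") != DEFENDER_RESOURCE:
        problems.append("wrong audience: %r" % claims.get("aud"))
    roles = set(claims.get("roles", []))   # application permissions land in 'roles'
    if "Alert.Read.All" not in roles:
        problems.append("Alert.Read.All missing (admin consent not granted?)")
    if roles - EXPECTED_ROLES:
        problems.append("broader than needed: %s" % sorted(roles - EXPECTED_ROLES))
    return problems

def fetch_and_check(token_endpoint_v1, client_id, client_secret):
    """Live check: POST to the token endpoint, then inspect the token it returns."""
    req = build_token_request(token_endpoint_v1, client_id, client_secret)
    with urllib.request.urlopen(req) as resp:
        return check_permissions(decode_claims(json.load(resp)["access_token"]))

def unsigned_token(claims):
    """Constructed sample token for offline testing only; carries no real signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + ".sig"
```

Run `fetch_and_check(<v1 token endpoint>, <client ID>, <secret value>)` with your own values; an empty list means the credentials IDR will use are good, and each problem string names what to fix in Azure AD.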