Microsoft Defender ATP

Microsoft Defender Advanced Threat Protection (ATP) is a threat detection and response product that is available on a free trial or subscription basis. You can configure Microsoft Defender ATP as a Third Party Alert event source in InsightIDR, which allows you to parse onboarded system logs through an API. This article guides you through the Microsoft Defender ATP event source configuration procedure.

What you should know about InsightIDR alerting for this event source:

  • InsightIDR generates alerts for all ATP events with a severity of medium or higher. Events categorized as Malware, Ransomware, or Exploit with a severity of medium or higher will generate virus alerts. All other events with a severity of medium or higher will generate third party alerts.
  • All ATP events with a low severity are sent to Log Search. While we don’t generate alerts for low severity events, you can still access them in Log Search by selecting Unparsed Logs > [Name of the Event Source].
  • InsightIDR suppresses alerts related to remediated threats to reduce the amount of benign alerts that you receive.

Before You Begin

To configure Microsoft Defender ATP as an event source, verify that your organization meets the following conditions:

Enable SIEM Integration in Microsoft Defender ATP

To configure this event source, you must first enable the SIEM integration option in Microsoft Defender ATP. Enabling this option produces a series of “SIEM application details” that you will copy to InsightIDR when you add the new event source.

Follow the instructions in this Microsoft document to enable SIEM integration:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration

IMPORTANT

Carefully note the client secret that is produced when you enable the SIEM integration option. For security reasons, your client secret will only display once, so you need to make sure that you copy the client secret at this time. If you need to generate a new secret, see the following Microsoft document:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-custom-ti#learn-how-to-get-a-new-client-secret

Keep the “SIEM application details” page open and available during the rest of this event source configuration procedure. You will copy these values to InsightIDR in the next step.

Configure Microsoft Defender ATP as an Event Source in InsightIDR

With your SIEM application details open and available, you can add Microsoft Defender ATP as a new Third Party Alert event source in InsightIDR.

To add this event source:

  1. In InsightIDR, open the Data Collection tab in your left menu.
  2. On the “Data Collection Management” page, expand the Setup Event Source dropdown link and click Add Event Source.
  3. Browse to the “Third Party Alerts” section of the “Add Event Source” window and click Microsoft Defender ATP.
  4. Select your collector from the dropdown list.
  5. If desired, give this event source configuration a name.
  6. Expand the dropdown under “Credential” and select Create new.
  7. Name your credential. You will be able to select the credential by this name in other event source configurations.

TIP - Check your SIEM application details

The fields detailed in step 8 require values from the SIEM application details that were generated when you enabled SIEM integration in Microsoft Defender ATP.

  8. Copy the values shown for the following Microsoft Defender ATP fields and paste them into the matching fields provided in the event source configuration of InsightIDR:
     • “Client ID”
     • “Client Secret”
     • “Authorization Server URL”
  9. Select your data region from the dropdown list.
  10. Click Save when finished.

Your Microsoft Defender ATP event source will immediately begin listening for logs generated from onboarded assets.

Verify the Configuration

After you’ve configured the event source, view your raw logs to ensure that events are reaching the Collector. As the three examples below show, the location of your log data varies by data type.

To view your logs:

  1. From the left menu, click Log Search.
  2. Do one of the following:
  • To view anti-virus logs, click Virus Infection > [Name of the Microsoft Defender ATP event source].
  • To view third-party logs, click Third Party Alert > [Name of the Microsoft Defender ATP event source].
  • To view Unparsed logs, click Unparsed > [Name of the Microsoft Defender ATP event source].

Sample Logs

Virus Infection

{
  "timestamp": "2020-06-11T00:40:27.940Z",
  "asset": "jdoedev042.acme.com",
  "user": "George Herman Ruth Jr.",
  "user_domain": "acme.com",
  "source_address": "jdoedev042.acme.com",
  "risk": "Trojan:Win32/Ludicrouz.Y",
  "action": "invalid_action",
  "source_json": {
    "AlertTime": "2020-06-11T00:40:27.9406632Z",
    "ComputerDnsName": "jdoedev042.acme.com",
    "AlertTitle": "'Ludicrouz' malware was detected",
    "Category": "Malware",
    "Severity": "Informational",
    "AlertId": "da637123456789123456_-1234123400",
    "Actor": "",
    "LinkToWDATP": "https://securitycenter.windows.com/alert/da637123456789123456_-1234123400",
    "IocName": "",
    "IocValue": "",
    "CreatorIocName": "",
    "CreatorIocValue": "",
    "Sha1": "abcdef0123456789ffffffff0000000012345678",
    "FileName": "SoftonicDownloader_for_wholockme-explorer-extension.exe",
    "FilePath": "C:\\Program Files\\Legit Programs",
    "IpAddress": "",
    "Url": "",
    "IoaDefinitionId": "d60f5b90-ecd8-4d77-8186-a801597ec762",
    "UserName": "",
    "AlertPart": 0,
    "FullId": "da637123456789123456_-1234123400:ABC34_FaKE1234EdsoMla8oIAs+IOx0NjJjtD3M98h8=",
    "LastProcessedTimeUtc": "2020-06-11T00:42:25.4301645Z",
    "ThreatCategory": "Trojan",
    "ThreatFamily": "Ludicrouz",
    "ThreatName": "Trojan:Win32/Ludicrouz.Y",
    "RemediationAction": "invalid_action",
    "RemediationIsSuccess": null,
    "Source": "Antivirus",
    "Md5": "",
    "Sha256": "489d53c2437a4badb8c9d183468987aad182b23d727bc41e5416ca05a643eb97",
    "WasExecutingWhileDetected": false,
    "UserDomain": "",
    "LogOnUsers": "",
    "MachineDomain": "acme.com",
    "MachineName": "jdoedev042",
    "InternalIPv4List": "10.1.100.25;127.0.0.1",
    "InternalIPv6List": "abcd::1234:fb51:2276:55be;::1",
    "FileHash": "abcdef0123456789ffffffff0000000012345678",
    "DeviceID": "aaaaaacc0e50086f0e9a6fa002e6805250bbbbbb",
    "MachineGroup": "Windows 10 Machines",
    "Description": "Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.",
    "DeviceCreatedMachineTags": "",
    "CloudCreatedMachineTags": "",
    "CommandLine": "",
    "IncidentLinkToWDATP": "https://securitycenter.windows.com/incidents/byalert?alertId=da637123456789123456_-1234123400&source=SIEM",
    "ReportID": 1234567890,
    "ExternalId": "04B2FAKENOOZ3BA59BAB866D24BEADA460C39C1F",
    "IocUniqueId": "ABC34_FaKE1234EdsoMla8oIAs+IOx0NjJjtD3M98h8="
  }
}

Third Party Alert

{
  "timestamp": "2020-06-11T14:36:23.792Z",
  "product": "MICROSOFT_DEFENDER_ATP",
  "type": "Execution",
  "severity": "Medium",
  "title": "Suspicious URL clicked",
  "description": "A user opened a potentially malicious URL. This alert was triggered based on a Office 365 ATP alert.",
  "alert_id": "d60f5b90-ecd8-4d77-8186-a801597ec761",
  "user": "George Herman Ruth Jr.",
  "asset": "companyserver.acmecorp.com",
  "source_json": {
    "AlertTime": "2020-06-11T14:36:23.7921017Z",
    "ComputerDnsName": "companyserver.acmecorp.com",
    "AlertTitle": "Suspicious URL clicked",
    "Category": "Execution",
    "Severity": "Medium",
    "AlertId": "da637123456789123456_-123412340",
    "Actor": "",
    "LinkToWDATP": "https://securitycenter.windows.com/alert/da637123456789123456_-123412340",
    "IocName": "",
    "IocValue": "",
    "CreatorIocName": "",
    "CreatorIocValue": "",
    "Sha1": "",
    "FileName": "",
    "FilePath": "",
    "IpAddress": "",
    "Url": "https://ms.outlook.com/?url=http%3A%2F%2F2google.com%2Freal%2furl&parameter=0",
    "IoaDefinitionId": "d60f5b90-ecd8-4d77-8186-a801597ec761",
    "UserName": "babe.ruth",
    "AlertPart": 0,
    "FullId": "da637123456789123456_-123412340:ABC34_FaKE1234EdsoMla8oIAs+IOx0NjJjtD3M98h8=",
    "LastProcessedTimeUtc": "2020-06-11T15:07:20.475304Z",
    "ThreatCategory": "",
    "ThreatFamily": "",
    "ThreatName": "",
    "RemediationAction": "",
    "RemediationIsSuccess": null,
    "Source": "Microsoft Threat Protection",
    "Md5": "",
    "Sha256": "",
    "WasExecutingWhileDetected": null,
    "UserDomain": "acmecorp",
    "LogOnUsers": "acmecorp\\babe.ruth",
    "MachineDomain": "acmecorp.com",
    "MachineName": "companyserver",
    "InternalIPv4List": "10.1.100.25;127.0.0.1",
    "InternalIPv6List": "abcd::1234:fb51:2276:55be;::1",
    "FileHash": "",
    "DeviceID": "4919a03922efd081394504f7ed15c05f5770c4e3",
    "MachineGroup": "Windows 10 Machines",
    "Description": "A user opened a potentially malicious URL. This alert was triggered based on a Office 365 ATP alert.",
    "DeviceCreatedMachineTags": "",
    "CloudCreatedMachineTags": "",
    "CommandLine": "\"OUTLOOK.EXE\" ",
    "IncidentLinkToWDATP": "https://securitycenter.windows.com/incidents/byalert?alertId=da637123456789123456_-123412340&source=SIEM",
    "ReportID": 1234567890,
    "ExternalId": "04B2FAKENOOZ3BA59BAB866D24BEADA460C39C1F",
    "IocUniqueId": "ABC34_FaKE1234EdsoMla8oIAs+IOx0NjJjtD3M98h8="
  }
}

Unparsed

{
  "AlertTime": "2020-04-06T18:51:07.9071511Z",
  "ComputerDnsName": "dev-1543",
  "AlertTitle": "Microsoft Defender ATP detected 'Gen:Heur.Krypt.24' malware",
  "Category": "Malware",
  "Severity": "Informational",
  "AlertId": "da637123456789123456_-1234123400",
  "Actor": "",
  "LinkToWDATP": "https://securitycenter.windows.com/alert/da637123456789123456_-1234123400",
  "IocName": "",
  "IocValue": "",
  "CreatorIocName": "",
  "CreatorIocValue": "",
  "Sha1": "abcdef0123456789ffffffff0000000012345678",
  "FileName": "zdravooo.exe",
  "FilePath": "/Volumes/DEFINITELY/LEGIT/zdravooo.exe/",
  "IpAddress": "",
  "Url": "",
  "IoaDefinitionId": "e9e7c54e-5067-4247-9dd0-ab939a550159",
  "UserName": "",
  "AlertPart": 0,
  "FullId": "da637123456789123456_-1234123400:ABC34_FaKE1234EdsoMla8oIAs+IOx0NjJjtD3M98h8=",
  "LastProcessedTimeUtc": "2020-04-06T18:51:09.1541829Z",
  "ThreatCategory": "",
  "ThreatFamily": "",
  "ThreatName": "",
  "RemediationAction": "",
  "RemediationIsSuccess": null,
  "Source": "Antivirus",
  "Md5": "",
  "Sha256": "",
  "WasExecutingWhileDetected": null,
  "UserDomain": "",
  "LogOnUsers": "\\babe.ruth",
  "MachineDomain": "",
  "MachineName": "dev-1543",
  "InternalIPv4List": "10.1.100.25;127.0.0.1",
  "InternalIPv6List": "abcd::1234:fb51:2276:55be;::1",
  "FileHash": "abcdef0123456789ffffffff0000000012345678",
  "DeviceID": "23c0b68a058ae0a00006b1b474208616565c749e",
  "MachineGroup": "Ungrouped machines",
  "Description": "",
  "DeviceCreatedMachineTags": "",
  "CloudCreatedMachineTags": "",
  "CommandLine": "",
  "IncidentLinkToWDATP": "https://securitycenter.windows.com/incidents/byalert?alertId=da637123456789123456_-1234123400&source=SIEM",
  "ReportID": 1234567890,
  "ExternalId": "04B2FAKENOOZ3BA59BAB866D24BEADA460C39C1F",
  "IocUniqueId": "ABC34_FaKE1234EdsoMla8oIAs+IOx0NjJjtD3M98h8="
}
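The following Python script is an added example, not Rapid7's or Microsoft's code. It applies the alerting rules stated at the top of this article (virus alert for Malware, Ransomware or Exploit at Medium or higher; third party alert for any other category at Medium or higher; Log Search only below Medium; suppression of remediated threats) to raw alerts shaped like the three samples above, and it normalizes the 7-digit AlertTime to the millisecond "timestamp" form the samples show. The field names it reads are the ones visible in the samples; treating RemediationIsSuccess being true as the "remediated threat" test, and the severity ordering Informational < Low < Medium < High, are assumptions. All input records are constructed, modelled on the samples rather than taken from a real tenant.

```python
"""Route raw Microsoft Defender ATP SIEM alerts the way the article's alerting rules
describe. Added example; not Rapid7's or Microsoft's code."""
import json

# Defender ATP severity values, ordered from lowest to highest (assumed ordering).
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
# Categories the article says raise virus alerts rather than third party alerts.
VIRUS_CATEGORIES = {"Malware", "Ransomware", "Exploit"}


def normalize_timestamp(alert_time: str) -> str:
    """Reduce Defender's 7-digit fractional seconds to the millisecond form seen in
    InsightIDR's 'timestamp' field. The samples truncate rather than round:
    .9406632Z becomes .940Z."""
    base, _, frac = alert_time.rstrip("Z").partition(".")
    return f"{base}.{(frac + '000')[:3]}Z"


def decide(alert: dict) -> str:
    """Return the outcome InsightIDR gives one alert:
    'suppressed'  - threat already remediated (assumption: RemediationIsSuccess is true)
    'log_only'    - below Medium severity; reaches Log Search, no alert is raised
    'virus'       - Medium or higher, category Malware / Ransomware / Exploit
    'third_party' - Medium or higher, any other category"""
    if alert.get("RemediationIsSuccess") is True:
        return "suppressed"
    # An unknown severity string ranks lowest, so it never raises an alert.
    if SEVERITY_RANK.get(alert.get("Severity", ""), 0) < SEVERITY_RANK["Medium"]:
        return "log_only"
    if alert.get("Category") in VIRUS_CATEGORIES:
        return "virus"
    return "third_party"


def route(raw: str) -> dict:
    """Parse one raw alert (a JSON string) into a compact record with its outcome."""
    alert = json.loads(raw)
    return {
        "outcome": decide(alert),
        "timestamp": normalize_timestamp(alert["AlertTime"]),
        "asset": alert.get("ComputerDnsName", ""),
        # Antivirus alerts carry ThreatName; other sources leave it empty, so fall back.
        "risk": alert.get("ThreatName") or alert.get("AlertTitle", ""),
        "alert_id": alert.get("AlertId", ""),
    }


def _sample(**fields) -> str:
    """Build a constructed raw alert containing the fields the routing logic reads."""
    base = {"Actor": "", "RemediationAction": "", "RemediationIsSuccess": None,
            "ThreatName": "", "AlertId": "da637123456789123456_-1234123400"}
    base.update(fields)
    return json.dumps(base)


# Constructed inputs modelled on the three samples in the article, plus two cases the
# samples do not show: a High-severity ransomware alert before and after remediation.
# Threat names and hostnames in the last two records are invented.
SAMPLE_ALERTS = [
    _sample(AlertTime="2020-06-11T00:40:27.9406632Z", ComputerDnsName="jdoedev042.acme.com",
            AlertTitle="'Ludicrouz' malware was detected", Category="Malware",
            Severity="Informational", ThreatName="Trojan:Win32/Ludicrouz.Y"),
    _sample(AlertTime="2020-06-11T14:36:23.7921017Z", ComputerDnsName="companyserver.acmecorp.com",
            AlertTitle="Suspicious URL clicked", Category="Execution", Severity="Medium"),
    _sample(AlertTime="2020-04-06T18:51:07.9071511Z", ComputerDnsName="dev-1543",
            AlertTitle="Microsoft Defender ATP detected 'Gen:Heur.Krypt.24' malware",
            Category="Malware", Severity="Informational"),
    _sample(AlertTime="2020-06-12T09:00:00.0000000Z", ComputerDnsName="fileserver01.acme.com",
            AlertTitle="Ransomware behavior detected", Category="Ransomware", Severity="High",
            ThreatName="Ransom:Win32/Example.A"),
    _sample(AlertTime="2020-06-12T09:05:00.0000000Z", ComputerDnsName="fileserver01.acme.com",
            AlertTitle="Ransomware behavior detected", Category="Ransomware", Severity="High",
            ThreatName="Ransom:Win32/Example.A", RemediationIsSuccess=True),
]


def summarize(raw_alerts=SAMPLE_ALERTS) -> list:
    """Route every alert and return the records in input order."""
    return [route(raw) for raw in raw_alerts]


if __name__ == "__main__":
    for rec in summarize():
        print(f"{rec['outcome']:<12} {rec['timestamp']}  {rec['asset']:<28} {rec['risk']}")
```

Run as-is, the script shows that the first and third sample alerts (both Informational) never raise an alert even though one is categorized as Malware, which is why they are only found under Log Search; the Medium Execution alert becomes a third party alert; and only the unremediated High Ransomware record becomes a virus alert. When you verify a new event source, comparing an alert's Severity and Category against these rules is a quick way to tell whether its absence from the Virus Infection or Third Party Alert log sets is expected or a configuration problem.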