AttackIQ How-to: Configure Direct Integration with Microsoft Defender ATP

Document Revision: 1.0
Last Revision Date: 15-May-2020


Copyright: © 2019 AttackIQ LLC. All Rights Reserved.

2901 Tasman Dr. Suite 112
Santa Clara, CA 95054
[email protected]
+1 (888) 588-9116

Learn more at https://www.attackiq.com/platform/

About AttackIQ: the AttackIQ Platform enables continuous validation that your security controls, processes and people are working as intended and delivering ROI. It seamlessly integrates into any existing network, delivering immediate visibility into your security program so you can uncover gaps in coverage, identify misconfigurations, and quickly prioritize remediation efforts.


Table of Contents

Overview
    Conventions
Prerequisites
Procedures
    Enable SIEM integration in Microsoft Defender ATP
    Assign permissions to the WindowsDefenderATPSiemConnector application
    Configure and enable the AttackIQ connector for Microsoft Defender ATP

      

Overview

This document describes the process of configuring a Direct Integration between the AttackIQ platform and Microsoft Defender Advanced Threat Protection (ATP). It is not intended to provide comprehensive information about the components referenced herein, nor is it intended to provide an exhaustive explanation of the feature-functionality described in the procedures. Refer to the context-sensitive Help section of the AttackIQ platform UI for more information on feature-functionality.

Conventions

The following typographical conventions are used throughout this document:

Italics: Indicates URLs, DNS domain names, email addresses, file names, and file extensions.

Fixed width with gray background: Used for program listings and program elements such as environment variables, functions, variables, data types, and keywords.

Fixed width bold with gray background: Used for commands or other text that should be typed exactly as shown.


    Used for text that should be replaced with user-supplied input or values determined by context. 

Prerequisites

This document assumes your organization has an active AttackIQ tenancy and has installed Integration Manager. For additional information about installing Integration Manager, consult the context-sensitive Help in the Technology Stack section of the AttackIQ platform or contact your AttackIQ account team. This document also assumes you have an active Microsoft Defender ATP tenant. Before beginning, you will also need:

● A Microsoft Defender Security Center user account (usually an Azure AD account with the Security Administrator role assigned).
● An Azure AD account with either the Application Administrator or the Global Administrator role assigned.
● The Directory (tenant) ID of your Microsoft Azure/Microsoft Defender ATP tenant.
● The URL of your AttackIQ tenancy.
● An AttackIQ user account with the Admin role assigned.

Procedures

Enable SIEM integration in Microsoft Defender ATP

This procedure is only necessary if the Windows Defender SIEM Connector has not previously been activated. If the Windows Defender SIEM Connector has already been activated, proceed to the next section. To activate the Windows Defender SIEM Connector:

1. Follow steps 1 and 2 of the procedure described at https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration

2. Save the Client ID and Client secret for later use; they will be needed in a subsequent procedure. Note: the Client secret is displayed only once. Do not leave the SIEM Settings page without saving the Client secret.


    Assign permissions to the WindowsDefenderATPSiemConnector application 

1. Log in to the Microsoft Azure Portal at https://portal.azure.com with a user account that has either the Application Administrator or Global Administrator role assigned.

2. Type App Registrations in the Search bar.

3. Click App Registrations in the search results.

4. Click All applications on the App registrations page.

     


    5. Select WindowsDefenderATPSiemConnector from the Application list.

     


    6. Select API permissions from the left-hand menu.

     7. Click the Add a permission button.

     


8. Select the APIs my organization uses tab on the Request API permissions fly-out.

9. Type WindowsDefender in the Search field.

10. Select WindowsDefenderATP from the search results.

11. Select the Delegated permissions category.

     


    12. Expand the AdvancedQuery permission and select the AdvancedQuery.Read checkbox.

     13. Select the Application permissions category.

14. Expand the AdvancedQuery permission and select the AdvancedQuery.Read.All checkbox.

     15. Expand the Alerts permission and select the Alert.Read.All checkbox.

     


    16. Expand the Machine permission and select the Machine.Read.All checkbox.

     17. Click the Add permissions button.

     


    18. Click the Grant admin consent for… button.
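A check worth running once admin consent has been granted and before the connector is configured: request a token for the WindowsDefenderATPSiemConnector application with the Client ID, Client secret and Directory (tenant) ID collected above, and confirm that the token's roles claim lists the three application permissions assigned in steps 13 through 17. This Python script is an added example, not part of the AttackIQ document or product; the token endpoint and the resource URI follow Microsoft's client-credentials documentation for the Defender ATP API and should be confirmed against current docs, and the sample token used for offline testing is constructed.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Application permissions assigned in the how-to; after admin consent the
# token's "roles" claim must list every one of them.
REQUIRED_ROLES = {"AdvancedQuery.Read.All", "Alert.Read.All", "Machine.Read.All"}

# Assumed resource identifier for the Defender ATP API (per Microsoft's
# client-credentials docs); confirm against current documentation.
RESOURCE = "https://api.securitycenter.microsoft.com"


def decode_jwt_payload(token):
    """Return the JSON payload of a JWT without checking its signature.

    No verification is needed: we only read claims from a token the identity
    provider issued to us moments ago, to see which roles were consented.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def missing_roles(token, required=REQUIRED_ROLES):
    """Return the required application permissions absent from the token."""
    granted = set(decode_jwt_payload(token).get("roles", []))
    return sorted(required - granted)


def request_token(tenant_id, client_id, client_secret):
    """Obtain an access token for the connector app via client credentials."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": RESOURCE,
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def make_sample_token(roles):
    """Build an unsigned, constructed JWT so the role check can run offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc({'roles': roles})}."


if __name__ == "__main__":
    # Credentials come from the environment so the secret never lands on disk.
    tok = request_token(os.environ["TENANT_ID"], os.environ["CLIENT_ID"],
                        os.environ["CLIENT_SECRET"])
    gaps = missing_roles(tok)
    print("all required permissions present" if not gaps else f"missing: {gaps}")
```

If any role is reported missing, re-check steps 13 through 18, since consent that was never granted is the usual cause.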

     

Configure and enable the AttackIQ connector for Microsoft Defender ATP

This procedure requires the Azure Directory (tenant) ID, the WindowsDefenderATPSiemConnector Application/Client ID, and the Client secret from the Enable SIEM integration in Microsoft Defender ATP section of this document.

    1. Log in to your AttackIQ Tenancy at https://.attackiq.com (where  is the subdomain assigned to your AttackIQ tenancy) with a user account with the Admin role. 

    2. Click the Navigation menu in the upper left corner.

     


    3. Click the chevron next to Technology Stack then click Integration Configuration.

     


    4. Scroll down to the Microsoft Defender ATP tile in the Available Integrations section and click the Configure button.

     


    5. Type your Microsoft Azure Directory (tenant) ID in the Tenant ID field.

     


    6. Type the Application (client) ID of the WindowsDefenderATPSiemConnector application in the Client ID field.

     


    7. Type the Client secret for the WindowsDefenderATPSiemConnector application in the Client secret field.

8. Select a regional API endpoint appropriate to your location from the Choose closest region for API endpoint drop-down menu (this example uses the API endpoint for North America).

     


    9. Click the Save Configuration button.

Note: All other fields are optional and/or safe to leave at their default values.

    10. Scroll up to the Configured Integrations section. 


    11. Click the Enable button on the Microsoft Defender ATP tile.

     


Note: You will see a notification indicating that the integration will be available in 1-2 minutes, and the status will change from Disabled to Pending to Active.

     

Getting additional assistance

For additional assistance, please send an email to [email protected]