This article has been updated to reflect changes to the Azure AD Application registration process and to point users to a new MineMeld output node. The old node will be deprecated.
If you are not familiar with MineMeld, we recommend you start with a Quick Tour.
MineMeld can aggregate multiple threat intelligence feeds and extend them to your Windows Defender ATP tenant. Windows Defender ATP can ingest:
There are three steps to connecting MineMeld to Windows Defender ATP:
Azure Active Directory Configuration
Create a name for this application. All of the alerts tied to the threat intelligence coming from MineMeld will be attributed to this application name. We recommend calling this "Palo Alto Networks MineMeld" to avoid any confusion.
NOTE: You do not need to set a redirect URI.
Click Add a Permission.
Click APIs my organization uses, type “Windows” in the search bar, and select WindowsDefenderATP.
Click New Client Secret.
Copy the client secret you created.
Click the GitHub icon in the lower right-hand corner, then copy the link “https://github.com/PaloAltoNetworks/minemeld-wd-atp.git” and paste it into the Repository URL field. Click the dropdown menu for Version, select “master”, then click Install.
Click the checkmark to activate the extension.
The extension will activate shortly, and the empty square will signify the extension is active.
NOTE: After the restart completes, make sure you refresh the browser page.
Setting Up the Output Node to Complete the Integration
NOTE: The “microsoft_wd_atp.output” node will be deprecated as it relies on an older API interface. Please do not use that node.
NOTE: To understand the concepts of input nodes and what to connect to this, refer to the MineMeld documentation on LIVEcommunity.
Click NODES on the top menu and search for the node you just created. Click the node to pull up the configuration.
In Azure AD, enter the Client ID (Application), Client Secret, and Tenant (Directory) ID you copied earlier when you created the MineMeld application.
NOTE: After this is done, your configuration is complete.
To validate that this is hooked up correctly, verify that an event fires when you try to access a blocked website. We recommend creating an indicator tied to a known good website for this, so that you are not actively visiting a malicious website.
You can find out more information about this capability by reading Pushing custom Indicator of Compromise (IoCs) to Microsoft Defender ATP on the Microsoft website.