How to configure MineMeld to send Indicators to Microsoft Windows Defender ATP

by fvigo a month ago - edited a month ago (305 Views)

Instructions for sending IOCs to Windows Defender ATP using MineMeld

 

MineMeld can be used to aggregate multiple threat intelligence feeds and push the resulting indicators to your Windows Defender ATP tenant. Windows Defender ATP can ingest:

  • IPv4 addresses

  • File hashes

  • URLs

  • Domains and FQDNs

There are three steps to connecting MineMeld to Windows Defender ATP:

  1. First, you will need to create an Application in Azure Active Directory. You will assign scopes from your Windows Defender ATP tenant to this application, and all alerts raised on the threat intelligence it provides will be attributed to this application name. The MineMeld output node will authenticate as this application.

  2. You will then install the Windows Defender ATP extension in MineMeld.

  3. Finally, you will configure the extension to connect to the Windows Defender ATP tenant.

 

Azure Active Directory Configuration

  1. Log in to the Azure Portal (portal.azure.com).

  2. Go to Azure Active Directory.

  3. Navigate to Enterprise Applications, then App Registrations, and click on "New application registration".

    image1.png

 

  4. You will need to choose a name for this application; all alerts tied to the threat intelligence coming from MineMeld will be attributed to this application name. We recommend calling it "Palo Alto Networks MineMeld" to avoid any confusion.

  5. Set the Application type to "Web App / API".

  6. The Sign-on URL is not used, but the field is mandatory. A local URL such as http://localhost/test is fine.

    image2.png

Please note that the Application ID will be used to configure both the threat feed in your Windows Defender ATP tenant and the MineMeld extension.

image3.png

 

  7. Under the application "Settings", navigate to "Required Permissions" and click on "Add".

image4.png

 

  8. Select WindowsDefenderATP as the API. First click on "Select an API". You can find it by typing "windows" in the search box, then click on "WindowsDefenderATP".

image5.png

 

  9. Under "Application Permissions" (not Delegated Permissions) select "Read and write IOCs belonging to the app" and click on "Select":

    image6.png

  10. Click "Done".

    image7.png

 

  11. Back on the settings page, click "Grant permissions".

image8.png

 

  12. Click "Yes" to grant this App permission to publish IOCs to WD-ATP.

image9.png

 

(OPTIONAL) If you want, you can review the effective permissions by navigating to "Azure Active Directory", then "Enterprise Applications". Find the App you just created ("Palo Alto Networks MineMeld" in the example), select it and click on "Permissions":

image10.png

 

  13. Back in "App Registrations", under "Settings", navigate to "Keys". Create a new key by providing a name and a duration, then click on Save. Write down the value of the key: it is displayed only once, on this screen. If you miss it, you will have to delete the old key and create a new one. Copy the key value to your notes; you will need it along with the Application ID to configure MineMeld:

image11.png

  14. If you haven't done so already, copy the "Application ID" of your application; you will need it later to configure MineMeld:

image12.png

  15. Finally, copy the Tenant ID (shown as "Directory ID") by navigating to the "Properties" page of Azure Active Directory. Write it in your notes:

image13.png
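Before typing these three values into MineMeld it is worth confirming that the app registration actually works. The following Python script is added here as an example and is not part of this article or of the MineMeld extension: it builds the client-credentials token request from the Tenant ID, Application ID and key collected above, then decodes the returned access token and checks that it carries the Ti.ReadWrite role (the application permission behind "Read and write IOCs belonging to the app"). The token endpoint, resource URL and role name are assumed from the Azure AD and WD ATP API conventions of the time; the sample token used for offline testing is constructed and unsigned.

```python
import base64
import json
import sys
import urllib.parse
import urllib.request
# Azure AD (v1) token endpoint and the WD ATP API resource for the client-credentials grant (assumed).
TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/token"
WDATP_RESOURCE = "https://api.securitycenter.windows.com"
REQUIRED_ROLE = "Ti.ReadWrite"  # permission name behind "Read and write IOCs belonging to the app"

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the token request built from the three values collected above."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": WDATP_RESOURCE,
    })
    return TOKEN_URL.format(tenant_id=tenant_id), body

def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_roles(access_token):
    """Read the 'roles' claim from a JWT payload. No signature check: local diagnostic only."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1])).get("roles", [])

def has_ioc_permission(access_token):
    """True when the token carries the IOC read/write role, i.e. 'Grant permissions' took effect."""
    return REQUIRED_ROLE in token_roles(access_token)

def make_unsigned_sample_token(roles):
    """Constructed, unsigned JWT carrying the given roles, for offline testing of the checks above."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc({"aud": WDATP_RESOURCE, "roles": roles}) + "."

def check_app(tenant_id, client_id, client_secret):
    # Request a real token with the app's credentials and report whether it has the IOC role.
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(url, data=body.encode()) as resp:
        token = json.loads(resp.read())["access_token"]
    return token_roles(token), has_ioc_permission(token)

if __name__ == "__main__":  # usage: python check_wdatp_app.py <tenant_id> <client_id> <client_secret>
    roles, ok = check_app(*sys.argv[1:4])
    print("roles:", roles, "| OK" if ok else "| MISSING Ti.ReadWrite: click 'Grant permissions' in Azure AD")
```

If the token is issued but the role is missing, the usual cause is that "Grant permissions" (step 11) was never clicked or was clicked by a user without admin rights.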

 

MineMeld Configuration

  1. On MineMeld, go under "System" and "Extensions". Click on the Git icon:

image14.png

 

  2. Enter the URL of the GitHub repository, https://github.com/PaloAltoNetworks/minemeld-wd-atp.git, and click "Retrieve":

image15.png

  3. Select the version (Master) and click "Install":

image16.png

The installation should complete shortly afterwards:

image17.png

 

  4. Click on the enable button and confirm:

image18.png

 

The extension will activate shortly:

image19.png

 

Note: the empty square means that the extension is active.

  5. Go back to the System page and restart the API:

image20.png

 

After the restart completes, make sure you refresh the browser page.

 

Integration Configuration

  1. In MineMeld, go to Config - Prototypes:

image21.png

 

  2. In the search box type "Microsoft". Find "microsoft_wd_atp.output" and click on it:

image22.png

 

  3. Click on "Clone":

image23.png

 

  4. Give the node a name and connect it to the input nodes you want it to use (your threat intel feeds), then click "OK":

image24.png

 

Note: to understand the concept of input nodes and what to connect to this output node, refer to the MineMeld documentation.

 

  5. Click on Commit:

image25.png

 

  6. Under Nodes, search for "atp" (or for the name you gave to your node, Windows_defender_ATP in this example) and click on it:

image26.png

  7. Open the SETTINGS page. Set client_id (the Azure Application ID), client_secret (the Azure Application key) and tenant_id (the Azure Active Directory ID) to the values you collected earlier:

image27.png

 

The configuration is now complete.

 

Testing

Once indicators are being sent to WDATP, you can try to reach one of them from a protected endpoint; the corresponding alerts should appear in Windows Defender ATP:

image28.jpeg

image29.jpeg

 
