MineMeld can aggregate multiple threat intelligence feeds and push the resulting indicators to your Windows Defender ATP tenant. Windows Defender ATP can ingest:
Domains and FQDNs
There are three steps to connecting MineMeld to Windows Defender ATP:
First, you will create an Application in Azure Active Directory. You will grant this application permissions on the Windows Defender ATP API, and every alert raised by the threat intelligence it provides will be attributed to this application name. The MineMeld node for Windows Defender ATP will authenticate as this application.
You will then install the Windows Defender extension in MineMeld.
Finally, you will configure the extension to connect to the Windows Defender ATP tenant.
Log in to the Azure Portal (portal.azure.com)
Go to Azure Active Directory
Navigate to App Registrations (listed alongside Enterprise Applications) and click on New Application Registration
You will need to create a name for this application, and all of the alerts tied to the threat intelligence coming from MineMeld will be attributed to this application name. We recommend calling this "Palo Alto Networks MineMeld" to avoid any confusion.
Set the Application type to "Web App / API"
The Sign-on URL is not used, but the field is mandatory. A local URL such as http://localhost/test is fine.
Please note, the Application ID will be used to configure both the threat feed in your Windows Defender ATP tenant and the MineMeld extension.
Under "Application Permissions" (not Delegated Permissions) select "Read and write IOCs belonging to the app" and click on "Select". Note that application permissions take effect only after an administrator grants consent for the tenant; until then, tokens issued to the application will not carry this permission:
(OPTIONAL) If you want, you can review the effective permissions by navigating to "Azure Active Directory" , "Enterprise Applications" . Find the App you just created (Palo Alto Networks MineMeld in the example), select it and click on "Permissions":
Back in "App Registrations", under "Settings", navigate to "Keys". Create a new Key by providing a name and a duration, then click on Save. Write down the value of the key: it is displayed only once on this screen, and if you miss it you will have to delete the old key and create a new one. Treat the key as a credential (it grants write access to IOCs in your tenant) and store it accordingly. Copy the key value to your notes; you will need it along with the Application ID to configure MineMeld:
If you haven't done so already, copy the "Application ID" of your application, which you will need later to configure MineMeld:
In MineMeld, enter the URL of the GitHub repository, https://github.com/PaloAltoNetworks/minemeld-wd-atp.git, and click "Retrieve":
Select the version (master) and click "Install":
The installation should complete shortly afterwards:
The extension will activate shortly:
Note: the empty square means that the extension is active.
After MineMeld restarts, make sure you refresh the browser page.
Note: for the concepts of input nodes and what to connect to this node, refer to the MineMeld documentation.
Under Nodes, search for "atp" (or for the name you gave to your node, Windows_defender_ATP in this example) and click on it:
On the SETTINGS tab, set Client_ID (the Azure Application ID), client_secret (the key value you saved) and Tenant_ID (your Azure Active Directory tenant ID) to the values you collected earlier.
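Before saving the node, it is worth confirming that the three values actually work together. The extension authenticates with the client-credentials grant; the script below, an added example that is not part of MineMeld or the minemeld-wd-atp extension, does the same request and then inspects the returned token: it checks that the token was issued to your Application ID, that its audience is the Windows Defender ATP API, and that the "Read and write IOCs belonging to the app" permission is present. The token endpoint, the resource URI and the role name `Ti.ReadWrite` are assumptions about the Azure AD v1 endpoint and the WDATP API, not values stated on this page.

```python
"""Sanity-check the Azure AD application created for MineMeld: get a token with the
client-credentials grant (what the extension does) and verify its claims.

Added example, not part of MineMeld or the minemeld-wd-atp extension. Assumed values:
TOKEN_URL, RESOURCE and REQUIRED_ROLE below.
"""
import base64
import json
import sys
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/token"  # assumed (AAD v1 endpoint)
RESOURCE = "https://api.securitycenter.windows.com"                         # assumed (WDATP API resource)
REQUIRED_ROLE = "Ti.ReadWrite"  # assumed name of "Read and write IOCs belonging to the app"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form-encoded body) for a client-credentials token request."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,          # Azure Application ID
        "client_secret": client_secret,  # key value saved from the Keys blade
        "resource": RESOURCE,
    }).encode()
    return TOKEN_URL.format(tenant_id=tenant_id), body


def decode_jwt_claims(token):
    """Decode the payload of a JWT without verifying its signature (inspection only:
    the token was just issued to us over TLS, we are reading our own claims)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def make_unsigned_jwt(claims):
    """Build a token with an empty signature. Only for constructing offline samples
    to exercise decode_jwt_claims/check_claims; never accept such tokens for real."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


def check_claims(claims, client_id):
    """Return a list of problems; an empty list means the app is ready for the node."""
    problems = []
    if claims.get("appid") != client_id:
        problems.append("token was issued to a different appid than the configured Client_ID")
    if claims.get("aud") != RESOURCE:
        problems.append("token audience is not the Windows Defender ATP API")
    if REQUIRED_ROLE not in claims.get("roles", []):
        problems.append(f"application permission {REQUIRED_ROLE} missing: grant it under "
                        "Application Permissions (not Delegated) and grant admin consent")
    return problems


def fetch_token(tenant_id, client_id, client_secret):
    """Perform the token request and return the raw access token (network call)."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: check_wdatp_app.py <tenant_id> <client_id> <client_secret>")
    tenant_id, client_id, client_secret = sys.argv[1:4]
    claims = decode_jwt_claims(fetch_token(tenant_id, client_id, client_secret))
    for line in check_claims(claims, client_id) or ["OK: application is ready for the MineMeld node"]:
        print(line)
```

Run it with the same three values you are about to paste into the node. A missing `Ti.ReadWrite` role almost always means the permission was added as a Delegated permission, or admin consent was never granted; a wrong `appid` means the key belongs to a different registration than the Application ID you noted.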
The configuration is now complete.
Once indicators are being sent to Windows Defender ATP, you can verify the integration by reaching one of the indicators (for example, resolving or browsing to one of the domains) from an onboarded endpoint; the corresponding alerts should then appear in the Windows Defender ATP portal: