This article has been updated to reflect changes to the Azure AD Application registration process and to point users to a new MineMeld output node. The old node will be deprecated.
If you are not familiar with MineMeld, we recommend you start with a Quick Tour.
MineMeld can be used to aggregate multiple threat intelligence feeds and extend to your Windows Defender ATP tenant. Windows Defender ATP can ingest:
Domains and FQDNs
There are three steps to connecting MineMeld to Windows Defender ATP:
Create an application in Azure Active Directory. You will grant this application the Windows Defender ATP API permission it needs, and every alert raised by the threat intelligence it supplies will be attributed to this application name. The MineMeld Miner will be associated with this application.
Install the Windows Defender extension in MineMeld.
Configure the extension to connect to the Windows Defender ATP tenant.
Azure Active Directory Configuration
Log in to the Azure Portal (portal.azure.com).
Go to Azure Active Directory.
Navigate to Enterprise Applications > App Registrations > click New Application Registration.
Create a name for this application. All of the alerts tied to the threat intelligence coming from MineMeld will be attributed to this application name. We recommend calling this "Palo Alto Networks MineMeld" to avoid any confusion.
NOTE: You do not need to set a redirect URI.
From the Application page, click API Permissions.
Click Add a Permission.
Click APIs my organization uses, type "Windows" in the search bar, and select WindowsDefenderATP.
Click Application Permissions, select “Ti.ReadWrite” and then click Add Permissions.
Grant admin consent.
From the Application page, click Certificates and Secrets.
Click New Client Secret.
Copy the client secret you created; it is shown only once.
You will also need to copy the Application (client) ID and the Directory (tenant) ID from the application's Overview page.
In MineMeld, go under SYSTEM and click the Extensions icon.
Click the GitHub icon in the lower right-hand corner, then copy this link "https://github.com/PaloAltoNetworks/minemeld-wd-atp.git" and paste it into the Repository URL field. Open the Version dropdown, select "master", and click Install.
Click the checkmark to activate the extension.
The extension will activate shortly, and the empty square will signify the extension is active.
You will need to go back to the SYSTEM page and restart the API.
NOTE: After the restart completes, make sure you refresh the browser page.
Setting Up the Output Node to Complete the Integration
In MineMeld, click CONFIG, then click the Browse Prototype icon.
Type “windows” into the search bar to shorten the list, and select the “microsoft_wd_atp.outputBatch” node.
NOTE: The “microsoft_wd_atp.output” node will be deprecated as it relies on an older API interface. Please do not use that node.
Click Clone at the top right of the page.
Name the cloned node and add the appropriate threat feeds that you want to send to your Windows Defender ATP tenant in the INPUTS nodes section and then click OK.
NOTE: To understand the concepts of input nodes and what to connect to this, refer to the MineMeld documentation on LIVEcommunity.
Click the COMMIT button in the top left of the CONFIG page.
Click NODES on the top menu and search for the node you just created. Click the node to pull up the configuration.
In the node's Azure AD settings, enter the Client ID (Application ID), Client Secret, and Tenant ID (Directory ID) you copied earlier when you created the MineMeld application.
NOTE: Once these values are saved, the configuration is complete.
To validate that this is hooked up correctly, verify that an event fires when you try to access a blocked website. We recommend creating an indicator tied to a known good website for this test, so you do not have to browse to a malicious site.
Click NODES at the top and then click ADD INDICATOR.
Enter a known good IP address as the INDICATOR and add it to the input node (TYPE) you connected to your microsoft_wd_atp.outputBatch node. Then click OK.
Wait for the indicator to be pushed to your Windows Defender ATP tenant. Then try to browse to that address from a client that is running Windows Defender ATP. You should see an event fire in the Windows Defender ATP console.
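The two places where this integration usually fails silently are the Azure AD application (admin consent for Ti.ReadWrite was never granted, or the wrong ID was pasted into the node) and the validation indicator never reaching the tenant. The script below, added here as an example and not part of the original article or of the PaloAltoNetworks/minemeld-wd-atp extension, lets you check both outside MineMeld: it requests a token with the same Application ID, client secret and Directory ID you copied above, confirms the Ti.ReadWrite role is actually present in that token, and builds an alert-only indicator for a known good IP address in the shape the Defender ATP indicators API expects. It assumes the Azure AD v2.0 client-credentials token endpoint and the Microsoft Defender for Endpoint import endpoint (POST /api/indicators/import, at most 500 indicators per call); check both against Microsoft's current API reference, and treat the environment variable names and the 203.0.113.10 address as placeholders.

```python
"""Check an Azure AD app registration for Defender ATP and build an indicator
batch in the shape the indicators API accepts.

Added example, not part of the original article or the MineMeld extension.
Assumes the Azure AD v2.0 client-credentials flow and the Defender for
Endpoint indicators API (POST /api/indicators/import); verify both against
Microsoft's current API reference before relying on them.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
API_BASE = "https://api.securitycenter.microsoft.com"
REQUIRED_ROLE = "Ti.ReadWrite"          # application permission granted in the article
INDICATOR_TYPES = {"IpAddress", "DomainName", "Url", "FileSha1", "FileSha256"}
ACTIONS = {"Alert", "AlertAndBlock", "Allowed"}
MAX_BATCH = 500                          # import API limit per call (assumption)


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for a client-credentials token request."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": API_BASE + "/.default",
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_roles(access_token):
    """Read the 'roles' claim from a token we obtained ourselves.
    The signature is NOT verified: this only inspects our own token to
    confirm the admin-consented permission made it into the token, and
    must never be used to authorize anything."""
    payload = json.loads(_b64url_decode(access_token.split(".")[1]))
    return payload.get("roles", [])


def has_ti_readwrite(access_token):
    return REQUIRED_ROLE in token_roles(access_token)


def build_indicator(value, kind, action, title, description="Pushed from MineMeld"):
    """Build one indicator object; rejects types/actions the API does not know."""
    if kind not in INDICATOR_TYPES:
        raise ValueError(f"unsupported indicatorType {kind!r}")
    if action not in ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    return {
        "indicatorValue": value,
        "indicatorType": kind,
        "action": action,
        "title": title,
        "description": description,
        "severity": "Informational",
    }


def batches(indicators, size=MAX_BATCH):
    """Split a list of indicators into import-sized chunks."""
    return [indicators[i:i + size] for i in range(0, len(indicators), size)]


def push_indicators(access_token, indicators):
    """POST one batch to the import endpoint and return the parsed response."""
    req = urllib.request.Request(
        API_BASE + "/api/indicators/import",
        data=json.dumps({"Indicators": indicators}).encode(),
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed, unsigned sample token: only shows what token_roles reads.
_SAMPLE_CLAIMS = {"aud": API_BASE, "roles": ["Ti.ReadWrite"], "appid": "<app-id>"}
SAMPLE_TOKEN = ".".join(
    base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode()
    for p in ({"alg": "none", "typ": "JWT"}, _SAMPLE_CLAIMS)) + "."


if __name__ == "__main__":
    # Real run: credentials come from the environment, never from source.
    tenant, app, secret = (os.environ[k] for k in
                           ("WDATP_TENANT_ID", "WDATP_CLIENT_ID", "WDATP_CLIENT_SECRET"))
    url, body = build_token_request(tenant, app, secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as r:
        token = json.load(r)["access_token"]
    if not has_ti_readwrite(token):
        raise SystemExit("token lacks Ti.ReadWrite: grant admin consent and retry")
    # Alert-only indicator on a known good address, mirroring the validation step.
    test = build_indicator("203.0.113.10", "IpAddress", "Alert", "MineMeld connectivity test")
    print(push_indicators(token, [test]))
```

If the token comes back without the Ti.ReadWrite role, the node will authenticate but every push will be rejected, which is the symptom of a missing admin consent rather than a wrong secret. Using an Alert-only action for the test indicator means the browsing check above raises an event in the console without blocking anything on the client.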
You can find out more information about this capability by reading Pushing custom Indicators of Compromise (IoCs) to Microsoft Defender ATP on the Microsoft website.