MineMeld Indicators for Microsoft Defender ATP


This article has been updated to reflect changes to the Azure AD Application registration process and to point users to a new MineMeld output node. The old node will be deprecated.

If you are not familiar with MineMeld, we recommend you start with a Quick Tour.

MineMeld can be used to aggregate multiple threat intelligence feeds and push the resulting indicators to your Windows Defender ATP tenant. Windows Defender ATP can ingest:

  • IPv4 addresses
  • File hashes
  • URLs
  • Domains and FQDNs

There are three steps to connecting MineMeld to Windows Defender ATP:

  1. Create an application in Azure Active Directory. You will grant this application permission scopes on your Windows Defender ATP tenant, and all of the alerts raised by the threat intelligence MineMeld provides will be tied to this application name. The MineMeld Miner will be associated with this application.
  2. Install the Windows Defender extension in MineMeld.
  3. Configure the extension to connect to the Windows Defender ATP tenant.

Azure Active Directory Configuration

  1. Log in to the Azure Portal (portal.azure.com).
  2. Go to Azure Active Directory.
  3. Navigate to Enterprise Applications > App Registrations and click New Application Registration.

[Screenshot: Azure Active Directory.png]

  4. Enter a name for this application. All of the alerts tied to the threat intelligence coming from MineMeld will be attributed to this application name. We recommend calling it "Palo Alto Networks MineMeld" to avoid any confusion.

NOTE: You do not need to set a redirect URI.

[Screenshot: Register an Application.png]

  5. Click Register.
  6. From the Application page, click API Permissions.

[Screenshot: Palo Alto Networks MineMeld.png]

  7. Click Add a Permission.

[Screenshot: API Permissions.png]

  8. Click APIs my organization uses, type “Windows” in the search bar, and select WindowsDefenderATP.

[Screenshot: Request API Permissions.png]

  9. Click Application Permissions, select “Ti.ReadWrite” and then click Add Permissions.

[Screenshot: Add API Permissions.png]

  10. Grant admin consent.

[Screenshot: Grant admin consent.png]

  11. From the Application page, click Certificates and Secrets.

[Screenshot: Certificates and Secrets MineMeld.png]

  12. Click New Client Secret.

[Screenshot: New Client Secret MineMeld.png]

  13. Copy the client secret you created.

[Screenshot: Client Secrets MineMeld.png]

  14. You will also need to copy the Application ID and Directory ID.

[Screenshot: Application ID and Directory ID MineMeld.png]

MineMeld Configuration

  1. In MineMeld, go to SYSTEM and click the Extensions icon.

[Screenshot: MineMeld System.png]

  2. Click the GitHub icon in the lower right-hand corner, copy this link “https://github.com/PaloAltoNetworks/minemeld-wd-atp.git” and paste it into the Repository URL field. Click the dropdown menu for Version, select “master”, then click Install.

[Screenshot: Install Extension from GIT.png]

  3. Click the checkmark to activate the extension.

[Screenshot: minemeld-wd-atp extension.png]

The extension will activate shortly; the empty square signifies that the extension is active.

[Screenshot: minemeld-wd-atp extension active.png]

  4. Go back to the SYSTEM page and restart the API.

NOTE: After the restart completes, make sure you refresh the browser page.

[Screenshot: MineMeld System Restart.png]

Setting Up the Output Node to Complete the Integration

  1. In MineMeld, click CONFIG, then click the Browse Prototype icon.

[Screenshot: MineMeld Config.png]

  2. Type “windows” into the search bar to shorten the list, and select the “microsoft_wd_atp.outputBatch” node.

NOTE: The “microsoft_wd_atp.output” node will be deprecated as it relies on an older API interface. Please do not use that node.

[Screenshot: MineMeld Prototype microsoft_wd_atp.outputBatch.png]

  3. Click Clone at the top right of the page.

[Screenshot: MineMeld Clone.png]

  4. Name the cloned node, add the threat feeds that you want to send to your Windows Defender ATP tenant in the INPUTS nodes section, and then click OK.

NOTE: To understand the concepts of input nodes and what to connect to this node, refer to the MineMeld documentation on LIVEcommunity.

[Screenshot: MineMeld Add Node.png]

  5. Click the COMMIT button in the top left of the CONFIG page.

[Screenshot: MineMeld Commit.png]

  6. Click NODES on the top menu and search for the node you just created. Click the node to pull up its configuration.

[Screenshot: MineMeld Nodes.png]

  7. In the node's Azure AD settings, enter the Client ID (Application ID), Client Secret, and Tenant (Directory) ID you copied earlier when you created the MineMeld application.

NOTE: After this is done, your configuration is complete.

[Screenshot: MineMeld Node Output Batch.png]

Testing

To validate that the integration is hooked up correctly, verify that an event fires when you try to access a blocked website. We recommend you create an indicator for a known-good website for this test, so you are not actively going to a malicious website.

  1. Click NODES at the top and then click ADD INDICATOR.

[Screenshot: MineMeld Test Node Add Indicator.png]

  2. Enter a known IP address as the INDICATOR and add it to the Input node (TYPE) you used to configure your microsoft_wd_atp.outputBatch node. Then click OK.

[Screenshot: MineMeld Add Indicator.png]

  3. Wait for the indicator to be pushed to your Windows Defender ATP tenant. Then, from a client that is running Windows Defender ATP, try to load that URL. You should see an event fire in the Windows Defender ATP console.

[Screenshot: MineMeld Alert in Windows Defender ATP.png]

[Screenshot: Windows Defender Security Center.png]

Additional Information

You can find out more information about this capability by reading Pushing custom Indicator of Compromise (IoCs) to Microsoft Defender ATP on the Microsoft website.
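The four indicator kinds listed at the top of this article, and the known-good test indicator described under Testing, can be exercised offline with the following added example. It is not the MineMeld extension's code: the classification rules are my own, the record field names (indicatorValue, indicatorType, action, title, description) are assumed from the Microsoft indicators API referenced above, and the hash rule is narrowed to SHA256.

```python
"""Added example, not the MineMeld extension's code: sort indicators into the four
kinds the article says Defender ATP ingests and build batch records. Field names
(indicatorValue/indicatorType/action) follow the ATP indicators API as assumed."""
import ipaddress
import re
from urllib.parse import urlparse

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")  # "file hashes", narrowed to SHA256
DOMAIN_RE = re.compile(  # dotted labels of 1-63 chars, alphabetic TLD, 253 chars max
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def classify(value):
    """Return the ATP indicatorType for value, or None if ATP cannot ingest it."""
    v = value.strip()
    try:  # the article lists IPv4 only, so IPv6 is deliberately rejected
        return "IpAddress" if ipaddress.ip_address(v).version == 4 else None
    except ValueError:
        pass
    if SHA256_RE.match(v):
        return "FileSha256"
    if DOMAIN_RE.match(v):
        return "DomainName"
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "Url"
    return None


def build_batch(indicators, title, action="Alert"):
    """One record per supported indicator; unsupported values are returned in
    skipped so the operator sees what was dropped rather than a silent gap."""
    records, skipped = [], []
    for raw in indicators:
        kind = classify(raw)
        if kind is None:
            skipped.append(raw)
            continue
        records.append({"indicatorValue": raw.strip(), "indicatorType": kind,
                        "action": action, "title": title,
                        "description": "Pushed from MineMeld (constructed example)"})
    return records, skipped


if __name__ == "__main__":
    # Constructed sample feed; a real test indicator would be a known-good site.
    sample = ["198.51.100.7", "2001:db8::1", "example.com",
              "https://example.com/test", "a" * 64, "deadbeef"]
    recs, bad = build_batch(sample, title="MineMeld test indicator")
    print(len(recs), "records; skipped:", bad)  # 4 records; skipped: ['2001:db8::1', 'deadbeef']
```

Running the block shows which feed entries the output node can forward and which ones (here the IPv6 address and the malformed hash) would never reach the tenant, which is the first thing to check when a feed syncs but no alert fires.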

Comments
L0 Member

Does anyone have any ideas on how to troubleshoot this?

I have everything configured as it should be, I think, and I'm not seeing any errors. I just don't see any alerts coming through into WDATP when I do my testing.

Anyone have any tips?

**EDIT** - Seems like this was user error, I'd configured the wrong output plugin 🙂

L0 Member

Update: ran pip install adal and then restarted Minemeld and it worked.

I get an error when it tries to load the API. I have no idea what this means:

microsoftWDATPWebui not loadable: adal not installed

Anyone come across this?

I am facing an issue with Setting Up the Output Node to Complete the Integration.

After successfully cloning the git to minemeld:

  • restarted the API
  • refreshed browser
  • clicked on CONFIG, and clicked on the Browse Prototype icon.

Searched 'windows' to find the “microsoft_wd_atp.outputBatch” node but couldn't find it. Only stdlib.aggregatorWindowsRegistryValue PROCESSOR is visible in search results.

L0 Member

I have the same issue as rakeshnarayanan1993, no prototype to select on step 2 of Setting Up the Output Node to Complete the Integration.

I only have this option when typing Windows into the search box:

stdlib.aggregatorWindowsRegistryValue

L1 Bithead

If the extension is correctly installed and you don't see the OutputBatch node in the configuration, please try restarting minemeld from the CLI:

sudo systemctl restart minemeld

Also, please make sure you fully refresh the browser (Ctrl-F5 on Chrome).

L0 Member

That fixed it; the command didn't work, but I rebooted the whole VM, and after it came up I had the needed prototypes. When in doubt reboot I guess, lol. Thanks for your help fvigo.

L2 Linker

Hello Fvigo,

Thanks for your contribution. But I have an issue with the IPs.

Currently I can sync the URL/Domain and SHA256 from Minemeld to MDATP, but only IP doesn't work. The IP list is a local custom IP list. The MINER configuration is as follows:

[Screenshot: 2020-10-02_12-00-49.jpg]

I can successfully OUTPUT the list, but MDATP doesn't work. Both used the same PROCESSOR.

[Screenshot: 2020-10-02_12-06-20.jpg]

L1 Bithead

Hi,

Will this work in a Multitenant setup?

I am thinking about this setting.

[Screenshot: Skjermbilde 2020-11-13 130235.png]

Br

Christopher Hagberg

L0 Member

Hi,

Just installed the extension from the official Github repository, but for some reason when I go to the nodes after cloning the batch output prototype, I don't see the fields to set the client ID, secret and Tenant ID.

Have you already encountered this "bug"?

Last Updated: 10-28-2019 08:44 AM
Updated by: Retired Member