Fetch alerts from MSSP customer tenant

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.

Note

This action is taken by the MSSP.

There are two ways you can fetch alerts:

  • Using the SIEM method
  • Using APIs

Fetch alerts into your SIEM

To fetch alerts into your SIEM system, you'll need to take the following steps:

Step 1: Create a third-party application

Step 2: Get access and refresh tokens from your customer's tenant

Step 3: Allow your application on Microsoft Defender Security Center

Step 1: Create an application in Azure Active Directory (Azure AD)

You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender for Endpoint tenant.

  1. Sign in to the Azure AD portal.

  2. Select Azure Active Directory > App registrations.

  3. Click New registration.

  4. Specify the following values:

    • Name: <Tenant_name> SIEM MSSP Connector (replace Tenant_name with the tenant display name)

    • Supported account types: Accounts in this organizational directory only

    • Redirect URI: Select Web and type https://<domain_name>/SiemMsspConnector (replace <domain_name> with the tenant name)

  5. Click Register. The application is displayed in the list of applications you own.

  6. Select the application, then click Overview.

  7. Copy the value from the Application (client) ID field to a safe place; you will need it in the next step.

  8. Select Certificates & secrets in the new application panel.

  9. Click New client secret.

    • Description: Enter a description for the key.
    • Expires: Select In 1 year
  10. Click Add, then copy the value of the client secret to a safe place; you will need it in the next step.

Step 2: Get access and refresh tokens from your customer's tenant

This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow.

After providing your credentials, you'll need to grant consent to the application so that the application is provisioned in the customer's tenant.

  1. Create a new folder and name it MsspTokensAcquisition.

  2. Download the LoginBrowser.psm1 module and save it in the MsspTokensAcquisition folder.

    Note

    In line 30, replace authorzationUrl with authorizationUrl.

  3. Create a file with the following content and save it with the name MsspTokensAcquisition.ps1 in the folder:

    param (
        [Parameter(Mandatory=$true)][string]$clientId,
        [Parameter(Mandatory=$true)][string]$secret,
        [Parameter(Mandatory=$true)][string]$tenantId
    )
    # Force TLS 1.2 for the calls to the Azure AD endpoints
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    
    # Load our Login Browser Function
    Import-Module .\LoginBrowser.psm1
    
    # Configuration parameters
    $login = "https://login.microsoftonline.com"
    # The redirect URI must match one registered on the application in Step 1,
    # otherwise Azure AD rejects the authorization request
    $redirectUri = "https://SiemMsspConnector"
    # Resource the tokens are issued for (Azure AD Graph)
    $resourceId = "https://graph.windows.net"
    
    Write-Host 'Prompt the user for his credentials, to get an authorization code'
    $authorizationUrl = ("{0}/{1}/oauth2/authorize?prompt=select_account&response_type=code&client_id={2}&redirect_uri={3}&resource={4}" -f
                        $login, $tenantId, $clientId, $redirectUri, $resourceId)
    Write-Host "authorizationUrl: $authorizationUrl"
    
    # Fake a proper endpoint for the Redirect URI: LoginBrowser opens the sign-in page,
    # intercepts the redirect and returns the authorization code from its query string
    $code = LoginBrowser $authorizationUrl $redirectUri
    
    # Acquire token using the authorization code (confidential client: the client secret
    # is sent together with the code)
    $Body = @{
        grant_type = 'authorization_code'
        client_id = $clientId
        code = $code
        redirect_uri = $redirectUri
        resource = $resourceId
        client_secret = $secret
    }
    
    $tokenEndpoint = "$login/$tenantId/oauth2/token"
    $Response = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $Body
    $token = $Response.access_token
    $refreshToken = $Response.refresh_token
    
    # Both tokens are written to the console in clear text; they are bearer credentials
    # for the customer's tenant, so treat the console output (and any transcript) as secret
    Write-Host " -----------------------------------  TOKEN ---------------------------------- "
    Write-Host $token
    
    Write-Host " -----------------------------------  REFRESH TOKEN ---------------------------------- "
    Write-Host $refreshToken
    
  4. Open an elevated PowerShell command prompt in the MsspTokensAcquisition folder.

  5. Run the following command: Set-ExecutionPolicy -ExecutionPolicy Bypass

  6. Enter the following command: .\MsspTokensAcquisition.ps1 -clientId <client_id> -secret <app_key> -tenantId <customer_tenant_id>

    • Replace <client_id> with the Application (client) ID you got from the previous step.
    • Replace <app_key> with the client secret you created in the previous step.
    • Replace <customer_tenant_id> with your customer's Tenant ID.
  7. You'll be asked to provide your credentials and consent. Ignore the page redirect.

  8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector.
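The refresh token saved in step 8 is what the SIEM connector later redeems for new access tokens. The following script is an added example, not part of the original article or of Microsoft's LoginBrowser module: it exchanges that refresh token at the same Azure AD v1 token endpoint the acquisition script uses, reports when the new access token expires, surfaces the error body Azure AD returns when the grant is rejected, and flags a rotated refresh token that must replace the stored one. It assumes the Application (client) ID and client secret from Step 1, the customer's tenant ID, and the refresh token printed by MsspTokensAcquisition.ps1; the function names Get-JwtPayload and Get-AccessTokenFromRefreshToken are this example's own.

```powershell
# Added example (not from the original article): redeem a saved refresh token for a
# new access token and inspect the result. Inputs are assumed to be the values
# produced in Step 1 and Step 2 of the procedure.
param (
    [Parameter(Mandatory=$true)][string]$clientId,
    [Parameter(Mandatory=$true)][string]$secret,
    [Parameter(Mandatory=$true)][string]$tenantId,
    [Parameter(Mandatory=$true)][string]$refreshToken
)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$login         = "https://login.microsoftonline.com"
$resourceId    = "https://graph.windows.net"   # same resource the tokens were issued for
$tokenEndpoint = "$login/$tenantId/oauth2/token"

# Decode a JWT payload WITHOUT validating it. This only reads client-side claims such
# as 'exp' and 'aud'; it is not a substitute for signature validation by the API.
function Get-JwtPayload {
    param([Parameter(Mandatory=$true)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -lt 2) { throw "Value is not a JWT" }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')   # base64url -> base64
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    return [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

# Refresh-token grant: the confidential client sends its secret together with the
# refresh token, so the secret must still be current when the connector runs.
function Get-AccessTokenFromRefreshToken {
    param(
        [Parameter(Mandatory=$true)][string]$ClientId,
        [Parameter(Mandatory=$true)][string]$ClientSecret,
        [Parameter(Mandatory=$true)][string]$RefreshToken
    )
    $body = @{
        grant_type    = 'refresh_token'
        client_id     = $ClientId
        client_secret = $ClientSecret
        refresh_token = $RefreshToken
        resource      = $resourceId
    }
    try {
        return Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $body
    }
    catch {
        # A rejected grant comes back as HTTP 400 with a JSON body whose 'error' is
        # typically invalid_grant (refresh token expired or revoked) or invalid_client
        # (wrong or rotated secret). Show that body instead of the bare HTTP error.
        $detail = $_.ErrorDetails.Message
        if (-not $detail) { $detail = $_.Exception.Message }
        throw "Token refresh failed: $detail"
    }
}

$response = Get-AccessTokenFromRefreshToken -ClientId $clientId -ClientSecret $secret -RefreshToken $refreshToken
$claims   = Get-JwtPayload -Jwt $response.access_token
$expires  = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime

# Report audience and expiry only; the access token itself is a bearer credential
# and is deliberately not written to the console here.
Write-Host ("Access token for audience {0} expires at {1:u} (in {2} s)" -f $claims.aud, $expires, $response.expires_in)

# Azure AD may issue a new refresh token with each refresh. When it does, the stored
# one should be replaced, since the old token may stop working once its lifetime ends.
if ($response.refresh_token) {
    Write-Host "A new refresh token was issued; replace the stored one with it."
}
```

Run it from the same folder as the acquisition script, for example .\RefreshToken.ps1 -clientId <client_id> -secret <app_key> -tenantId <customer_tenant_id> -refreshToken <refresh_token>. Checking the aud claim confirms the token was issued for the resource the connector expects, and the exp claim tells the connector when the next refresh is due rather than waiting for a 401 from the API.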

Step 3: Allow your application on Microsoft Defender Security Center

You'll need to allow the application you created in Microsoft Defender Security Center.

You'll need to have the Manage portal system settings permission to allow the application. Otherwise, you'll need to request your customer to allow the application for you.

  1. Go to https://securitycenter.windows.com?tid=<customer_tenant_id> (replace <customer_tenant_id> with the customer's tenant ID).

  2. Click Settings > SIEM.

  3. Select the MSSP tab.

  4. Enter the Application ID from the first step and your Tenant ID.

  5. Click Authorize application.

You can now download the relevant configuration file for your SIEM and connect to the Defender for Endpoint API. For more information, see Pull alerts to your SIEM tools.

  • In the ArcSight configuration file / Splunk Authentication Properties file, write your application key manually by setting the secret value.
  • Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means).

Fetch alerts from MSSP customer's tenant using APIs

For information on how to fetch alerts using the REST API, see Pull alerts using REST API.

See also