Windows Defender ATP Integration with Palo Alto Wildfire

If you leverage Palo Alto Wildfire and Windows Defender ATP, Microsoft developed a PowerShell script that will export the events from your firewalls or Panorama and upload them to the Windows Defender ATP security console.

The first item to take care of is setting up the API to push and pull alerts from Windows Defender ATP. https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/wdatp-api-hello-world-or-using-a-simple-powershell-script-to/bc-p/362899#M278

You will need to have rights to create an application in Azure and have an Admin approve the rights to access the Windows Defender APIs. You will also need to set up a PowerShell script to pull down the API token.

The next step is to set up the script to pull alerts from the firewall and push them to Windows Defender ATP.

You can download the script here: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/palo-alto-networks-and-wdatp-ad-hoc-integration/m-p/375077

The script will need to be modified because the Advanced hunting schema has changed since it was written.

The following items need to be modified: MachineId needs to be changed to DeviceId, EventTime needs to be changed to Timestamp, and NetworkCommunicationEvents needs to be changed to DeviceNetworkEvents.

Once you make those modifications, the script will work, and when Wildfire flags a machine accessing something that might be malicious, it will show up in the Windows Defender console.
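As an added example (not the Tech Community script itself), the PowerShell helper below applies the three schema renames with whole-word matching and then checks that none of the legacy names survive; the sample query is constructed for illustration, and the file path in the trailing comment is an assumption.

```powershell
# Added example, not the script from the Tech Community post: rename the old
# Advanced hunting schema identifiers to their current names. Whole-word matching
# leaves identifiers that merely contain the old text (or already-migrated names) intact.
$SchemaRenames = [ordered]@{
    'NetworkCommunicationEvents' = 'DeviceNetworkEvents'
    'MachineId'                  = 'DeviceId'
    'EventTime'                  = 'Timestamp'
}

function Convert-AdvancedHuntingSchema {
    param([Parameter(Mandatory)][string]$Text)
    foreach ($old in $SchemaRenames.Keys) {
        $Text = [regex]::Replace($Text, "\b$old\b", $SchemaRenames[$old])
    }
    return $Text
}

# Constructed sample in the shape of the query the integration script sends to the
# Advanced hunting API (RemoteUrl and RemoteIP are columns of DeviceNetworkEvents).
$OldQuery = @'
NetworkCommunicationEvents
| where EventTime > ago(7d)
| where RemoteUrl contains "example.invalid"
| project EventTime, MachineId, RemoteIP, RemoteUrl
'@

$NewQuery = Convert-AdvancedHuntingSchema -Text $OldQuery
Write-Host "--- migrated query ---"
Write-Host $NewQuery

# Check: no legacy identifiers should remain after the migration
$leftover = @($SchemaRenames.Keys | Where-Object { $NewQuery -match "\b$_\b" })
if ($leftover.Count) { Write-Warning "Legacy names still present: $($leftover -join ', ')" }
else { Write-Host "No legacy schema names remain." }

# To migrate the downloaded script itself (path is an assumption, adjust to your copy):
# $src = Get-Content -Path 'C:\WDATP\PaloAlto-WDATP.ps1' -Raw
# Convert-AdvancedHuntingSchema -Text $src |
#     Set-Content -Path 'C:\WDATP\PaloAlto-WDATP.migrated.ps1' -Encoding UTF8
```

Review the migrated copy before running it, since the rename covers only the three identifiers named in this post.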

I struggled with this script until I realized that the schema had changed, and I thought I would share what I did to save others from the frustration I had.

You can find details about the schema change here: Advanced hunting data schema changes - Microsoft Tech Community

TBJ Consulting