You can create a normalization policy in a Fabric-enabled LogPoint using the NormalizationPolicy - Create API.
Endpoint URL:
https://api-server-host-name/configapi/{pool_UUID}/{logpoint_identifier}/NormalizationPolicy
Method:
POST
Parameters:
| FIELD | LABEL IN UI | TYPE | DESCRIPTION | Required |
|---|---|---|---|---|
| name | Policy Name | String | Name for the normalization policy. | Mandatory |
| compiled_normalizer | Compiled Normalizer | String | Name of the compiled normalizer. Value must be "MicrosoftDefenderATPCompiledNormalizer". Use this compiled normalizer to normalize the event logs from an AMP for Endpoints deployment. | Mandatory |
Request Example:
```json
{
  "data": {
    "name": "MicrosoftDefenderATP_Norm_Policy",
    "compiled_normalizer": "MicrosoftDefenderATPCompiledNormalizer",
    "norm_packages": ""
  }
}
```
Success Response:
```json
{
  "status": "Success",
  "message": "monitorapi/{pool_UUID}/{logpoint_identifier}/orders/{request_id}"
}
```
You can configure the Microsoft Defender ATP Fetcher in a Fabric-enabled LogPoint using the PluginConfiguration - Create API.
Endpoint URL:
https://api-server-host-name/configapi/{pool_UUID}/{logpoint_identifier}/PluginConfiguration/MicrosoftDefenderATPFetcher
Method:
POST
Parameters:
| FIELD | LABEL IN UI | TYPE | DESCRIPTION | Required |
|---|---|---|---|---|
| fetch_interval | Fetch Interval (minutes) | Integer | Fetch interval in minutes. | Mandatory |
| charset | Charset | String | Existing LogPoint charset. Obtain the value of the required charset using the Charsets - List API. | Mandatory |
| processpolicy | Processing Policy | String | Processing policy ID. Obtain the value of the processing policy that includes the previously created normalization policy using the ProcessingPolicy - List API. | Mandatory |
| client_id | Client ID | String | Application ID provided by the Azure Active Directory to the registered clients. | Mandatory |
| client_secret | Client Secret | String | Secret password created for the application. | Mandatory |
| authorization_server_url | Authorization server URL | String | Azure Active Directory Authorization server URL. | Mandatory |
| events_url | Events URL | String | Events URL from which the application pulls the events. | Mandatory |
| device_id | Device ID | String | Device ID. Use the value of the ID parameter of the localhost device from the Devices - List API. | Mandatory |
| st_proxy | Proxy Configuration | json | Proxy configuration of the Microsoft Defender ATP server: `status`: enables or disables the proxy server; `IP`: IP of the proxy server; `port`: port of the proxy server; `protocol`: "HTTP" or "HTTPS" protocol used by the proxy server. | Mandatory |
Request Example:
```json
{
  "data": {
    "authorization_url": "https://login.microsoftonline.com/{tenantid}/oauth2/token",
    "charset": "utf_8",
    "client_id": "test",
    "client_secret": "test",
    "events_url": "https://wdatp-alertexporter-eu.windows.com/api/alerts",
    "fetch_interval": 2,
    "proxy": {
      "status": true,
      "port": 80,
      "ip": "192.168.1.1",
      "protocol": "http"
    },
    "processpolicy": "test",
    "device_id": "test"
  }
}
```
Success Response:
```json
{
  "status": "Success",
  "message": "monitorapi/{pool_UUID}/{logpoint_identifier}/orders/{request_id}"
}
```
You can edit a Microsoft Defender ATP Fetcher configuration in a Fabric-enabled LogPoint using the PluginConfiguration - Edit API.
Endpoint URL:
https://api-server-host-name/configapi/{pool_UUID}/{logpoint_identifier}/PluginConfiguration/MicrosoftDefenderATPFetcher/{id}
Method:
PUT
Parameters:
| FIELD | LABEL IN UI | TYPE | DESCRIPTION | Required |
|---|---|---|---|---|
| fetch_interval | Fetch Interval (minutes) | Integer | Interval between consecutive fetches, in minutes. | Mandatory |
| charset | Charset | String | Existing LogPoint charset. Obtain the value of the required charset using the Charsets - List API. | Mandatory |
| processpolicy | Processing Policy | String | Processing policy ID. Obtain the value of the processing policy that includes the previously created normalization policy using the ProcessingPolicy - List API. | Mandatory |
| client_id | Client ID | String | Application ID provided by the Azure Active Directory to the registered clients. | Mandatory |
| client_secret | Client Secret | String | Secret password created for the application. | Mandatory |
| authorization_server_url | Authorization server URL | String | Azure Active Directory Authorization server URL. | Mandatory |
| events_url | Events URL | String | Events URL. | Mandatory |
| device_id | Device ID | String | Device ID. Use the value of the ID parameter of the localhost device from the Devices - List API. | Mandatory |
| st_proxy | Proxy Configuration | json | Proxy configuration of the Microsoft Defender ATP server: `status`: enables or disables the proxy server; `IP`: IP of the proxy server; `port`: port of the proxy server; `protocol`: "HTTP" or "HTTPS" protocol used by the proxy server. | Mandatory |
| id | – | String | Microsoft Defender ATP Fetcher UUID. Obtain the UUID of the required Microsoft Defender ATP Fetcher configuration using the Devices - List API. | Mandatory |
Request Example:
```json
{
  "data": {
    "authorization_url": "https://login.microsoftonline.com/{tenantid}/oauth2/token",
    "charset": "utf_8",
    "client_id": "test",
    "client_secret": "test",
    "events_url": "https://wdatp-alertexporter-eu.windows.com/api/alerts",
    "fetch_interval": 2,
    "proxy": {
      "status": true,
      "port": 80,
      "ip": "192.168.1.1",
      "protocol": "http"
    },
    "processpolicy": "test",
    "device_id": "test"
  }
}
```
Success Response:
```json
{
  "status": "Success",
  "message": "monitorapi/{pool_UUID}/{logpoint_identifier}/orders/{request_id}"
}
```
You can delete a Microsoft Defender ATP Fetcher configuration in a Fabric-enabled LogPoint using the PluginConfiguration - Trash API.
Endpoint URL:
https://api-server-host-name/configapi/{pool_UUID}/{logpoint_identifier}/PluginConfiguration/MicrosoftDefenderATPFetcher/{id}
Method:
DELETE
Parameters:
| FIELD | LABEL IN UI | TYPE | DESCRIPTION | Required |
|---|---|---|---|---|
| id | – | String | Microsoft Defender ATP Fetcher UUID. Obtain the UUID of the required Microsoft Defender ATP Fetcher configuration using the Devices - List API. | Mandatory |
Success Response:
```json
{
  "status": "Success",
  "message": "monitorapi/{pool_UUID}/{logpoint_identifier}/orders/{request_id}"
}
```
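The create, edit and delete calls above, as an added example (not LogPoint's own client code): a small Python client that builds the request bodies shown on this page, takes the client secret as an argument instead of embedding it, checks for the `Success` status and returns the request id from the response message. The transport is injectable so it can be exercised offline; the host, pool UUID, identifier, the authentication headers for the config API, and the substitution of tenant and region into the two Microsoft URLs are assumptions.

```python
import json
from urllib import request

FETCHER = "PluginConfiguration/MicrosoftDefenderATPFetcher"
# Body keys from this page's request example (its parameter table names two differently).
REQUIRED = {"fetch_interval", "charset", "processpolicy", "client_id", "client_secret",
            "authorization_url", "events_url", "device_id", "proxy"}

def urllib_transport(method, url, body, headers):  # HTTPS; urllib verifies the certificate
    req = request.Request(url, data=body, method=method, headers=headers)
    with request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())

def fetcher_config(client_id, client_secret, tenant_id, processpolicy, device_id, proxy,
                   fetch_interval=2, charset="utf_8", region="eu"):
    """Fetcher body laid out as in the page's example; the secret is passed in, not hard-coded."""
    if proxy["status"] and proxy["protocol"].lower() not in ("http", "https"):
        raise ValueError("proxy protocol must be http or https")
    return {  # substituting tenant_id/region into the two URLs is an assumption
        "authorization_url": f"https://login.microsoftonline.com/{tenant_id}/oauth2/token",
        "charset": charset, "client_id": client_id, "client_secret": client_secret,
        "events_url": f"https://wdatp-alertexporter-{region}.windows.com/api/alerts",
        "fetch_interval": fetch_interval, "proxy": proxy,
        "processpolicy": processpolicy, "device_id": device_id}

class ConfigApi:
    def __init__(self, host, pool_uuid, logpoint_id, auth_headers, transport=urllib_transport):
        self.base = f"https://{host}/configapi/{pool_uuid}/{logpoint_id}/"
        self.headers = {"Content-Type": "application/json", **auth_headers}  # auth: assumed
        self.transport = transport

    def _call(self, method, path, data=None):
        body = json.dumps({"data": data}).encode() if data is not None else None
        reply = self.transport(method, self.base + path, body, self.headers)
        if reply.get("status") != "Success":
            raise RuntimeError(f"{method} {path} failed: {reply}")
        return reply["message"].rsplit("/", 1)[-1]  # request_id from .../orders/{request_id}

    def create_norm_policy(self, name):
        return self._call("POST", "NormalizationPolicy", {"name": name, "norm_packages": "",
                          "compiled_normalizer": "MicrosoftDefenderATPCompiledNormalizer"})

    def create_fetcher(self, cfg):
        if missing := REQUIRED - set(cfg):
            raise ValueError(f"missing fields: {sorted(missing)}")
        return self._call("POST", FETCHER, cfg)
    def edit_fetcher(self, fetcher_id, cfg):
        return self._call("PUT", f"{FETCHER}/{fetcher_id}", cfg)
    def delete_fetcher(self, fetcher_id):
        return self._call("DELETE", f"{FETCHER}/{fetcher_id}")
```

The returned request id is the last path segment of the `orders/{request_id}` message, which is what you would poll on the monitor API to confirm the order was applied.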