DATP-to-EIQ is a simple Python script that will:
- connect to your Windows Defender ATP and Microsoft Security Center instances;
- download all events that occurred within the given time window;
- import them into your EclecticIQ instance as Sighting or Incident entities.
For configuration options, refer to the settings.py.sample file in the config directory.
- Python 3
- EIQlib module (https://github.com/KPN-CISO/eiqlib)
- Microsoft Azure AD, Defender ATP API access (with SIEM connector permissions)
- Graph API credentials to generate Graph API tokens
- An EclecticIQ account (user+pass) and EIQ 'Source' token
- Clone the repository
- Rename the
settings.py.samplefile in theconfigdirectory tosettings.py - Edit the settings in the
settings.pyfile to reflect your environment - Run ./datp_to_eiq.py -h for help/options
Running ./datp-to-eiq.py with -h will display help:
-v / --verbose will display progress/error info
-s / --simulate do not actually ingest anything into EclecticIQ, just pretend (useful with -v)
-d / --duplicate do not update the existing entity in EclecticIQ, but create duplicates (default: disabled)
(c) 2020 Arnim Eijkhoudt
This software is GPLv3 licensed, except where otherwise indicated.