Fixing Sudden Loss of SIEM Synchronization with Windows Defender ATP
If you suddenly came up with a surprise message from your SIEM solution suggesting “unable able to generate an access token and retries have been exceeded.”, with your API connection to Windows Defender ATP, you are not alone. You may have also received an error when attempting to manually generate tokens on the Windows Defender ATP configuration page for SIEM connectivity.
This seems to stem from a surprise removal or expiration of the secret key related to the API connector. While I don’t recall a change announcement being made regarding this, here’s how you can fix this error.
- Log in to the Azure Active Directory Console using a Global Administrator account.
- Click on App Registrations.
- On the App Registrations page, click on All Applications.
- Under All Applications, search for WindowsDefenderATPSiemConnector and click on it to open the overview page for the app.
- On the overview page, look on the left-hand menu for, and click on, Certificates & Secrets.
- On the Certificates & Secrets page, navigate to the Client Secrets section. It likely contains no secrets! 🙁
- Click on the New Client Secret button.
- Provide a name in the description, and leave the expiration at the recommendation of 6 months (which I agree with), or to what works for your business. Click Add when done.
- The new secret you just created should now be shown in the client secrets section, under the value column. Copy that and paste it into your SIEM, or on the SIEM configuration page for Windows Defender ATP to test the generation of tokens.
That’s all you need to do in order to fix this issue. Also, be sure you set yourself a reminder that you need to follow this process every 6 months or whatever you set the expiration to!