Syntax Bearror

Fixing Sudden Loss of SIEM Synchronization with Windows Defender ATP

By Christopher
May 6, 2021

If your SIEM solution suddenly reports “unable able to generate an access token and retries have been exceeded.” for its API connection to Windows Defender ATP, you are not alone. You may also have received an error when attempting to manually generate tokens on the Windows Defender ATP configuration page for SIEM connectivity.

This seems to stem from a surprise removal or expiration of the secret key related to the API connector. While I don’t recall a change announcement being made regarding this, here’s how you can fix this error.

    1. Log in to the Azure Active Directory Console using a Global Administrator account.
    2. Click on App Registrations.
    3. On the App Registrations page, click on All Applications.
    4. Under All Applications, search for WindowsDefenderATPSiemConnector and click on it to open the overview page for the app.
    5. On the overview page, look on the left-hand menu for, and click on, Certificates & Secrets.
    6. On the Certificates & Secrets page, navigate to the Client Secrets section. It likely contains no secrets! 🙁
    7. Click on the New Client Secret button.
    8. Provide a name in the description, and leave the expiration at the recommended 6 months (which I agree with), or set it to what works for your business. Click Add when done.
    9. The new secret you just created should now be shown in the Client Secrets section, under the Value column. Copy that value and paste it into your SIEM, or into the SIEM configuration page for Windows Defender ATP, to test the generation of tokens.

That’s all you need to do in order to fix this issue. Also, be sure you set yourself a reminder that you need to follow this process every 6 months or whatever you set the expiration to!
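The reminder above can be turned into a scheduled check. The PowerShell below is an added example, not part of the original article: it takes the `passwordCredentials` entries of an app registration and flags a missing, expired, or soon-to-expire client secret. The function name, the 30-day warning window, and the sample secret are assumptions made for illustration.

```powershell
# Added example (not from the original article): client-secret expiry check.
# Input objects follow the Microsoft Graph application resource's
# passwordCredentials entries (displayName, endDateTime).
function Get-ClientSecretStatus {
    param(
        [Parameter(Mandatory)] [string] $AppName,
        [object[]] $PasswordCredentials,      # may be empty or $null
        [int] $WarnDays = 30,                 # assumed warning window
        [datetime] $Now = (Get-Date)
    )
    $nowUtc = $Now.ToUniversalTime()

    # The state found in step 6: the app registration has no client secret.
    if (-not $PasswordCredentials) {
        return [pscustomobject]@{
            App = $AppName; Secret = $null; Expires = $null
            DaysLeft = $null; Status = 'NO_SECRET'
        }
    }

    foreach ($cred in $PasswordCredentials) {
        $end      = ([datetime]$cred.endDateTime).ToUniversalTime()
        $daysLeft = [math]::Floor(($end - $nowUtc).TotalDays)
        if ($end -le $nowUtc) {
            $status = 'EXPIRED'
        } elseif ($daysLeft -le $WarnDays) {
            $status = 'EXPIRING'
        } else {
            $status = 'OK'
        }
        [pscustomobject]@{
            App = $AppName; Secret = $cred.displayName; Expires = $end
            DaysLeft = $daysLeft; Status = $status
        }
    }
}

# Constructed sample: one secret created with a 6-month lifetime.
$sample = @([pscustomobject]@{ displayName = 'siem-connector'; endDateTime = '2021-11-06T00:00:00Z' })
$app = 'WindowsDefenderATPSiemConnector'
Get-ClientSecretStatus -AppName $app -PasswordCredentials $sample -Now ([datetime]'2021-10-20T00:00:00Z')
Get-ClientSecretStatus -AppName $app -PasswordCredentials @()

# Live data (requires the Microsoft.Graph PowerShell module):
#   Connect-MgGraph -Scopes 'Application.Read.All'
#   $reg = Get-MgApplication -Filter "displayName eq '$app'"
#   Get-ClientSecretStatus -AppName $app -PasswordCredentials $reg.PasswordCredentials
```

The check reads only secret metadata (name and expiry), so it can run under a read-only scope; alert on any status other than `OK`.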

I’ve also made versions for inclusion into your team’s KB system or handbook. PDF version / Word version


Christopher

Christopher Clai is a Senior Security Engineer, IT Generalist, and Developer from Chicago, IL with over 20 years of experience in Information Technology ranging from small businesses to Fortune 500's. Chris loves the Pacific Northwest, Sushi, Invader Zim, Rugby, World of Warcraft, raves, and is an avid user of Microsoft and Linux-based technologies.

Copyright Statement

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
©2014 - 2021 - SyntaxBearror.io. All rights reserved unless otherwise noted.