SCOM, OMS and Windows Defender Advanced Threat Protection – How to make it work!

Azure Security Center / Monitoring gives you a good way to get insight into your security status by collecting information from both on-prem servers/agents and objects in Azure (DBs, VMs etc.). One of the features of the security platform is a fairly intelligent service called WDATP (Windows Defender Advanced Threat Protection); it handles detection, investigation, and response for issues found on the individual objects/servers/agents that you monitor.
More info: https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp

One of my customers needed to cover two goals for the implementation:

  • All agents must be connected to both an internal SCOM management group and Windows Defender Advanced Threat Protection
  • All traffic to the Windows Defender ATP service must go through an OMS Gateway server

The Path to make it work

Begin by downloading the OMS Gateway from Microsoft and installing it; select a port (default TCP 8080) and check the gateway's new event log for any errors.

Install the SCOM agent on the gateway server and configure it with the correct WorkspaceID and WorkspaceKey. Do not continue until the gateway shows up in the OMS console.

The Issue:

When we began to onboard clients, nothing went through to WDATP, and an error showed up in the event log. So this is what we did to fix it:

And the Fix:

Still on the OMS Gateway, and before you onboard any clients, you must enable the allowed-host whitelist with the following commands (the gateway only forwards traffic to hosts on this list, so the WDATP endpoints and your workspace endpoints must be added):

  • Add-OMSGatewayAllowedHost -Host "winatp-gw-cus.microsoft.com"
  • Add-OMSGatewayAllowedHost -Host "winatp-gw-eus.microsoft.com"
  • Add-OMSGatewayAllowedHost -Host "winatp-gw-weu.microsoft.com"
  • Add-OMSGatewayAllowedHost -Host "[WorkspaceID].ods.opinsights.azure.com"
  • Add-OMSGatewayAllowedHost -Host "[WorkspaceID].oms.opinsights.azure.com"

Run Get-OMSGatewayAllowedHost to confirm that all five hosts are listed, and check the gateway's event log for any errors.
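The same gateway-side steps as one script, added here as an example rather than code from the original post. It is meant to be run in an elevated PowerShell session on the OMS Gateway server. It assumes the OMSGateway module that ships with the gateway provides Add-OMSGatewayAllowedHost and Get-OMSGatewayAllowedHost, that the gateway service is named OMSGatewayService, and that the gateway writes to an event log named "OMS Gateway Log"; the WorkspaceID is a placeholder you replace with your own. The last function is a heuristic that pulls host names out of the gateway's error events, which is how you can see which endpoints an agent actually tried to reach before you whitelist them.

```powershell
# Added example, not from the original post. Run elevated on the OMS Gateway server.
Import-Module OMSGateway   # assumption: module name as installed with the gateway

$WorkspaceID = '<WorkspaceID>'   # placeholder: your Log Analytics workspace ID (GUID)

# Endpoints named in the post: three WDATP regional gateways plus the
# workspace's own ODS and OMS endpoints. The gateway forwards to nothing else.
$AllowedHosts = @(
    'winatp-gw-cus.microsoft.com',
    'winatp-gw-eus.microsoft.com',
    'winatp-gw-weu.microsoft.com',
    "$WorkspaceID.ods.opinsights.azure.com",
    "$WorkspaceID.oms.opinsights.azure.com"
)

# Returns the hosts from $Expected that are NOT on the gateway's current list.
# The list is compared as text so this works whatever object type the cmdlet returns.
function Get-MissingAllowedHost {
    param([string[]]$Expected)
    $current = (Get-OMSGatewayAllowedHost | Out-String)
    $Expected | Where-Object { $current -notmatch [regex]::Escape($_) }
}

# Add only the hosts that are missing, so the script can be re-run safely.
foreach ($h in (Get-MissingAllowedHost -Expected $AllowedHosts)) {
    Write-Host "Adding allowed host: $h"
    Add-OMSGatewayAllowedHost -Host $h
}

# The gateway reads its allowed-host list at start-up, so restart it after changes.
Restart-Service -Name 'OMSGatewayService'   # assumption: service name

# Verify: anything still missing here means the whitelist is incomplete.
$stillMissing = Get-MissingAllowedHost -Expected $AllowedHosts
if ($stillMissing) {
    Write-Warning "Hosts still missing from the allowed list: $($stillMissing -join ', ')"
} else {
    Write-Host 'All expected hosts are on the allowed list.'
}

# Pull the gateway's recent Critical/Error events (Level 1 and 2).
function Get-GatewayError {
    param([int]$Minutes = 30)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'OMS Gateway Log'           # assumption: log name created by the gateway
        Level     = 1, 2
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue             # Get-WinEvent throws when nothing matches
}

# Heuristic: extract any microsoft.com / azure.com host names mentioned in those
# errors. When an agent behind the gateway talks to an endpoint that is not on the
# allowed list, the rejected host name shows up here, which tells you what to add.
function Get-BlockedHostName {
    $pattern = '[a-z0-9.-]+\.(?:microsoft\.com|azure\.com)'
    Get-GatewayError | ForEach-Object {
        [regex]::Matches($_.Message, $pattern, 'IgnoreCase') | ForEach-Object { $_.Value.ToLower() }
    } | Sort-Object -Unique
}

Get-GatewayError | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
Get-BlockedHostName
```

Run it once before onboarding agents and again after the first agent has tried to connect; the second run is where Get-BlockedHostName earns its keep, because any host it lists that is not in $AllowedHosts is traffic the gateway is dropping.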

If you want to check the names of your own connections to the OMS hosts, onboard one agent through the gateway using the following commands (values in [brackets] are placeholders for your own workspace and gateway):

  • $WorkspaceID = "[WorkspaceID]"
  • $WorkspaceKey = "[WorkspaceKey]"
  • $mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
  • $mma.AddCloudWorkspace($WorkspaceID, $WorkspaceKey)
  • $mma.SetProxyUrl("http://[ProxyFQDN or IP address]:[port]")
  • $mma.ReloadConfiguration()
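The agent-side onboarding as one script that also verifies the result, added here as an example and not taken from the original post. It runs in an elevated PowerShell session on the agent and assumes the Microsoft Monitoring Agent is installed, since that is what registers the AgentConfigManager.MgmtSvcCfg COM object. The workspace ID, key and gateway URL are placeholders; the property names read back from the COM object (workspaceId, ConnectionStatusText, proxyUrl) are assumed from the agent's COM API, and the event log checked at the end is the agent's "Operations Manager" log.

```powershell
# Added example, not from the original post. Run elevated on the agent.
$WorkspaceID  = '<WorkspaceID>'                  # placeholder
$WorkspaceKey = '<WorkspaceKey>'                 # placeholder
$GatewayUrl   = 'http://<OMSGatewayFQDN>:8080'   # placeholder; port chosen at gateway install

$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'

# Set the proxy BEFORE adding the workspace, so the very first registration call
# already goes through the gateway instead of trying the internet directly.
$mma.SetProxyUrl($GatewayUrl)

# Returns the configured workspace object for $Id, or $null if it is not configured.
function Get-ConfiguredWorkspace {
    param([string]$Id)
    $mma.GetCloudWorkspaces() | Where-Object { $_.workspaceId -eq $Id }   # assumption: property name
}

# Add the workspace only if it is not already there, so the script is safe to re-run.
if (-not (Get-ConfiguredWorkspace -Id $WorkspaceID)) {
    $mma.AddCloudWorkspace($WorkspaceID, $WorkspaceKey)
}
$mma.ReloadConfiguration()

# Verify what the agent now believes: workspace present, connection state, proxy in use.
$ws = Get-ConfiguredWorkspace -Id $WorkspaceID
[pscustomobject]@{
    WorkspaceId      = $ws.workspaceId
    ConnectionStatus = $ws.ConnectionStatusText   # assumption: property name
    ProxyUrl         = $mma.proxyUrl              # assumption: property name
}

# Any Critical/Error events from the Health Service in the last 15 minutes point at
# a workspace or gateway problem; with a complete allowed-host list there should be none.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Operations Manager'
    Level     = 1, 2
    StartTime = (Get-Date).AddMinutes(-15)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message | Format-Table -Wrap
```

If ConnectionStatus does not become healthy within a few minutes, look at the gateway's own event log next: the host names in its errors are the endpoints this agent is trying to reach that the gateway is not yet allowed to forward to.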

Enable the OMS proxy on the agents:

Either override the following rule in SCOM: "Health Service/Advisor Proxy Setting Rule", or change the OMS Gateway for all your agents with the "SCOM Management Properties and Tasks Pack for Agents and Server Roles" from Kevin Holman (https://gallery.technet.microsoft.com/SCOM-Agent-Management-b96680d5).

See you

Kåre
