https://community.splunk.com/t5/Security/Sending-On-Prem-Windows-Defender-AV-DATA-to-On-Splunk/m-p/559336#M12409 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234967">@tarungupta0311</a>&nbsp;other one here - little outdated -&nbsp;<A href="https://splunkbase.splunk.com/app/3734/" target="_blank">TA for Microsoft Windows Defender | Splunkbase</A></P> Wed, 14 Jul 2021 02:20:06 GMT venkatasri 2021-07-14T02:20:06Z https://community.splunk.com/t5/Security/Sending-On-Prem-Windows-Defender-AV-DATA-to-On-Splunk/m-p/559334#M12407 <P>How to send&nbsp;On-Prem Windows Defender AV DATA to On Splunk</P> Wed, 14 Jul 2021 02:04:39 GMT https://community.splunk.com/t5/Security/Sending-On-Prem-Windows-Defender-AV-DATA-to-On-Splunk/m-p/559334#M12407 tarungupta0311 2021-07-14T02:04:39Z https://community.splunk.com/t5/Security/Sending-On-Prem-Windows-Defender-AV-DATA-to-On-Splunk/m-p/559335#M12408 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234967">@tarungupta0311</a>&nbsp;</P><P>Have you tried this add-on&nbsp;<A href="https://splunkbase.splunk.com/app/5038/#/details" target="_blank">Add-on for Microsoft Defender ATP Known As Windows Defender ATP | Splunkbase</A>&nbsp;developer supported not official with Splunk.</P><P>---</P><P>An upvote would be appreciated if this reply helps!</P> Wed, 14 Jul 2021 02:16:11 GMT https://community.splunk.com/t5/Security/Sending-On-Prem-Windows-Defender-AV-DATA-to-On-Splunk/m-p/559335#M12408 venkatasri 2021-07-14T02:16:11Z https://community.splunk.com/t5/Security/Sending-On-Prem-Windows-Defender-AV-DATA-to-On-Splunk/m-p/559336#M12409 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/234967">@tarungupta0311</a>&nbsp;other one here - little outdated -&nbsp;<A href="https://splunkbase.splunk.com/app/3734/" target="_blank">TA for Microsoft Windows Defender | Splunkbase</A></P> Wed, 14 Jul 2021 02:20:06 GMT https://community.splunk.com/t5/Security/Sending-On-Prem-Windows-Defender-AV-DATA-to-On-Splunk/m-p/559336#M12409 venkatasri 2021-07-14T02:20:06Z https://community.splunk.com/t5/Security/Sending-On-Prem-Windows-Defender-AV-DATA-to-On-Splunk/m-p/559342#M12411 <P>This is for ATP not for the old legacy windows defender AV</P> Wed, 14 Jul 2021 03:02:56 GMT https://community.splunk.com/t5/Security/Sending-On-Prem-Windows-Defender-AV-DATA-to-On-Splunk/m-p/559342#M12411 tarungupta0311 2021-07-14T03:02:56Z https://community.splunk.com/t5/Security/Sending-On-Prem-Windows-Defender-AV-DATA-to-On-Splunk/m-p/559343#M12412 <P>This is not useful when Windows Defender data is going to a Database.</P> Wed, 14 Jul 2021 03:04:37 GMT https://community.splunk.com/t5/Security/Sending-On-Prem-Windows-Defender-AV-DATA-to-On-Splunk/m-p/559343#M12412 tarungupta0311 2021-07-14T03:04:37Z https://community.splunk.com/t5/Security/Sending-On-Prem-Windows-Defender-AV-DATA-to-On-Splunk/m-p/559399#M12415 <P>Solution - If you want to&nbsp;Send On-Prem Windows Defender AV DATA to On Splunk, we need to send it to&nbsp; Splunk Enterprise via DB Connect.<BR />Also below solution will work when we are doing Windows Authentication against the database, please follow the below steps, on<SPAN>&nbsp;</SPAN><STRONG>Ubuntu</STRONG><STRONG><SPAN>&nbsp;</SPAN>to set up the connection</STRONG></P><UL><LI>Follow the steps&nbsp;@&nbsp;<A href="https://docs.splunk.com/Documentation/DBX/3.5.1/ReleaseNotes/Releasenotes" target="_blank" rel="noopener nofollow noreferrer">https://docs.splunk.com/Documentation/DBX/3.5.1/ReleaseNotes/Releasenotes</A></LI><LI>install DB Connect&nbsp;DBX 3.4.2 software via Splunkbase, or browse more apps and download from there.</LI><LI>Now it comes to installing Java on Splunk DB-Connect,</LI><OL><LI>1st check if java is already installed on the server, for that type java – version, if java is not installed follow</LI><LI>Run&nbsp;<BR />sudo apt update&nbsp;<BR />sudo apt install default-jre<BR />sudo apt install openjdk-11-jre-headless</LI><LI>Validate Java is installed and running in server mode with&nbsp;java -version&nbsp;It should look something like this:</LI></OL></UL><P>$ java -version openjdk version "11.0.7" 2020-04-14 OpenJDK Runtime Environment (build 11.0.7+10-post-Ubuntu-3ubuntu1) OpenJDK 64-Bit&nbsp;<STRONG>Server VM</STRONG>&nbsp;(build 11.0.7+10-post-Ubuntu-3ubuntu1, mixed mode, sharing)</P><UL><OL><LI>Set the JAVA_HOME Environment Variable</LI><UL><LI>OpenJDK 11 is located at&nbsp;/usr/lib/jvm/java-11-openjdk-amd64</LI><LI>Set the variable globally by adding&nbsp;JAVA_HOME="/usr/lib/jvm/java-11-openjdk-amd64"&nbsp;to&nbsp;/etc/environment.</LI></UL><LI>Save and exit VIM</LI><LI>Type reboot to reboot the Ubuntu machine.</LI><LI>Now Access to Db Connect – Configuration – settings – General – in JRE Installation Path, enter<BR />/usr/lib/jvm/java-11-openjdk-amd64</LI><LI>Hit Save and let DB Connect Ap detect the JAVA.</LI></OL><LI>Now it comes for Java Drivers</LI><OL><LI>Since you have installed java version 11, we need to install Java Drivers 11</LI><LI>Install 8.2.1 already tested JDBC Ms Generic Driver from<SPAN>&nbsp;</SPAN><A href="https://docs.microsoft.com/en-us/sql/connect/jdbc/release-notes-for-the-jdbc-driver?view=sql-server-ver15#previous-releases" target="_blank" rel="noopener nofollow noreferrer">https://docs.microsoft.com/en-us/sql/connect/jdbc/release-notes-for-the-jdbc-driver?view=sql-server-...</A></LI><LI>Install JTDC JDBC drivers from<SPAN>&nbsp;</SPAN><A href="https://sourceforge.net/projects/jtds/files/" target="_blank" rel="noopener nofollow noreferrer">https://sourceforge.net/projects/jtds/files/</A><SPAN>&nbsp;</SPAN>(link is mentioned in Splunk Documentation)</LI><LI>Both are required as for Windows Authentication we will be doing a mix of them</LI><LI>Now Access to Db Connect – Configuration – settings – Drivers – Click Reload and you should see 8.2 Generic and 1.3 JTDS drivers</LI><LI>Reboot the Splunk Ubuntu Server.</LI></OL><LI>Now it comes to Setting up the Identity in DB Connection – Configuration – Database – Identities</LI><OL><LI>Identity Name – Any user-friendly name</LI><LI>Username – Account which will have access to the Database</LI><LI>Password – Password of that account</LI><LI>Check Use Windows Authentication Domain</LI><LI>Enter the Domain</LI><LI>Hit Save</LI></OL><LI>Now it comes to Setting up the Connection in DB Connection – Configuration – Database – Connections</LI><OL><LI>This is the most tricky part</LI><LI>Connection Name – Any user-friendly name</LI><LI>Identity – Select the account, which will do authentication against a database</LI><LI>Connection Type – MS-SQL Server Using JTDS Driver with Windows Authentication</LI><LI>Timezone – appropriate Timezone</LI><LI>JDBC URL Setting</LI><UL><LI>Enter the manauyl<SPAN>&nbsp;</SPAN><STRONG>JDBC URL - jdbc:jtds:sqlserver://serverIP:1433/databasename;useCursors=true;domain=domainname;useNTLMv2=true</STRONG></LI></UL><LI>Advance Read only - checked</LI></OL><LI>Now Make a database connection and send it to the Index created on Splunk Cloud.</LI></UL> Wed, 14 Jul 2021 11:53:12 GMT https://community.splunk.com/t5/Security/Sending-On-Prem-Windows-Defender-AV-DATA-to-On-Splunk/m-p/559399#M12415 tarungupta0311 2021-07-14T11:53:12Z