topic Re: Defender ATP Add On Settings in Getting Data In

How to configure Defender ATP Add On Settings

baz — Wed, 16 Feb 2022 15:19:09 GMT

Hi,

Trying to configure the Add-On for Microsoft Defender https://splunkbase.splunk.com/app/4959/

Can anyone confirm what settings are needed for:

Endpoint

Resource?

Whichever I use, I'm getting 401 errors. Have followed https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api-hello-world?view=o365-worldwide and confirmed the permissions on the App registration are 100% correct.

Cheers

Re: Defender ATP Add On Settings

VatsalJagani — Wed, 16 Feb 2022 04:53:30 GMT

The error code 401 clearly describes the issue with permission. Please recheck the permission.

Input	API	Permission	Sourcetype	Reference
Microsoft 365 Defender Incidents (input)	Microsoft Threat Protection	(Application) Incident.Read.All	m365:defender:incident	https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-hello-world?view=o365-worldwide
Defender Advanced Hunting (action)	Microsoft Threat Protection	(Application) AdvancedHunting.Read.All	m365:defender:incident:advanced_hunting	https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-advanced-hunting?view=o365-worldwide
Defender Update Incident (action)	Microsoft Threat Protection	(Application) Incident.ReadWrite.All	N/A	https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-update-incidents?view=o365-worldwide
Microsoft Defender for Endpoint Alerts (input)	WindowsDefenderATP	(Application) Alert.Read.All	ms:defender:atp:alerts	https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api-hello-world?view=o365-worldwide

Please make sure you are using the same App credentials that have the permission as I've done similar mistakes. 😊

------

Please accept the solution if this helps.

Re: Defender ATP Add On Settings

baz — Wed, 16 Feb 2022 06:44:04 GMT

Hey,

Thanks for your response!

Permissions are fine, running through that test script in the knowledge base https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api-hello-world?view=o365-worldwide is also fine and I can pull results.

Re: Defender ATP Add On Settings

baz — Wed, 16 Feb 2022 06:54:45 GMT

Further Update, now getting logins successfully, with the below but nothing into Splunk

2022-02-16 06:53:51,353 DEBUG pid=23770 tid=MainThread file=base_modinput.py:log_debug:288 | get access token called
2022-02-16 06:53:51,353 DEBUG pid=23770 tid=MainThread file=base_modinput.py:log_debug:288 | Token genrated last time:2022-02-16 06:53:08.758148
2022-02-16 06:53:51,353 DEBUG pid=23770 tid=MainThread file=base_modinput.py:log_debug:288 | Token elapsed time(in seconds): 42
2022-02-16 06:53:51,353 INFO pid=23770 tid=MainThread file=setup_util.py:log_info:117 | Proxy is not enabled!
2022-02-16 06:53:51,353 DEBUG pid=23770 tid=MainThread file=base_modinput.py:log_debug:288 | Proxies set is : {}
2022-02-16 06:53:51,353 DEBUG pid=23770 tid=MainThread file=base_modinput.py:log_debug:288 | Global SSL Verify settings is: False
2022-02-16 06:53:51,354 DEBUG pid=23770 tid=MainThread file=connectionpool.py:_new_conn:959 | Starting new HTTPS connection (1): api.securitycenter.microsoft.com:443
2022-02-16 06:53:52,122 DEBUG pid=23770 tid=MainThread file=connectionpool.py:_make_request:437 | https://api.securitycenter.microsoft.com:443 "GET //api/alerts?sinceTimeUtc=2022-02-09%2006:53:51.350605 HTTP/1.1" 200 2167
2022-02-16 06:53:52,124 INFO pid=23770 tid=MainThread file=base_modinput.py:log_info:295 | Number of alerts returned: 2

Re: Defender ATP Add On Settings

VatsalJagani — Wed, 16 Feb 2022 15:47:08 GMT

I see in the logs that there were 2 alerts returned by the API.

So just make sure you have the right index created. And run the search (index=<defender-atp-index>) in "All Time".