Windows Defender ATP

balcv — Wed, 30 Sep 2020 02:21:25 GMT

I have followed the various sets of instructions for sending Microsoft Defender ATP logs to Splunk, however I am getting the following errors:

2019-09-30 15:56:57,263 INFO pid=29578
tid=MainThread
file=connectionpool.py:_new_conn:758 |
Starting new HTTPS connection (1):
127.0.0.1 2019-09-30 15:57:00,043 INFO pid=29738 tid=MainThread
file=connectionpool.py:_new_conn:758 |
Starting new HTTPS connection (1):
127.0.0.1 2019-09-30 15:57:01,003 INFO pid=29738 tid=MainThread
file=connectionpool.py:_new_conn:758 |
Starting new HTTPS connection (1):
127.0.0.1 2019-09-30 15:57:02,530 INFO pid=29738 tid=MainThread
file=connectionpool.py:_new_conn:758 |
Starting new HTTPS connection (1):
127.0.0.1 2019-09-30 15:57:04,012 INFO pid=29738 tid=MainThread
file=connectionpool.py:_new_conn:758 |
Starting new HTTPS connection (1):
127.0.0.1 2019-09-30 15:57:05,480 INFO pid=29738 tid=MainThread
file=splunk_rest_client.py:_request_handler:100
| Use HTTP connection pooling
2019-09-30 15:57:05,482 INFO pid=29738
tid=MainThread
file=connectionpool.py:_new_conn:758 |
Starting new HTTPS connection (1):
127.0.0.1 2019-09-30 15:57:05,497 INFO pid=29738 tid=MainThread
file=setup_util.py:log_info:114 |
Proxy is not enabled! 2019-09-30
15:57:05,884 ERROR pid=29738
tid=MainThread
file=base_modinput.py:log_error:307 |
No JSON object could be decoded
2019-09-30 15:57:05,885 ERROR
pid=29738 tid=MainThread
file=base_modinput.py:log_error:307 |
Get error when collecting events.
Traceback (most recent call last):

File
"/opt/splunk/etc/apps/TA_windows-defender/bin/ta_windows_defender/modinput_wrapper/base_modinput.py",
line 127, in stream_events
self.collect_events(ew) File "/opt/splunk/etc/apps/TA_windows-defender/bin/windows_defender_atp_alerts.py",
line 88, in collect_events
input_module.collect_events(self, ew) File
"/opt/splunk/etc/apps/TA_windows-defender/bin/input_module_windows_defender_atp_alerts.py",
line 151, in collect_events
"Authorization": 'Bearer ' + access_token, TypeError: cannot
concatenate 'str' and 'NoneType'
objects

I've googled, I've read, I've configured, re-configured and configured some more all to no avail. Is there any catches or tricks to get this to work.

Thanks
Leigh

Re: Windows Defender ATP

rahulhoney — Thu, 12 Dec 2019 04:02:15 GMT

I am facing same problem. Did you find a solution?

Re: Windows Defender ATP

balcv — Mon, 16 Dec 2019 00:00:45 GMT

@rahulhoney, I did get the issue resolved however it was through installing and configuring the Microsoft Office 365 App for Splunk and then spending some time on a conference call with our Splunk engineer to get it all up and running.

Once we had the data from O365, the ATP logs were coming in as part of that.

Not sure if that helps you, but that's what I've ended up doing.

Re: Windows Defender ATP

pmein — Fri, 03 Jan 2020 16:33:10 GMT

I have also been working to get this up and running. I'd like more detail where you have landed on this. I can attempt to get Microsoft Office 365 App working but would really like to understand what I am missing in my configuration of the Defender TA and what Splunk support ended up doing.

thanks for any additional clarity here.

topic Re: Windows Defender ATP in Getting Data In

Windows Defender ATP

Re: Windows Defender ATP

Re: Windows Defender ATP

Re: Windows Defender ATP