
Microsoft Windows Defender data not coming

ips_mandar
Builder

Hi,
I already have the Log Analytics add-on installed; it is working fine and I am able to get OMS logs. Now a new requirement has come up to get Windows Defender ATP logs into Splunk. I have configured the input for it but am unable to receive data in Splunk.
1. Is it because Log Analytics is using port 443 and the TA for Microsoft Windows Defender is trying to use the same port? If yes, then how can I change the port?
2. Is it required to set a proxy?
3. Is it required to set the SSL connection ON? When is it required, given that SSL is set to true by default?
4. I am getting the log below:

 2019-02-08 11:02:39,280 DEBUG pid=15232 tid=MainThread file=connectionpool.py:_make_request:400 | https://wdatp-alertexporter-eu.securitycenter.windows.com:443 "GET /api/Alerts//api/alerts?sinceTimeUtc=2019-02-01%2011:02:39.097000 HTTP/1.1" 404 1245

From here I thought it might be trying to use the same port 443? Also, does the 404 here mean not found?
Also, the endpoint URL which I am using is slightly different: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts
@thambisetty could you please give me some insight here?
Thanks,

1 Solution

thambisetty
SplunkTrust

It should work on Splunk versions below 8.0. Not tested on 8.

————————————
If this helps, give a like below.

thambisetty
SplunkTrust

Endpoint URL:

https://wdatp-alertexporter-eu.securitycenter.windows.com

Not
https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts

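The posted DEBUG line explains why the original configuration failed: the add-on appends its own alerts path to whatever endpoint is configured, so an endpoint that already ends in /api/Alerts produces the doubled request path /api/Alerts//api/alerts, which the service answers with 404 (not found). The script below is an added example and not the add-on's code: it reconstructs that join from the log line (the exact way the TA builds the URL is an assumption), shows the request path each endpoint value leads to, and checks an endpoint value before it is saved in the input.

```python
"""Check a Windows Defender ATP alert-exporter endpoint before the add-on
joins its own API path onto it.

Added example, not the add-on's code. The join is reconstructed from the
posted DEBUG line, where the configured "/api/Alerts" is followed by a
separator and the add-on's own "/api/alerts"; the real TA may join
differently.
"""
from urllib.parse import quote, urlencode, urlsplit

ALERTS_PATH = "/api/alerts"  # path the add-on appends itself (assumed from the log)


def build_request_path(endpoint, since_time_utc):
    """Request path the add-on would send for a configured endpoint (assumed join)."""
    parts = urlsplit(endpoint)
    # The log shows the timestamp with %20 for the space and bare colons.
    query = urlencode({"sinceTimeUtc": since_time_utc}, quote_via=quote, safe=":")
    # configured path + "/" + add-on path: a bare host gives "//api/alerts",
    # which the thread reports as working; "/api/Alerts" in the configured
    # value gives "/api/Alerts//api/alerts", which the service answered with 404.
    return f"{parts.path}/{ALERTS_PATH}?{query}"


def check_endpoint(endpoint):
    """Return the problems to fix before saving the endpoint in the TA input."""
    problems = []
    parts = urlsplit(endpoint)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if not parts.netloc:
        problems.append("endpoint has no host")
    if parts.path.strip("/"):
        problems.append(
            f"endpoint must be the bare host: the add-on appends {ALERTS_PATH} "
            f"itself, but the configured value already has path {parts.path!r}"
        )
    if parts.query or parts.fragment:
        problems.append("endpoint must not carry a query string or fragment")
    return problems


if __name__ == "__main__":
    since = "2019-02-01 11:02:39.097000"  # timestamp taken from the posted log line
    for endpoint in (
        "https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts",  # as configured in the question
        "https://wdatp-alertexporter-eu.securitycenter.windows.com",             # as given in the answer
    ):
        print(endpoint)
        print("  request path:", build_request_path(endpoint, since))
        for problem in check_endpoint(endpoint) or ["ok"]:
            print("  ", problem)
```

Run it as is to see the doubled path for the first endpoint and a clean path for the second; a 404 in the add-on's DEBUG log combined with a path that repeats an API segment is the signal to strip the path from the configured endpoint rather than to look at ports, proxy or SSL settings.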

ips_mandar
Builder

Great!! Now I am able to see data. Thanks @thambisetty
I checked again on Splunkbase for the endpoint URL, but it was given up to api/alerts: https://wdatp-alertexporter-eu.windows.com/api/alerts. I think this needs to be updated.
Once again, thanks a lot.


thambisetty
SplunkTrust

Thanks.

The endpoint URLs in the TA overview were wrong. I have updated them now.


thambisetty
SplunkTrust

Hi,

Please use this app, https://splunkbase.splunk.com/app/4128/, developed by me, if you are looking for Windows Defender ATP.

Follow the instructions available on Splunkbase.


DBuhler
Explorer

@thambisetty is the app supported on Splunk 7.2, 7.3 or 8.0?


ips_mandar
Builder

@thambisetty sorry for tagging a different add-on (updated in the question), and yes, I am using the same add-on developed by you:
https://splunkbase.splunk.com/app/4128
I did follow the instructions. Could you please answer the above questions and help me understand if I am missing something?
Thanks.
