Hi
I already have the Log Analytics add-on installed; it is working fine and able to get OMS logs. Now a new requirement has come up to get Windows Defender ATP logs into Splunk. I have configured the input for it but am unable to receive data in Splunk.
1. Is it because Log Analytics is using port 443 and the TA for Microsoft Windows Defender is trying to use the same port? If yes, how can I change the port?
2. Is it required to set a proxy?
3. Is it required to set the SSL connection ON? When is it required to set it, since SSL is set to true by default?
4. I am getting the below log -
2019-02-08 11:02:39,280 DEBUG pid=15232 tid=MainThread file=connectionpool.py:_make_request:400 | https://wdatp-alertexporter-eu.securitycenter.windows.com:443 "GET /api/Alerts//api/alerts?sinceTimeUtc=2019-02-01%2011:02:39.097000 HTTP/1.1" 404 1245
From here I thought it might be trying to use the same port 443? Also, does 404 here mean "not found"?
Also, the endpoint URL which I am using is slightly different: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts
@thambisetty could you please give me some insight here.
Thanks,
Endpoint URL:
https://wdatp-alertexporter-eu.securitycenter.windows.com
Not
https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts
It should work on Splunk versions below 8.0. Not tested on 8.
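To make the answer concrete: the DEBUG line in the question shows the add-on appending `/api/alerts?sinceTimeUtc=...` to whatever endpoint is configured, so an endpoint that already ends in `/api/Alerts` yields the doubled path and the 404. The script below is an added example (not the add-on's own code) that reproduces that URL construction, checks a configured endpoint for the mistake, and reduces it to the bare scheme and host; the exact join logic of the add-on is an assumption approximated from the log line.

```python
from urllib.parse import quote, urlsplit, urlunsplit

# Path the add-on appends to the configured endpoint (taken from the DEBUG log line in the question).
ALERTS_PATH = "/api/alerts"


def build_alerts_url(endpoint, since_time_utc):
    """Approximate how the TA turns the configured endpoint into a request URL.
    Assumption: endpoint + ALERTS_PATH + query; the add-on's real join logic is not on the page."""
    return f"{endpoint.rstrip('/')}{ALERTS_PATH}?sinceTimeUtc={quote(since_time_utc, safe=':')}"


def check_endpoint(endpoint):
    """Return a list of configuration problems for an endpoint URL (empty list means it is fine)."""
    parts = urlsplit(endpoint.strip())
    problems = []
    if parts.scheme != "https":
        problems.append(f"scheme must be https, got {parts.scheme!r}")
    if not parts.netloc:
        problems.append("missing host name")
    if parts.path.rstrip("/"):
        problems.append(
            f"endpoint must not carry a path (found {parts.path!r}); "
            f"the add-on appends {ALERTS_PATH} itself, which is what produced the 404"
        )
    if parts.query or parts.fragment:
        problems.append("endpoint must not carry a query string or fragment")
    return problems


def fix_endpoint(endpoint):
    """Reduce a mis-configured endpoint to the scheme and host the add-on expects."""
    parts = urlsplit(endpoint.strip())
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


if __name__ == "__main__":
    since = "2019-02-01 11:02:39.097000"  # the sinceTimeUtc value from the question's log line
    for url in (
        "https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts",  # as configured in the question
        "https://wdatp-alertexporter-eu.securitycenter.windows.com",             # as recommended in the answer
    ):
        print(url)
        print("  request  :", build_alerts_url(url, since))
        print("  problems :", check_endpoint(url) or "none")
        print("  corrected:", fix_endpoint(url))
```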
Great!! Now I am able to see data. Thanks @thambisetty
I checked again on Splunkbase for the endpoint URL, but it was listed up to api/alerts - https://wdatp-alertexporter-eu.windows.com/api/alerts. I think this needs to be updated.
Once again, thanks a lot.
Thanks.
The endpoint URLs listed in the TA overview were wrong. I have updated them now.
Hi,
Please use this app, https://splunkbase.splunk.com/app/4128/, if you are looking for Windows Defender ATP; it is developed by me.
Follow the instructions available on Splunkbase.
@thambisetty is the app supported on Splunk 7.2, 7.3 or 8.0?
@thambisetty sorry for tagging a different add-on (updated in the question), and yes, I am using the same add-on, which is developed by you -
https://splunkbase.splunk.com/app/4128
I did follow the instructions. Could you please answer the above questions and help me understand if I am missing something?
Thanks.