Installed the TA on a sandbox standalone machine with Splunk 7.3.3. If I try to configure stuff in the "Configuration" view, the "Accounts" tab just shows an animated circle and that's it. A restart of splunkd shows the following message:
Unable to initialize modular input "microsoft_defender_atp_alerts" defined in the app "TA-MS_Defender": Introspecting scheme=microsoft_defender_atp_alerts: script running failed (exited with code 1)
I reviewed all permissions on the TA and elevated permissions to read/write/execute for the splunk user and "everybody" with no effect.
This installation is running on a Windows Server 2016 box.
I have the same error. My sandbox is 7.3.1 running on my test machine (Windows 10). It looks like a library import is failing and that may be part of it. I have not configured any inputs, so that is one thing. Also, I am going to try going to the latest 8.x version of Splunk Enterprise.
C:\Program Files\Splunk\bin>splunk cmd python "\Program Files\Splunk\etc\apps\TA-MS_Defender\bin\microsoft_defender_atp_alerts.py"
Traceback (most recent call last):
  File "\Program Files\Splunk\etc\apps\TA-MS_Defender\bin\microsoft_defender_atp_alerts.py", line 14, in <module>
    import input_module_microsoft_defender_atp_alerts as input_module
  File "C:\Program Files\Splunk\etc\apps\TA-MS_Defender\bin\input_module_microsoft_defender_atp_alerts.py", line 8, in <module>
    import dateutil.parser
ImportError: No module named dateutil.parser

C:\Program Files\Splunk\bin>splunk cmd python
Python 2.7.15 (default, Sep 16 2019, 17:08:43) [MSC v.1900 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import dateutil.parser
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ImportError: No module named dateutil.parser
Another update: this addon (graph security) doesn't seem to map into CIM and ES DMs. That is problematic. For example, an EICAR test didn't show the user or the action as extracted fields to even do a manual mapping for the Malware data model. Unfortunate.
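The ImportError in the reply above is the whole story behind "script running failed (exited with code 1)": Splunk runs modular inputs with its own bundled interpreter, and that interpreter does not ship `dateutil`, so the TA has to vendor `python-dateutil` (and its dependency `six`) in its own bin/ or lib/ directory. The script below is an added example, not code from the thread or from the TA: a pre-flight check that parses a modular input script, collects its top-level imports, and reports any that are neither in the target interpreter's standard library nor present as a vendored module or package next to the script. The `demo()` function rebuilds the thread's layout in a temporary directory with constructed files; the module name `input_module_microsoft_defender_atp_alerts` comes from the traceback, while the vendored `splunklib` package and the reduced stdlib set passed to `demo()` are assumptions made for the example. Run it as `splunk cmd python check_imports.py <script>` so the default stdlib list is the bundled interpreter's, not the system Python's.

```python
"""Pre-flight check: which imports of a Splunk modular input script will fail
under the interpreter that runs it? Added example, not part of the TA."""
import ast
import os
import shutil
import sys
import tempfile

# Fallback for interpreters older than 3.10 (no sys.stdlib_module_names).
# Assumption: only names a typical modular input touches are listed here.
_FALLBACK_STDLIB = frozenset({
    "os", "sys", "json", "time", "datetime", "logging", "re", "urllib",
    "hashlib", "base64", "ssl", "socket", "traceback", "xml", "collections",
})


def top_level_imports(source):
    """Return the sorted top-level module names a Python source imports.
    Relative imports (from . import x) are skipped: they resolve inside the app."""
    tree = ast.parse(source)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom):
            if node.level == 0 and node.module:
                names.add(node.module.split(".")[0])
    return sorted(names)


def is_vendored(name, lib_dirs):
    """True if `name` exists as a module file or a package directory in lib_dirs."""
    for d in lib_dirs:
        if os.path.isfile(os.path.join(d, name + ".py")):
            return True
        if os.path.isfile(os.path.join(d, name, "__init__.py")):
            return True
    return False


def unresolved_imports(script_path, lib_dirs=None, stdlib=None):
    """Return imports of `script_path` that are neither stdlib nor vendored.

    lib_dirs defaults to the script's own directory (the app's bin/, which is
    on sys.path when splunkd runs the input). stdlib defaults to the running
    interpreter's list, which only reflects Splunk's bundled Python when this
    is launched via `splunk cmd python`."""
    if lib_dirs is None:
        lib_dirs = [os.path.dirname(os.path.abspath(script_path))]
    if stdlib is None:
        stdlib = getattr(sys, "stdlib_module_names", _FALLBACK_STDLIB)
    with open(script_path, "r", encoding="utf-8") as fh:
        source = fh.read()
    missing = []
    for name in top_level_imports(source):
        if name in stdlib or name in sys.builtin_module_names:
            continue
        if is_vendored(name, lib_dirs):
            continue
        missing.append(name)
    return missing


def demo():
    """Rebuild the thread's situation with constructed files: the helper module
    imports dateutil.parser, but only a (fake) splunklib package is vendored."""
    app_bin = tempfile.mkdtemp(prefix="TA-MS_Defender_bin_")
    try:
        helper = os.path.join(app_bin, "input_module_microsoft_defender_atp_alerts.py")
        with open(helper, "w", encoding="utf-8") as fh:
            fh.write("import json\n"
                     "import dateutil.parser\n"
                     "from splunklib import modularinput\n")
        os.makedirs(os.path.join(app_bin, "splunklib"))          # vendored package
        open(os.path.join(app_bin, "splunklib", "__init__.py"), "w").close()
        # Reduced stdlib set stands in for the bundled Python 2.7 (assumption).
        return unresolved_imports(helper, stdlib={"json", "os", "sys"})
    finally:
        shutil.rmtree(app_bin, ignore_errors=True)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name in unresolved_imports(sys.argv[1]):
            print("not resolvable under this interpreter: " + name)
    else:
        print(demo())
```

If the check names a module, dropping the package into the app's bin/ (or into a lib/ directory the script adds to `sys.path` before importing) is what makes `splunk cmd python <script>` succeed; restarting splunkd without doing that just reproduces the introspection failure.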