All Apps and Add-ons

TA-MS_Defender / Microsoft Defender ATP Add-on for Splunk: Configuration Page / Accounts tab "hangs" endlessly

cman_sc
Loves-to-Learn

Installed the TA on  a sandbox standalone machine with splunk 7.3.3- If i try to configure stuff in the "Configuration" view, the "Accounts" tab just shows an animated circle and that's it.
A restart of splunkd shows the following message:

Unable to initialize modular input "microsoft_defender_atp_alerts" defined in the app "TA-MS_Defender": Introspecting scheme=microsoft_defender_atp_alerts: script running failed (exited with code 1)

I reviewed all permissions on the TA and elevated permissions to read/write/execute for the splunk user and "everybody" with no effect-

This installation is running on a windows server 2016 box.

Anybody got an idea how to fix this?

Labels (2)
0 Karma

jgbricker
Contributor

Did you fix yet?

I have the same error. My sandbox is 7.3.1 running on my test machine (windows 10). It looks like a library import is failing and that may be part of it. I have not configured any inputs so that is one thing. Also, I am going to try going to latest 8.X version of Splunk Enterprise. 

C:\Program Files\Splunk\bin>splunk cmd python "\Program Files\Splunk\etc\apps\TA-MS_Defender\bin\microsoft_defender_atp_alerts.py"
Traceback (most recent call last):
File "\Program Files\Splunk\etc\apps\TA-MS_Defender\bin\microsoft_defender_atp_alerts.py", line 14, in <module>
import input_module_microsoft_defender_atp_alerts as input_module
File "C:\Program Files\Splunk\etc\apps\TA-MS_Defender\bin\input_module_microsoft_defender_atp_alerts.py", line 8, in <module>
import dateutil.parser
ImportError: No module named dateutil.parser

C:\Program Files\Splunk\bin>splunk cmd python
Python 2.7.15 (default, Sep 16 2019, 17:08:43) [MSC v.1900 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import dateutil.parser
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
ImportError: No module named dateutil.parser

0 Karma

jgbricker
Contributor

I just tried the latest version of Splunk Enterprise and the error persists. I'll likely have to see about alternatives next week. -jB

0 Karma

jgbricker
Contributor

I have https://splunkbase.splunk.com/app/4564/ working. I only wanted Defender ATP logs for now so I used an OData filter. The documentation links to -- https://github.com/microsoftgraph/security-api-solutions/tree/master/Queries for the Odata filtering. I recommend setting up on a test splunk instance and see what the provider comes in as. Then copy/paste the value into the filter.

The OData filter that worked for me was --
vendorInformation/provider eq 'Microsoft Defender ATP'

-jB

0 Karma

jgbricker
Contributor

Another update, this addon (graph security) doesn't seem to map into CIM and ES DMs. That is problematic. For example an eicar test didn't show the user or the action as extracted fields to even do a manual mapping for the Malware data model. Unfortunate.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!