- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- TA-MS_Defender / Microsoft Defender ATP Add-on for...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TA-MS_Defender / Microsoft Defender ATP Add-on for Splunk: Configuration Page / Accounts tab "hangs" endlessly
Installed the TA on a sandbox standalone machine with splunk 7.3.3- If i try to configure stuff in the "Configuration" view, the "Accounts" tab just shows an animated circle and that's it.
A restart of splunkd shows the following message:
Unable to initialize modular input "microsoft_defender_atp_alerts" defined in the app "TA-MS_Defender": Introspecting scheme=microsoft_defender_atp_alerts: script running failed (exited with code 1)I reviewed all permissions on the TA and elevated permissions to read/write/execute for the splunk user and "everybody" with no effect-
This installation is running on a windows server 2016 box.
Anybody got an idea how to fix this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you fix yet?
I have the same error. My sandbox is 7.3.1 running on my test machine (windows 10). It looks like a library import is failing and that may be part of it. I have not configured any inputs so that is one thing. Also, I am going to try going to latest 8.X version of Splunk Enterprise.
C:\Program Files\Splunk\bin>splunk cmd python "\Program Files\Splunk\etc\apps\TA-MS_Defender\bin\microsoft_defender_atp_alerts.py"
Traceback (most recent call last):
File "\Program Files\Splunk\etc\apps\TA-MS_Defender\bin\microsoft_defender_atp_alerts.py", line 14, in <module>
import input_module_microsoft_defender_atp_alerts as input_module
File "C:\Program Files\Splunk\etc\apps\TA-MS_Defender\bin\input_module_microsoft_defender_atp_alerts.py", line 8, in <module>
import dateutil.parser
ImportError: No module named dateutil.parser
C:\Program Files\Splunk\bin>splunk cmd python
Python 2.7.15 (default, Sep 16 2019, 17:08:43) [MSC v.1900 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import dateutil.parser
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
ImportError: No module named dateutil.parser
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just tried the latest version of Splunk Enterprise and the error persists. I'll likely have to see about alternatives next week. -jB
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have https://splunkbase.splunk.com/app/4564/ working. I only wanted Defender ATP logs for now so I used an OData filter. The documentation links to -- https://github.com/microsoftgraph/security-api-solutions/tree/master/Queries for the Odata filtering. I recommend setting up on a test splunk instance and see what the provider comes in as. Then copy/paste the value into the filter.
The OData filter that worked for me was --
vendorInformation/provider eq 'Microsoft Defender ATP'
-jB
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another update, this addon (graph security) doesn't seem to map into CIM and ES DMs. That is problematic. For example an eicar test didn't show the user or the action as extracted fields to even do a manual mapping for the Malware data model. Unfortunate.
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
