
TA-MS_Defender / Microsoft Defender ATP Add-on for Splunk: Configuration Page / Accounts tab "hangs" endlessly

cman_sc
Loves-to-Learn

Installed the TA on a sandbox standalone machine with Splunk 7.3.3. If I try to configure stuff in the "Configuration" view, the "Accounts" tab just shows an animated circle and that's it.
A restart of splunkd shows the following message:

Unable to initialize modular input "microsoft_defender_atp_alerts" defined in the app "TA-MS_Defender": Introspecting scheme=microsoft_defender_atp_alerts: script running failed (exited with code 1)

I reviewed all permissions on the TA and elevated permissions to read/write/execute for the splunk user and "everybody" with no effect.

This installation is running on a Windows Server 2016 box.

Anybody got an idea how to fix this?


jgbricker
Contributor

Did you fix yet?

I have the same error. My sandbox is 7.3.1 running on my test machine (Windows 10). It looks like a library import is failing and that may be part of it. I have not configured any inputs, so that is one thing. Also, I am going to try going to the latest 8.X version of Splunk Enterprise.

C:\Program Files\Splunk\bin>splunk cmd python "\Program Files\Splunk\etc\apps\TA-MS_Defender\bin\microsoft_defender_atp_alerts.py"
Traceback (most recent call last):
File "\Program Files\Splunk\etc\apps\TA-MS_Defender\bin\microsoft_defender_atp_alerts.py", line 14, in <module>
import input_module_microsoft_defender_atp_alerts as input_module
File "C:\Program Files\Splunk\etc\apps\TA-MS_Defender\bin\input_module_microsoft_defender_atp_alerts.py", line 8, in <module>
import dateutil.parser
ImportError: No module named dateutil.parser

C:\Program Files\Splunk\bin>splunk cmd python
Python 2.7.15 (default, Sep 16 2019, 17:08:43) [MSC v.1900 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import dateutil.parser
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
ImportError: No module named dateutil.parser


jgbricker
Contributor

I just tried the latest version of Splunk Enterprise and the error persists. I'll likely have to see about alternatives next week. -jB


jgbricker
Contributor

I have https://splunkbase.splunk.com/app/4564/ working. I only wanted Defender ATP logs for now, so I used an OData filter. The documentation links to https://github.com/microsoftgraph/security-api-solutions/tree/master/Queries for the OData filtering. I recommend setting up on a test Splunk instance and seeing what the provider comes in as. Then copy/paste the value into the filter.

The OData filter that worked for me was --
vendorInformation/provider eq 'Microsoft Defender ATP'

-jB

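As an added example (not code from the thread, the Splunkbase app, or Microsoft), the two steps jgbricker describes, checking what `vendorInformation/provider` values alerts actually come in as and then building the `$filter` from that value, in Python. The alerts response below is constructed sample data; the Graph endpoint URL is the public `security/alerts` endpoint, and the filter quoting follows OData string-literal rules (single quotes inside a value are doubled).

```python
import json
from collections import Counter
from urllib.parse import urlencode

GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"

# Constructed sample of a Graph Security API alerts response (not real alerts).
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"id": "a1", "title": "Suspicious file",
         "vendorInformation": {"provider": "Microsoft Defender ATP", "vendor": "Microsoft"}},
        {"id": "a2", "title": "Risky sign-in",
         "vendorInformation": {"provider": "IPC", "vendor": "Microsoft"}},
        {"id": "a3", "title": "Malware detected",
         "vendorInformation": {"provider": "Microsoft Defender ATP", "vendor": "Microsoft"}},
    ]
})


def providers_seen(response_text):
    """Count the vendorInformation/provider values in an alerts response,
    so the exact spelling can be copied into the OData filter."""
    data = json.loads(response_text)
    return Counter(
        (alert.get("vendorInformation") or {}).get("provider", "<none>")
        for alert in data.get("value", [])
    )


def odata_string(value):
    """Quote a value as an OData string literal; embedded quotes are doubled."""
    return "'" + value.replace("'", "''") + "'"


def build_provider_filter(providers):
    """Build a $filter that keeps only alerts from the given provider names."""
    clauses = ["vendorInformation/provider eq " + odata_string(p) for p in providers]
    return " or ".join(clauses)


def build_alerts_url(providers, top=100):
    """Full request URL with the filter URL-encoded as a query parameter."""
    params = {"$filter": build_provider_filter(providers), "$top": top}
    return GRAPH_ALERTS_URL + "?" + urlencode(params)


if __name__ == "__main__":
    print(providers_seen(SAMPLE_RESPONSE))
    print(build_provider_filter(["Microsoft Defender ATP"]))
    print(build_alerts_url(["Microsoft Defender ATP"]))
```

Run `providers_seen` against a real, unfiltered response first, then paste the provider name it reports into `build_provider_filter`.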

jgbricker
Contributor

Another update: this add-on (Graph Security) doesn't seem to map into CIM and ES DMs. That is problematic. For example, an EICAR test didn't show the user or the action as extracted fields to even do a manual mapping for the Malware data model. Unfortunate.
