All Apps and Add-ons

TA-MS-defender no incident logs

edwardrose
Contributor

Hello All,

I have configured TA-MS-defender and we are collecting ATP logs just fine.  But the Incident logs keep giving me the following error:

 

2021-06-25 09:36:35,832 ERROR pid=4306 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/ta_ms_defender/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py", line 72, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/input_module_microsoft_365_defender_incidents.py", line 69, in collect_events
    incidents = azutil.get_atp_alerts_odata(helper, access_token, incident_url, user_agent="M365DPartner-Splunk-M365DefenderAddOn/1.3.0")
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/utils.py", line 57, in get_atp_alerts_odata
    raise e
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/utils.py", line 40, in get_atp_alerts_odata
    r.raise_for_status()
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/ta_ms_defender/aob_py3/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://api.security.microsoft.com/api/incidents?$filter=lastUpdateTime+gt+2000-01-01T00:00:00Z

 

Any ideas or help?

 

thanks

ed

Labels (3)
0 Karma
1 Solution

jaxjohnny2000
Builder

I'm getting the same error.  Did you ever find a solution?  I just set up the incidents input today.  It seems like permissions, so that's where I am starting to look

Prerequisites

  • An Azure Active Directory application registration

Refer to the following article for details on setting up an Azure Active Directory application registration with the appropriate permissions for Microsoft Defender for Endpoint:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/api-hello...

Refer to the following article for details on setting up an Azure Active Directory application registration with the appropriate permissions for Microsoft 365 Defender Incidents:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-hello-world?view=o365-worldwide

View solution in original post

0 Karma

jaxjohnny2000
Builder

I'm getting the same error.  Did you ever find a solution?  I just set up the incidents input today.  It seems like permissions, so that's where I am starting to look

Prerequisites

  • An Azure Active Directory application registration

Refer to the following article for details on setting up an Azure Active Directory application registration with the appropriate permissions for Microsoft Defender for Endpoint:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/api-hello...

Refer to the following article for details on setting up an Azure Active Directory application registration with the appropriate permissions for Microsoft 365 Defender Incidents:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-hello-world?view=o365-worldwide

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...