All Apps and Add-ons

TA-MS-defender no incident logs

edwardrose
Contributor

Hello All,

I have configured TA-MS-defender and we are collecting ATP logs just fine.  But the Incident logs keep giving me the following error:

 

2021-06-25 09:36:35,832 ERROR pid=4306 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/ta_ms_defender/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py", line 72, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/input_module_microsoft_365_defender_incidents.py", line 69, in collect_events
    incidents = azutil.get_atp_alerts_odata(helper, access_token, incident_url, user_agent="M365DPartner-Splunk-M365DefenderAddOn/1.3.0")
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/utils.py", line 57, in get_atp_alerts_odata
    raise e
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/utils.py", line 40, in get_atp_alerts_odata
    r.raise_for_status()
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/ta_ms_defender/aob_py3/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://api.security.microsoft.com/api/incidents?$filter=lastUpdateTime+gt+2000-01-01T00:00:00Z

 

Any ideas or help?

 

thanks

ed

Labels (3)
0 Karma
1 Solution

jaxjohnny2000
Builder

I'm getting the same error.  Did you ever find a solution?  I just set up the incidents input today.  It seems like permissions, so that's where I am starting to look

Prerequisites

  • An Azure Active Directory application registration

Refer to the following article for details on setting up an Azure Active Directory application registration with the appropriate permissions for Microsoft Defender for Endpoint:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/api-hello...

Refer to the following article for details on setting up an Azure Active Directory application registration with the appropriate permissions for Microsoft 365 Defender Incidents:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-hello-world?view=o365-worldwide

View solution in original post

0 Karma

jaxjohnny2000
Builder

I'm getting the same error.  Did you ever find a solution?  I just set up the incidents input today.  It seems like permissions, so that's where I am starting to look

Prerequisites

  • An Azure Active Directory application registration

Refer to the following article for details on setting up an Azure Active Directory application registration with the appropriate permissions for Microsoft Defender for Endpoint:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/api-hello...

Refer to the following article for details on setting up an Azure Active Directory application registration with the appropriate permissions for Microsoft 365 Defender Incidents:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-hello-world?view=o365-worldwide

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...