All Apps and Add-ons

TA-MS-defender no incident logs

edwardrose
Contributor

Hello All,

I have configured TA-MS-defender and we are collecting ATP logs just fine.  But the Incident logs keep giving me the following error:

 

2021-06-25 09:36:35,832 ERROR pid=4306 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/ta_ms_defender/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py", line 72, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/input_module_microsoft_365_defender_incidents.py", line 69, in collect_events
    incidents = azutil.get_atp_alerts_odata(helper, access_token, incident_url, user_agent="M365DPartner-Splunk-M365DefenderAddOn/1.3.0")
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/utils.py", line 57, in get_atp_alerts_odata
    raise e
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/utils.py", line 40, in get_atp_alerts_odata
    r.raise_for_status()
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/ta_ms_defender/aob_py3/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://api.security.microsoft.com/api/incidents?$filter=lastUpdateTime+gt+2000-01-01T00:00:00Z

 

Any ideas or help?

 

thanks

ed

Labels (3)
0 Karma
1 Solution

jaxjohnny2000
Builder

I'm getting the same error.  Did you ever find a solution?  I just set up the incidents input today.  It seems like permissions, so that's where I am starting to look

Prerequisites

  • An Azure Active Directory application registration

Refer to the following article for details on setting up an Azure Active Directory application registration with the appropriate permissions for Microsoft Defender for Endpoint:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/api-hello...

Refer to the following article for details on setting up an Azure Active Directory application registration with the appropriate permissions for Microsoft 365 Defender Incidents:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-hello-world?view=o365-worldwide

View solution in original post

0 Karma

jaxjohnny2000
Builder

I'm getting the same error.  Did you ever find a solution?  I just set up the incidents input today.  It seems like permissions, so that's where I am starting to look

Prerequisites

  • An Azure Active Directory application registration

Refer to the following article for details on setting up an Azure Active Directory application registration with the appropriate permissions for Microsoft Defender for Endpoint:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/api-hello...

Refer to the following article for details on setting up an Azure Active Directory application registration with the appropriate permissions for Microsoft 365 Defender Incidents:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-hello-world?view=o365-worldwide

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...