Hello All,
I have configured TA-MS-defender and we are collecting ATP logs just fine. But the Incident logs keep giving me the following error:
2021-06-25 09:36:35,832 ERROR pid=4306 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS_Defender/bin/ta_ms_defender/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py", line 72, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-MS_Defender/bin/input_module_microsoft_365_defender_incidents.py", line 69, in collect_events
incidents = azutil.get_atp_alerts_odata(helper, access_token, incident_url, user_agent="M365DPartner-Splunk-M365DefenderAddOn/1.3.0")
File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/utils.py", line 57, in get_atp_alerts_odata
raise e
File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/utils.py", line 40, in get_atp_alerts_odata
r.raise_for_status()
File "/opt/splunk/etc/apps/TA-MS_Defender/bin/ta_ms_defender/aob_py3/requests/models.py", line 940, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://api.security.microsoft.com/api/incidents?$filter=lastUpdateTime+gt+2000-01-01T00:00:00Z
Any ideas or help?
thanks
ed
I'm getting the same error. Did you ever find a solution? I just set up the incidents input today. It seems like permissions, so that's where I am starting to look
Prerequisites
Refer to the following article for details on setting up an Azure Active Directory application registration with the appropriate permissions for Microsoft Defender for Endpoint:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/api-hello...
Refer to the following article for details on setting up an Azure Active Directory application registration with the appropriate permissions for Microsoft 365 Defender Incidents:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-hello-world?view=o365-worldwide
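Since both replies point at app permissions, a quick way to confirm that theory before touching the add-on is to inspect the access token the input obtains. The following is an added example, not code from the TA-MS_Defender add-on: it decodes the payload of a JWT locally (no signature check, for inspection only) and reports why the incidents endpoint would answer 403 Forbidden while the Defender for Endpoint endpoint still works. The role names `Incident.Read.All` / `Incident.ReadWrite.All` are the documented application permissions for the Microsoft 365 Defender incidents API; the audience strings and the two sample tokens are constructed for the example and are assumptions to check against the Microsoft articles linked above.

```python
import base64
import json

# Application permissions (roles claim) that the Microsoft 365 Defender
# incidents API accepts; either one is enough to read incidents.
INCIDENT_ROLES = {"Incident.Read.All", "Incident.ReadWrite.All"}

# Assumed audience host for tokens minted for api.security.microsoft.com.
# A token minted for Defender for Endpoint (api.securitycenter.microsoft.com)
# is a different resource and is not accepted by the incidents API.
INCIDENTS_AUDIENCE_HOST = "api.security.microsoft.com"


def make_unsigned_jwt(claims: dict) -> str:
    """Build an unsigned JWT from a claims dict (constructed test data only)."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none", "typ": "JWT"}), seg(claims), ""])


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.

    Use only to inspect a token you already hold; never to accept a token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_incidents_token(claims: dict) -> list:
    """List reasons the incidents API would return 403 for these claims."""
    findings = []
    aud = str(claims.get("aud", ""))
    if INCIDENTS_AUDIENCE_HOST not in aud:
        findings.append(
            f"audience {aud!r} is not the incidents API; request the token "
            f"for scope https://{INCIDENTS_AUDIENCE_HOST}/.default"
        )
    roles = set(claims.get("roles", []))
    if not roles & INCIDENT_ROLES:
        findings.append(
            "roles claim lacks Incident.Read.All / Incident.ReadWrite.All; "
            "add the Microsoft Threat Protection application permission to "
            "the app registration and grant admin consent"
        )
    return findings


def explain_status(status_code: int) -> str:
    """Translate the HTTP status seen in the add-on log into a next step."""
    if status_code == 401:
        return "token rejected (expired, wrong tenant, or wrong resource)"
    if status_code == 403:
        return "token accepted but lacks permission; inspect its roles claim"
    return "not an authorization failure"


# Constructed sample tokens: one minted for Defender for Endpoint only, and
# one minted for the incidents API with the right application role.
SAMPLE_MDE_ONLY_TOKEN = make_unsigned_jwt({
    "aud": "https://api.securitycenter.microsoft.com",
    "roles": ["Alert.Read.All"],
})
SAMPLE_INCIDENTS_TOKEN = make_unsigned_jwt({
    "aud": "https://api.security.microsoft.com",
    "roles": ["Incident.Read.All"],
})

if __name__ == "__main__":
    print(explain_status(403))
    for finding in diagnose_incidents_token(decode_jwt_claims(SAMPLE_MDE_ONLY_TOKEN)):
        print("-", finding)
```

To apply this to a real deployment, paste the token the add-on obtained (from a debug log or a manual client-credentials request) into `decode_jwt_claims`; an empty list from `diagnose_incidents_token` means the 403 has a cause other than the app registration's roles.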