All Apps and Add-ons

TA-MS-defender no incident logs

edwardrose
Contributor

Hello All,

I have configured TA-MS-defender and we are collecting ATP logs just fine.  But the Incident logs keep giving me the following error:

 

2021-06-25 09:36:35,832 ERROR pid=4306 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/ta_ms_defender/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py", line 72, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/input_module_microsoft_365_defender_incidents.py", line 69, in collect_events
    incidents = azutil.get_atp_alerts_odata(helper, access_token, incident_url, user_agent="M365DPartner-Splunk-M365DefenderAddOn/1.3.0")
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/utils.py", line 57, in get_atp_alerts_odata
    raise e
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/utils.py", line 40, in get_atp_alerts_odata
    r.raise_for_status()
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/ta_ms_defender/aob_py3/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://api.security.microsoft.com/api/incidents?$filter=lastUpdateTime+gt+2000-01-01T00:00:00Z

 

Any ideas or help?

 

thanks

ed

Labels (3)
0 Karma
1 Solution

jaxjohnny2000
Builder

I'm getting the same error.  Did you ever find a solution?  I just set up the incidents input today.  It seems like permissions, so that's where I am starting to look

Prerequisites

  • An Azure Active Directory application registration

Refer to the following article for details on setting up an Azure Active Directory application registration with the appropriate permissions for Microsoft Defender for Endpoint:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/api-hello...

Refer to the following article for details on setting up an Azure Active Directory application registration with the appropriate permissions for Microsoft 365 Defender Incidents:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-hello-world?view=o365-worldwide

View solution in original post

0 Karma

jaxjohnny2000
Builder

I'm getting the same error.  Did you ever find a solution?  I just set up the incidents input today.  It seems like permissions, so that's where I am starting to look

Prerequisites

  • An Azure Active Directory application registration

Refer to the following article for details on setting up an Azure Active Directory application registration with the appropriate permissions for Microsoft Defender for Endpoint:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/api-hello...

Refer to the following article for details on setting up an Azure Active Directory application registration with the appropriate permissions for Microsoft 365 Defender Incidents:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-hello-world?view=o365-worldwide

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...