We are trying to fetch data from Microsoft ATP using the "Add-on for windows defender" app and we are seeing an error.
App location on Splunkbase is: https://splunkbase.splunk.com/app/4128/
2019-12-17 12:37:22,682 ERROR pid=23927 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events. Traceback (most recent call last): File "/opt/splunk/etc/apps/TA_windows-defender/bin/ta_windows_defender/modinput_wrapper/base_modinput.py", line 127, in stream_events self.collect_events(ew) File "/opt/splunk/etc/apps/TA_windows-defender/bin/windows_defender_atp_alerts.py", line 88, in collect_events input_module.collect_events(self, ew) File "/opt/splunk/etc/apps/TA_windows-defender/bin/input_module_windows_defender_atp_alerts.py", line 151, in collect_events "Authorization": 'Bearer ' + access_token, TypeError: cannot concatenate 'str' and 'NoneType' objects
2019-12-17 12:37:22,681 ERROR pid=23927 tid=MainThread file=base_modinput.py:log_error:307 | No JSON object could be decoded
I believe you have the wrong Login URL.
Wrong URL:
- https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts
- https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts
Correct URL: