Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Getting Data into the Splunk Add-On for Microsoft Security

qzy
New Member
‎06-30-2024 10:41 AM

Hi folks,

I am trying to get Defender logs into the  Splunk Add-On for Microsoft Security but I am struggling a bit.

It "appears" to be configured correctly but I am seeing this error in the logs:
ERROR pid=222717 tid=MainThread file=ms_security_utils.py:get_atp_alerts_odata:261 | Exception occurred while getting data using access token : HTTPSConnectionPool(host='api.securitycenter.microsoft.com', port=443): Max retries exceeded with url: /api/alerts?$expand=evidence&$filter=lastUpdateTime+gt+2024-05-22T12:34:35Z (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7fe514fa1bd0>, 'Connection to api.securitycenter.microsoft.com timed out. (connect timeout=60)'))

Is this an issue with the way the Azure Connector App is permissioned or something else entirely?

Thanks in advance

Labels (2)
Labels
0 Karma
Reply

qzy
New Member
‎07-04-2024 03:19 AM

Thank you for the response, and it was indeed a Firewall Rule issue! 

I also had to ensure these permissions were granted on the Azure side....
SecurityIncident.Read.all/SecurityIncident.ReadWrite.all 
Incident.Read.All/Incident.ReadWrite.All

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-30-2024 11:02 AM

Connection timeout means that your end tried to establish connection with the destinations server (api.securityserver.microsoft.com) but didn't get any response. This typically means network-level problems (like lack of proper firewall rules allowing outgoing traffic) or (actually it's the same thing but pushed one step further) not configured proxy server when direct outgoing traffic is forbidden.

Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top