Getting Data In

How to configure Defender ATP Add On Settings

baz
Observer

Hi,

Trying to configure the Add-On for Microsoft Defender https://splunkbase.splunk.com/app/4959/

Can anyone confirm what settings are needed for:

Login URL

Endpoint

Resource?

Whichever I use, I'm getting 401 errors. Have followed https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api-hello-world?view=o365-... and confirmed the permissions on the App registration are 100% correct.

Cheers

VatsalJagani
SplunkTrust

The error code 401 clearly describes the issue with permission. Please recheck the permission.

Input                                          | API                         | Permission                              | Sourcetype                              | Reference
-----------------------------------------------|-----------------------------|-----------------------------------------|-----------------------------------------|----------
Microsoft 365 Defender Incidents (input)       | Microsoft Threat Protection | (Application) Incident.Read.All         | m365:defender:incident                  | https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-hello-world?view=o365-worldwide
Defender Advanced Hunting (action)             | Microsoft Threat Protection | (Application) AdvancedHunting.Read.All  | m365:defender:incident:advanced_hunting | https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-advanced-hunting?view=o365-worl...
Defender Update Incident (action)              | Microsoft Threat Protection | (Application) Incident.ReadWrite.All    | N/A                                     | https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-update-incidents?view=o365-worl...
Microsoft Defender for Endpoint Alerts (input) | WindowsDefenderATP          | (Application) Alert.Read.All            | ms:defender:atp:alerts                  | https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api-hello-world?view=o365-...

Please make sure you are using the same App credentials that have the permission, as I've made similar mistakes. 😊

------

Please accept the solution if this helps.
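A quick way to settle the "permissions are correct" question before touching the add-on is to request an app-only token yourself and read its claims: application permissions show up in the token's `roles` claim, and they are only valid for the resource (`aud`) the token was issued for. The script below is an added example for this thread, not code from the add-on, Splunk or Microsoft. It assumes the client-credentials flow Microsoft's api-hello-world page uses (v1 token endpoint with a `resource` parameter), takes the resource value from the `api.securitycenter.microsoft.com` host seen in the add-on log further down, and copies the permission-to-input mapping from the table above; `tenant_id`, `client_id` and `client_secret` are your own app registration's values, and `make_unsigned_demo_token` builds a constructed, unsigned token purely so the checks can run offline.

```python
"""Check an app-only (client credentials) token for the application permissions the
Defender add-on inputs require.  Added example for this thread; not code from the
add-on, from Splunk or from Microsoft."""
import base64
import json
import urllib.parse
import urllib.request

# Audience/resource of the Defender for Endpoint API.  The add-on log in this thread
# calls api.securitycenter.microsoft.com, so that is the audience an MDE token must carry.
MDE_RESOURCE = "https://api.securitycenter.microsoft.com"

# Application permission each add-on input/action needs, copied from the table above.
# value: (API the permission is granted on, role name expected in the token's 'roles' claim)
REQUIRED_ROLES = {
    "Microsoft 365 Defender Incidents (input)": ("Microsoft Threat Protection", "Incident.Read.All"),
    "Defender Advanced Hunting (action)": ("Microsoft Threat Protection", "AdvancedHunting.Read.All"),
    "Defender Update Incident (action)": ("Microsoft Threat Protection", "Incident.ReadWrite.All"),
    "Microsoft Defender for Endpoint Alerts (input)": ("WindowsDefenderATP", "Alert.Read.All"),
}


def get_app_token(tenant_id, client_id, client_secret, resource=MDE_RESOURCE):
    """Client-credentials token request (Azure AD v1 endpoint with a 'resource' parameter,
    the flow Microsoft's api-hello-world page uses).  Network call; not used by the
    offline demo below.  tenant_id/client_id/client_secret are your own app registration."""
    url = "https://login.microsoftonline.com/%s/oauth2/token" % tenant_id
    body = urllib.parse.urlencode({
        "resource": resource,
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def decode_jwt_payload(token):
    """Return the JWT claims WITHOUT checking the signature.  Good enough for inspecting a
    token you just obtained for yourself; never use this to accept a token from a caller."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_token(token, inputs):
    """Map each add-on input to a list of problems (empty list == the token should work).
    App-only tokens carry application permissions in the 'roles' claim; a permission that
    was added in the portal but is not in 'roles' (no admin consent, wrong app) gives 401."""
    claims = decode_jwt_payload(token)
    granted = set(claims.get("roles", []))
    report = {}
    for name in inputs:
        api, role = REQUIRED_ROLES[name]
        problems = []
        if role not in granted:
            problems.append("missing role " + role)
        # Roles are only honoured by the resource the token was issued for.
        if api == "WindowsDefenderATP" and claims.get("aud") != MDE_RESOURCE:
            problems.append("token audience is %r, not %s" % (claims.get("aud"), MDE_RESOURCE))
        report[name] = problems
    return report


def make_unsigned_demo_token(aud, roles):
    """CONSTRUCTED sample: an unsigned JWT shaped like an Azure AD app token, so the
    checks above can be demonstrated offline.  Real tokens are signed (RS256)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": aud, "roles": roles, "appid": "00000000-0000-0000-0000-000000000000"}
    return b64(header) + "." + b64(payload) + "."


if __name__ == "__main__":
    # Typical misconfiguration: token requested for the wrong resource and only one
    # of the four permissions granted.  Swap in get_app_token(...) for a real check.
    demo = make_unsigned_demo_token("https://graph.microsoft.com", ["Alert.Read.All"])
    for name, problems in diagnose_token(demo, list(REQUIRED_ROLES)).items():
        print("%-48s %s" % (name, "; ".join(problems) or "ok"))
```

If `diagnose_token` reports no problems for the inputs you enabled but the add-on still gets 401, the credentials configured in the add-on are not the ones you tested with, which is the mistake the answer above describes.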

baz
Observer

Hey,

Thanks for your response!

Permissions are fine, running through that test script in the knowledge base https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api-hello-world?view=o365-... is also fine and I can pull results. 


baz
Observer

Further update: now getting logins successfully with the below, but nothing into Splunk.

2022-02-16 06:53:51,353 DEBUG pid=23770 tid=MainThread file=base_modinput.py:log_debug:288 | get access token called
2022-02-16 06:53:51,353 DEBUG pid=23770 tid=MainThread file=base_modinput.py:log_debug:288 | Token genrated last time:2022-02-16 06:53:08.758148
2022-02-16 06:53:51,353 DEBUG pid=23770 tid=MainThread file=base_modinput.py:log_debug:288 | Token elapsed time(in seconds): 42
2022-02-16 06:53:51,353 INFO pid=23770 tid=MainThread file=setup_util.py:log_info:117 | Proxy is not enabled!
2022-02-16 06:53:51,353 DEBUG pid=23770 tid=MainThread file=base_modinput.py:log_debug:288 | Proxies set is : {}
2022-02-16 06:53:51,353 DEBUG pid=23770 tid=MainThread file=base_modinput.py:log_debug:288 | Global SSL Verify settings is: False
2022-02-16 06:53:51,354 DEBUG pid=23770 tid=MainThread file=connectionpool.py:_new_conn:959 | Starting new HTTPS connection (1): api.securitycenter.microsoft.com:443
2022-02-16 06:53:52,122 DEBUG pid=23770 tid=MainThread file=connectionpool.py:_make_request:437 | https://api.securitycenter.microsoft.com:443 "GET //api/alerts?sinceTimeUtc=2022-02-09%2006:53:51.350605 HTTP/1.1" 200 2167
2022-02-16 06:53:52,124 INFO pid=23770 tid=MainThread file=base_modinput.py:log_info:295 | Number of alerts returned: 2


VatsalJagani
SplunkTrust

I see in the logs that there were 2 alerts returned by the API.

So just make sure you have the right index created. And run the search (index=<defender-atp-index>) in "All Time".
