Hi,
Trying to configure the Add-On for Microsoft Defender https://splunkbase.splunk.com/app/4959/
Can anyone confirm what settings are needed for:
Login URL
Endpoint
Resource?
Whichever I use, I'm getting 401 errors. Have followed https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api-hello-world?view=o365-... and confirmed the permissions on the App registration are 100% correct.
Cheers
The error code 401 clearly describes the issue with permission. Please recheck the permission.
| Input | API | Permission | Sourcetype | Reference |
|---|---|---|---|---|
| Microsoft 365 Defender Incidents (input) | Microsoft Threat Protection | (Application) Incident.Read.All | m365:defender:incident | https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-hello-world?view=o365-worldwide |
| Defender Advanced Hunting (action) | Microsoft Threat Protection | (Application) AdvancedHunting.Read.All | m365:defender:incident:advanced_hunting | https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-advanced-hunting?view=o365-worl... |
| Defender Update Incident (action) | Microsoft Threat Protection | (Application) Incident.ReadWrite.All | N/A | https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-update-incidents?view=o365-worl... |
| Microsoft Defender for Endpoint Alerts (input) | WindowsDefenderATP | (Application) Alert.Read.All | ms:defender:atp:alerts | https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api-hello-world?view=o365-... |
Please make sure you are using the same app credentials that have the permission, as I've made similar mistakes myself. 😊
------
Please accept the solution if this helps.
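The quickest way to tell which side of a 401 is at fault is to inspect the token the app registration actually receives before the add-on sends it to the API. The following is an added example (not code from the Splunk add-on or from Microsoft's docs) that performs the client-credentials request described in the linked Defender for Endpoint "hello world" guide, then checks the two claims that most often cause a 401: `aud` (was the token requested for the Defender for Endpoint resource, or for a different one?) and `roles` (does the token carry the `Alert.Read.All` application permission, i.e. was it granted and admin-consented?). The login URL and resource values are the ones from that guide; the tenant, client ID and secret placeholders, and the `make_unsigned_jwt` helper used to exercise the check offline, are assumptions for illustration.

```python
"""Diagnose 401s from the Defender for Endpoint API by inspecting the token.
Added example; not part of the Splunk add-on or Microsoft's documentation.
Tenant/app/secret placeholders are assumptions to be replaced by the reader."""
import base64
import json
import urllib.parse
import urllib.request

# Values from Microsoft's MDE "hello world" guide: the v1 token endpoint,
# which takes a 'resource' parameter rather than an OAuth2 'scope'.
LOGIN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
RESOURCE = "https://api.securitycenter.microsoft.com"
ALERTS_ENDPOINT = RESOURCE + "/api/alerts"
REQUIRED_ROLE = "Alert.Read.All"  # application permission the alerts input needs


def token_request(tenant_id, client_id, client_secret):
    """Return (url, urlencoded body) for the client-credentials token request."""
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": RESOURCE,
    }
    return LOGIN_URL.format(tenant=tenant_id), urllib.parse.urlencode(body).encode()


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a token-shaped string (header.payload.<empty signature>) from claims.
    Only for exercising the claim checks offline; a real token is signed by AAD."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header + "." + _b64url(json.dumps(claims).encode()) + "."


def jwt_payload(token: str) -> dict:
    """Decode the (unverified) payload of a JWT so its claims can be inspected.
    We requested this token ourselves and only want to see what it carries;
    the API, not this script, enforces the signature."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def explain_401(token: str) -> list:
    """Return the reasons the alerts API would reject this token with 401.
    An empty list means audience and roles look right for /api/alerts."""
    claims = jwt_payload(token)
    problems = []
    aud = claims.get("aud")
    if aud not in (RESOURCE, RESOURCE + "/"):
        problems.append(
            f"wrong audience {aud!r}: token was requested for a resource other than {RESOURCE}")
    roles = claims.get("roles", [])
    if REQUIRED_ROLE not in roles:
        problems.append(
            f"token roles {roles} lack {REQUIRED_ROLE}: add the application permission "
            f"on the app registration and grant admin consent")
    return problems


def fetch_alerts(token: str, since_time_utc: str) -> list:
    """GET /api/alerts?sinceTimeUtc=... with the bearer token; raises on non-2xx."""
    url = ALERTS_ENDPOINT + "?" + urllib.parse.urlencode({"sinceTimeUtc": since_time_utc})
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


if __name__ == "__main__":
    # Placeholders: replace with the app registration used in the add-on.
    url, body = token_request("<tenant-id>", "<client-id>", "<client-secret>")
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    for problem in explain_401(token):
        print("would 401:", problem)
    print(len(fetch_alerts(token, "2022-02-09T06:53:51Z")), "alerts returned")
```

If `explain_401` reports a wrong audience, the token was minted for another resource (for example the Microsoft 365 Defender API rather than Defender for Endpoint), so the Resource setting is the thing to fix; if it reports missing roles, the permission exists on paper but is not in the token, which almost always means admin consent was never granted or the wrong app's client ID and secret are in use.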
Hey,
Thanks for your response!
Permissions are fine; running through the test script in the knowledge base https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api-hello-world?view=o365-... also works, and I can pull results.
Further update: logins are now succeeding, with the output below, but nothing is getting into Splunk.
2022-02-16 06:53:51,353 DEBUG pid=23770 tid=MainThread file=base_modinput.py:log_debug:288 | get access token called
2022-02-16 06:53:51,353 DEBUG pid=23770 tid=MainThread file=base_modinput.py:log_debug:288 | Token genrated last time:2022-02-16 06:53:08.758148
2022-02-16 06:53:51,353 DEBUG pid=23770 tid=MainThread file=base_modinput.py:log_debug:288 | Token elapsed time(in seconds): 42
2022-02-16 06:53:51,353 INFO pid=23770 tid=MainThread file=setup_util.py:log_info:117 | Proxy is not enabled!
2022-02-16 06:53:51,353 DEBUG pid=23770 tid=MainThread file=base_modinput.py:log_debug:288 | Proxies set is : {}
2022-02-16 06:53:51,353 DEBUG pid=23770 tid=MainThread file=base_modinput.py:log_debug:288 | Global SSL Verify settings is: False
2022-02-16 06:53:51,354 DEBUG pid=23770 tid=MainThread file=connectionpool.py:_new_conn:959 | Starting new HTTPS connection (1): api.securitycenter.microsoft.com:443
2022-02-16 06:53:52,122 DEBUG pid=23770 tid=MainThread file=connectionpool.py:_make_request:437 | https://api.securitycenter.microsoft.com:443 "GET //api/alerts?sinceTimeUtc=2022-02-09%2006:53:51.350605 HTTP/1.1" 200 2167
2022-02-16 06:53:52,124 INFO pid=23770 tid=MainThread file=base_modinput.py:log_info:295 | Number of alerts returned: 2
I see in the logs that there were 2 alerts returned by the API.
So just make sure you have the right index created, and run the search (index=<defender-atp-index>) over "All Time".