Getting Data In

How to configure Defender ATP Add On Settings

baz
Observer

Hi,

Trying to configure the Add-On for Microsoft Defender https://splunkbase.splunk.com/app/4959/

Can anyone confirm what settings are needed for:

Login URL

Endpoint

Resource?

Whichever I use, I'm getting 401 errors. Have followed https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api-hello-world?view=o365-... and confirmed the permissions on the App registration are 100% correct.

Cheers

0 Karma

VatsalJagani
SplunkTrust

The error code 401 clearly describes the issue with permission. Please recheck the permission.

Input | API | Permission | Sourcetype | Reference
Microsoft 365 Defender Incidents (input) | Microsoft Threat Protection | (Application) Incident.Read.All | m365:defender:incident | https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-hello-world?view=o365-worldwide
Defender Advanced Hunting (action) | Microsoft Threat Protection | (Application) AdvancedHunting.Read.All | m365:defender:incident:advanced_hunting | https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-advanced-hunting?view=o365-worl...
Defender Update Incident (action) | Microsoft Threat Protection | (Application) Incident.ReadWrite.All | N/A | https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-update-incidents?view=o365-worl...
Microsoft Defender for Endpoint Alerts (input) | WindowsDefenderATP | (Application) Alert.Read.All | ms:defender:atp:alerts | https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api-hello-world?view=o365-...

Please make sure you are using the same App credentials that have the permission, as I've made similar mistakes. 😊

------

Please accept the solution if this helps.

0 Karma
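An added example, not code from the add-on, from Microsoft, or from anyone in this thread: an offline check of the app-only token behind a 401. The 401 in the question happens when the token the add-on obtains is accepted by Azure AD but rejected by the Defender API, which usually means it was issued for the wrong resource (its `aud` claim is not the API being called) or it lacks the application role from the table above (`roles` claim). The script builds the same v1 client-credentials request the linked hello-world page uses, decodes the token payload without verifying the signature (diagnostic use only), and reports which of those two conditions applies. The Defender for Endpoint resource is the one the poster's log later shows (`https://api.securitycenter.microsoft.com`); the Microsoft 365 Defender resource (`https://api.security.microsoft.com`) is taken from the Microsoft docs linked in the table. Environment variable names, the `REQUIRED_ROLES` map keys and the helper function names are this example's own assumptions; the test token is constructed, not a real credential.

```python
"""
Offline diagnosis of an Azure AD app-only token for the Defender APIs.

The token is decoded WITHOUT signature verification: this is a troubleshooting
aid for a 401, not an authorisation check. Tenant/client values are read from
environment variables whose names are assumptions of this example.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

# Token endpoint and resource identifiers used by the Microsoft "hello world"
# pages linked in the thread (v1 endpoint, client-credentials grant).
LOGIN_BASE = "https://login.microsoftonline.com"
DEFENDER_ENDPOINT_RESOURCE = "https://api.securitycenter.microsoft.com"  # Defender for Endpoint
DEFENDER_M365_RESOURCE = "https://api.security.microsoft.com"            # Microsoft 365 Defender

# Application role each add-on input/action needs, mapped from the table above.
# The dictionary keys are this example's own labels.
REQUIRED_ROLES = {
    "mde_alerts": (DEFENDER_ENDPOINT_RESOURCE, {"Alert.Read.All"}),
    "m365_incidents": (DEFENDER_M365_RESOURCE, {"Incident.Read.All"}),
    "advanced_hunting": (DEFENDER_M365_RESOURCE, {"AdvancedHunting.Read.All"}),
    "update_incident": (DEFENDER_M365_RESOURCE, {"Incident.ReadWrite.All"}),
}


def build_token_request(tenant_id, client_id, client_secret, resource):
    """Return (url, form_body) for the v1 client-credentials token request."""
    url = f"{LOGIN_BASE}/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,  # must be the API you will call, or that API answers 401
    })
    return url, body


def fetch_token(tenant_id, client_id, client_secret, resource):
    """Live call (needs network): request an app-only access token. TLS verification stays on."""
    url, body = build_token_request(tenant_id, client_id, client_secret, resource)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the JWT payload as a dict. No signature check: diagnostic use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_token(token, expected_resource, required_roles):
    """List the reasons the API would reject this token; an empty list means it looks right."""
    claims = decode_claims(token)
    problems = []
    aud = claims.get("aud", "")
    if isinstance(aud, list):  # some tokens carry a list-valued audience
        aud = aud[0] if aud else ""
    if aud.rstrip("/") != expected_resource.rstrip("/"):
        problems.append(
            f"audience is {aud!r}, expected {expected_resource!r}: token was requested for the wrong resource")
    roles = set(claims.get("roles", []))
    missing = set(required_roles) - roles
    if missing:
        problems.append(
            f"missing application roles {sorted(missing)}; present: {sorted(roles)} "
            "(permission not added or admin consent not granted)")
    if "roles" not in claims and "scp" in claims:
        problems.append(
            "token carries delegated scopes (scp) instead of application roles: "
            "wrong grant type, use client credentials")
    return problems


def make_unsigned_test_token(claims):
    """Build a CONSTRUCTED, unsigned JWT so the checks above can be exercised offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Environment variable names are assumptions of this example.
    resource, roles = REQUIRED_ROLES["mde_alerts"]
    token = fetch_token(os.environ["AAD_TENANT_ID"], os.environ["AAD_CLIENT_ID"],
                        os.environ["AAD_CLIENT_SECRET"], resource)
    for problem in diagnose_token(token, resource, roles) or ["token looks usable for /api/alerts"]:
        print(problem)
```

Run it with the same tenant, client ID and secret configured in the add-on; if `diagnose_token` reports nothing and the API still answers 401, the problem is outside the token (for example the call is going to a different API host than the one the token was issued for). The check deliberately keeps TLS certificate verification enabled; the add-on log later in this thread shows `Global SSL Verify settings is: False`, which hides certificate problems and exposes the client secret and bearer token to anything that can interpose on the connection, so turn it back on once the proxy or CA issue that motivated it is fixed.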

baz
Observer

Hey,

Thanks for your response!

Permissions are fine; running through that test script in the knowledge base https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api-hello-world?view=o365-... is also fine and I can pull results.

0 Karma

baz
Observer

Further update: now getting logins successfully, with the below, but nothing into Splunk.

2022-02-16 06:53:51,353 DEBUG pid=23770 tid=MainThread file=base_modinput.py:log_debug:288 | get access token called
2022-02-16 06:53:51,353 DEBUG pid=23770 tid=MainThread file=base_modinput.py:log_debug:288 | Token genrated last time:2022-02-16 06:53:08.758148
2022-02-16 06:53:51,353 DEBUG pid=23770 tid=MainThread file=base_modinput.py:log_debug:288 | Token elapsed time(in seconds): 42
2022-02-16 06:53:51,353 INFO pid=23770 tid=MainThread file=setup_util.py:log_info:117 | Proxy is not enabled!
2022-02-16 06:53:51,353 DEBUG pid=23770 tid=MainThread file=base_modinput.py:log_debug:288 | Proxies set is : {}
2022-02-16 06:53:51,353 DEBUG pid=23770 tid=MainThread file=base_modinput.py:log_debug:288 | Global SSL Verify settings is: False
2022-02-16 06:53:51,354 DEBUG pid=23770 tid=MainThread file=connectionpool.py:_new_conn:959 | Starting new HTTPS connection (1): api.securitycenter.microsoft.com:443
2022-02-16 06:53:52,122 DEBUG pid=23770 tid=MainThread file=connectionpool.py:_make_request:437 | https://api.securitycenter.microsoft.com:443 "GET //api/alerts?sinceTimeUtc=2022-02-09%2006:53:51.350605 HTTP/1.1" 200 2167
2022-02-16 06:53:52,124 INFO pid=23770 tid=MainThread file=base_modinput.py:log_info:295 | Number of alerts returned: 2

0 Karma

VatsalJagani
SplunkTrust

I see in the logs that there were 2 alerts returned by the API.

So just make sure you have the right index created. And run the search (index=<defender-atp-index>) in "All Time".

0 Karma