Re: Windows Defender ATP

balcv · ‎09-29-2019

I have followed the various sets of instructions for sending Microsoft Defender ATP logs to Splunk, however I am getting the following errors:

2019-09-30 15:56:57,263 INFO pid=29578
tid=MainThread
file=connectionpool.py:_new_conn:758 |
Starting new HTTPS connection (1):
127.0.0.1 2019-09-30 15:57:00,043 INFO pid=29738 tid=MainThread
file=connectionpool.py:_new_conn:758 |
Starting new HTTPS connection (1):
127.0.0.1 2019-09-30 15:57:01,003 INFO pid=29738 tid=MainThread
file=connectionpool.py:_new_conn:758 |
Starting new HTTPS connection (1):
127.0.0.1 2019-09-30 15:57:02,530 INFO pid=29738 tid=MainThread
file=connectionpool.py:_new_conn:758 |
Starting new HTTPS connection (1):
127.0.0.1 2019-09-30 15:57:04,012 INFO pid=29738 tid=MainThread
file=connectionpool.py:_new_conn:758 |
Starting new HTTPS connection (1):
127.0.0.1 2019-09-30 15:57:05,480 INFO pid=29738 tid=MainThread
file=splunk_rest_client.py:_request_handler:100
| Use HTTP connection pooling
2019-09-30 15:57:05,482 INFO pid=29738
tid=MainThread
file=connectionpool.py:_new_conn:758 |
Starting new HTTPS connection (1):
127.0.0.1 2019-09-30 15:57:05,497 INFO pid=29738 tid=MainThread
file=setup_util.py:log_info:114 |
Proxy is not enabled! 2019-09-30
15:57:05,884 ERROR pid=29738
tid=MainThread
file=base_modinput.py:log_error:307 |
No JSON object could be decoded
2019-09-30 15:57:05,885 ERROR
pid=29738 tid=MainThread
file=base_modinput.py:log_error:307 |
Get error when collecting events.
Traceback (most recent call last):

File
"/opt/splunk/etc/apps/TA_windows-defender/bin/ta_windows_defender/modinput_wrapper/base_modinput.py",
line 127, in stream_events
self.collect_events(ew) File "/opt/splunk/etc/apps/TA_windows-defender/bin/windows_defender_atp_alerts.py",
line 88, in collect_events
input_module.collect_events(self, ew) File
"/opt/splunk/etc/apps/TA_windows-defender/bin/input_module_windows_defender_atp_alerts.py",
line 151, in collect_events
"Authorization": 'Bearer ' + access_token, TypeError: cannot
concatenate 'str' and 'NoneType'
objects

I've googled, I've read, I've configured, re-configured and configured some more all to no avail. Is there any catches or tricks to get this to work.

Thanks
Leigh

rahulhoney · ‎12-11-2019

I am facing same problem. Did you find a solution?

balcv · ‎12-15-2019

@rahulhoney, I did get the issue resolved however it was through installing and configuring the Microsoft Office 365 App for Splunk and then spending some time on a conference call with our Splunk engineer to get it all up and running.

Once we had the data from O365, the ATP logs were coming in as part of that.

Not sure if that helps you, but that's what I've ended up doing.

pmein · ‎01-03-2020

I have also been working to get this up and running. I'd like more detail where you have landed on this. I can attempt to get Microsoft Office 365 App working but would really like to understand what I am missing in my configuration of the Defender TA and what Splunk support ended up doing.

thanks for any additional clarity here.

Windows Defender ATP

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation