Windows Defender ATP

balcv
Contributor

I have followed the various sets of instructions for sending Microsoft Defender ATP logs to Splunk, however I am getting the following errors:

2019-09-30 15:56:57,263 INFO pid=29578 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-09-30 15:57:00,043 INFO pid=29738 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-09-30 15:57:01,003 INFO pid=29738 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-09-30 15:57:02,530 INFO pid=29738 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-09-30 15:57:04,012 INFO pid=29738 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-09-30 15:57:05,480 INFO pid=29738 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
2019-09-30 15:57:05,482 INFO pid=29738 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-09-30 15:57:05,497 INFO pid=29738 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
2019-09-30 15:57:05,884 ERROR pid=29738 tid=MainThread file=base_modinput.py:log_error:307 | No JSON object could be decoded
2019-09-30 15:57:05,885 ERROR pid=29738 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA_windows-defender/bin/ta_windows_defender/modinput_wrapper/base_modinput.py", line 127, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA_windows-defender/bin/windows_defender_atp_alerts.py", line 88, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA_windows-defender/bin/input_module_windows_defender_atp_alerts.py", line 151, in collect_events
    "Authorization": 'Bearer ' + access_token,
TypeError: cannot concatenate 'str' and 'NoneType' objects

I've googled, I've read, I've configured, re-configured and configured some more, all to no avail. Are there any catches or tricks to get this to work?

Thanks
Leigh
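The traceback above ends where the TA concatenates 'Bearer ' + access_token while access_token is still None, and the earlier "No JSON object could be decoded" error is the cause: the token request returned a body that was not JSON, so no token was ever extracted. The following Python is an added illustration, not the TA's own code, contrasting that failing path with a version that validates the token response and reports what actually came back; the sample response bodies are constructed.

```python
import json

# Constructed sample bodies standing in for what an OAuth2 token endpoint might return.
GOOD_RESPONSE = '{"token_type": "Bearer", "expires_in": 3599, "access_token": "eyJ0eXAi.example.token"}'
HTML_RESPONSE = "<html><body>Proxy Authentication Required</body></html>"  # not JSON at all
ERROR_RESPONSE = '{"error": "invalid_client", "error_description": "client secret rejected"}'


class TokenError(Exception):
    """Raised when the token endpoint did not hand back a usable access token."""


def naive_auth_header(body):
    """Mirrors the failing path in the traceback: the decode error is logged and
    swallowed, then 'Bearer ' is concatenated with None, which raises TypeError."""
    try:
        access_token = json.loads(body).get("access_token")
    except ValueError:  # Python 2 text: "No JSON object could be decoded"; Python 3: JSONDecodeError
        access_token = None
    return {"Authorization": "Bearer " + access_token}


def parse_access_token(body):
    """Return the access token from a token-endpoint body, or raise TokenError
    with a message that names the real problem instead of a later TypeError."""
    try:
        payload = json.loads(body)
    except ValueError:
        raise TokenError("token endpoint did not return JSON: %r" % body[:80])
    if not isinstance(payload, dict):
        raise TokenError("unexpected token response shape: %r" % type(payload).__name__)
    if "error" in payload:  # standard OAuth2 error object (bad client secret, tenant, scope, ...)
        raise TokenError("token endpoint returned %s: %s"
                         % (payload["error"], payload.get("error_description", "")))
    token = payload.get("access_token")
    if not isinstance(token, str) or not token:
        raise TokenError("no access_token in response; fields present: %s" % sorted(payload))
    return token


def auth_header(body):
    """Hardened equivalent of the failing line: build the header only once a token exists."""
    return {"Authorization": "Bearer " + parse_access_token(body)}


def failure_reason(body):
    """The TokenError message for a body, or None if the body yielded a token."""
    try:
        auth_header(body)
        return None
    except TokenError as exc:
        return str(exc)
```

Surfacing the decoded body (or the OAuth2 error object) in the TA log at the point of the token request is what tells you whether the problem is proxy/network, tenant or app-registration settings, or the credential itself.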

rahulhoney
New Member

I am facing same problem. Did you find a solution?


balcv
Contributor

@rahulhoney, I did get the issue resolved however it was through installing and configuring the Microsoft Office 365 App for Splunk and then spending some time on a conference call with our Splunk engineer to get it all up and running.

Once we had the data from O365, the ATP logs were coming in as part of that.

Not sure if that helps you, but that's what I've ended up doing.


pmein
Explorer

I have also been working to get this up and running. I'd like more detail where you have landed on this. I can attempt to get Microsoft Office 365 App working but would really like to understand what I am missing in my configuration of the Defender TA and what Splunk support ended up doing.

Thanks for any additional clarity here.
