Windows Defender ATP

balcv
Contributor

I have followed the various sets of instructions for sending Microsoft Defender ATP logs to Splunk, however I am getting the following errors:

2019-09-30 15:56:57,263 INFO pid=29578 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-09-30 15:57:00,043 INFO pid=29738 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-09-30 15:57:01,003 INFO pid=29738 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-09-30 15:57:02,530 INFO pid=29738 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-09-30 15:57:04,012 INFO pid=29738 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-09-30 15:57:05,480 INFO pid=29738 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
2019-09-30 15:57:05,482 INFO pid=29738 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-09-30 15:57:05,497 INFO pid=29738 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
2019-09-30 15:57:05,884 ERROR pid=29738 tid=MainThread file=base_modinput.py:log_error:307 | No JSON object could be decoded
2019-09-30 15:57:05,885 ERROR pid=29738 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA_windows-defender/bin/ta_windows_defender/modinput_wrapper/base_modinput.py", line 127, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA_windows-defender/bin/windows_defender_atp_alerts.py", line 88, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA_windows-defender/bin/input_module_windows_defender_atp_alerts.py", line 151, in collect_events
    "Authorization": 'Bearer ' + access_token,
TypeError: cannot concatenate 'str' and 'NoneType' objects

I've googled, I've read, I've configured, re-configured and configured some more, all to no avail. Are there any catches or tricks to get this to work?

Thanks
Leigh
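The traceback above is the token step failing silently: the token endpoint's reply could not be decoded as JSON, so access_token stayed None and the TA only fell over when it built the Bearer header. As an added example (not code from the TA or from the poster), the function below checks that reply explicitly and turns each failure mode into a descriptive error, which is what you want in the log when client id, secret, tenant, token URL or proxy are wrong. Function names and the sample replies are assumptions made for this illustration.

```python
import json


class TokenError(Exception):
    """Raised when the token endpoint did not hand back a usable access token."""


def parse_token_response(status_code, body):
    """Return access_token from an OAuth2 client-credentials reply, or raise TokenError.

    Failure modes each get their own diagnosis: a body that is not JSON (proxy or
    login HTML, empty reply, wrong token URL), an OAuth error object (rejected
    client id/secret, wrong tenant) or a JSON body that lacks access_token.
    """
    try:
        data = json.loads(body)
    except ValueError:
        raise TokenError("HTTP %s: token endpoint returned non-JSON body (starts with %r); "
                         "check the token URL and any proxy in the path"
                         % (status_code, body.strip()[:60]))
    if not isinstance(data, dict):
        raise TokenError("HTTP %s: unexpected JSON payload type %s" % (status_code, type(data).__name__))
    if "error" in data:
        raise TokenError("HTTP %s: OAuth error %s: %s"
                         % (status_code, data["error"], data.get("error_description", "")))
    token = data.get("access_token")
    if not token:
        raise TokenError("HTTP %s: reply has no access_token (keys: %s)" % (status_code, sorted(data)))
    return token


def build_auth_header(access_token):
    """Build the Authorization header; refuse an empty token instead of concatenating None."""
    if not access_token:
        raise TokenError("access_token is empty; refusing to build Authorization header")
    return {"Authorization": "Bearer " + access_token}


def token_or_diagnosis(status_code, body):
    """Wrapper for callers that log rather than raise: (token, None) or (None, message)."""
    try:
        return parse_token_response(status_code, body), None
    except TokenError as exc:
        return None, str(exc)


# Constructed sample replies for demonstration; not real tokens or tenant data.
GOOD_BODY = '{"token_type": "Bearer", "expires_in": 3599, "access_token": "eyJ.constructed.token"}'
OAUTH_ERROR_BODY = '{"error": "invalid_client", "error_description": "constructed: client secret rejected"}'
HTML_BODY = "<html><body>Proxy authentication required</body></html>"
```

Logging the diagnosis from token_or_diagnosis at the point where the TA requests its token tells you immediately whether the problem is the credentials, the tenant/endpoint, or something in the network path answering instead of Azure AD.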

rahulhoney
New Member

I am facing the same problem. Did you find a solution?


balcv
Contributor

@rahulhoney, I did get the issue resolved however it was through installing and configuring the Microsoft Office 365 App for Splunk and then spending some time on a conference call with our Splunk engineer to get it all up and running.

Once we had the data from O365, the ATP logs were coming in as part of that.

Not sure if that helps you, but that's what I've ended up doing.


pmein
Explorer

I have also been working to get this up and running. I'd like more detail on where you have landed on this. I can attempt to get the Microsoft Office 365 App working, but would really like to understand what I am missing in my configuration of the Defender TA and what Splunk support ended up doing.

Thanks for any additional clarity here.
