Security

Sending On-Prem Windows Defender AV DATA to On Splunk

tarungupta0311
Explorer

How to send On-Prem Windows Defender AV DATA to On Splunk

Labels (1)
0 Karma
1 Solution

tarungupta0311
Explorer

Solution - If you want to Send On-Prem Windows Defender AV DATA to On Splunk, we need to send it to  Splunk Enterprise via DB Connect.
Also below solution will work when we are doing Windows Authentication against the database, please follow the below steps, on Ubuntu to set up the connection

  • Follow the steps @ https://docs.splunk.com/Documentation/DBX/3.5.1/ReleaseNotes/Releasenotes
  • install DB Connect DBX 3.4.2 software via Splunkbase, or browse more apps and download from there.
  • Now it comes to installing Java on Splunk DB-Connect,
    1. 1st check if java is already installed on the server, for that type java – version, if java is not installed follow
    2. Run 
      sudo apt update 
      sudo apt install default-jre
      sudo apt install openjdk-11-jre-headless
    3. Validate Java is installed and running in server mode with java -version It should look something like this:

$ java -version openjdk version "11.0.7" 2020-04-14 OpenJDK Runtime Environment (build 11.0.7+10-post-Ubuntu-3ubuntu1) OpenJDK 64-Bit Server VM (build 11.0.7+10-post-Ubuntu-3ubuntu1, mixed mode, sharing)

    1. Set the JAVA_HOME Environment Variable
      • OpenJDK 11 is located at /usr/lib/jvm/java-11-openjdk-amd64
      • Set the variable globally by adding JAVA_HOME="/usr/lib/jvm/java-11-openjdk-amd64" to /etc/environment.
    2. Save and exit VIM
    3. Type reboot to reboot the Ubuntu machine.
    4. Now Access to Db Connect – Configuration – settings – General – in JRE Installation Path, enter
      /usr/lib/jvm/java-11-openjdk-amd64
    5. Hit Save and let DB Connect Ap detect the JAVA.
  • Now it comes for Java Drivers
    1. Since you have installed java version 11, we need to install Java Drivers 11
    2. Install 8.2.1 already tested JDBC Ms Generic Driver from https://docs.microsoft.com/en-us/sql/connect/jdbc/release-notes-for-the-jdbc-driver?view=sql-server-...
    3. Install JTDC JDBC drivers from https://sourceforge.net/projects/jtds/files/ (link is mentioned in Splunk Documentation)
    4. Both are required as for Windows Authentication we will be doing a mix of them
    5. Now Access to Db Connect – Configuration – settings – Drivers – Click Reload and you should see 8.2 Generic and 1.3 JTDS drivers
    6. Reboot the Splunk Ubuntu Server.
  • Now it comes to Setting up the Identity in DB Connection – Configuration – Database – Identities
    1. Identity Name – Any user-friendly name
    2. Username – Account which will have access to the Database
    3. Password – Password of that account
    4. Check Use Windows Authentication Domain
    5. Enter the Domain
    6. Hit Save
  • Now it comes to Setting up the Connection in DB Connection – Configuration – Database – Connections
    1. This is the most tricky part
    2. Connection Name – Any user-friendly name
    3. Identity – Select the account, which will do authentication against a database
    4. Connection Type – MS-SQL Server Using JTDS Driver with Windows Authentication
    5. Timezone – appropriate Timezone
    6. JDBC URL Setting
      • Enter the manauyl JDBC URL - jdbc:jtds:sqlserver://serverIP:1433/databasename;useCursors=true;domain=domainname;useNTLMv2=true
    7. Advance Read only - checked
  • Now Make a database connection and send it to the Index created on Splunk Cloud.

View solution in original post

0 Karma

tarungupta0311
Explorer

Solution - If you want to Send On-Prem Windows Defender AV DATA to On Splunk, we need to send it to  Splunk Enterprise via DB Connect.
Also below solution will work when we are doing Windows Authentication against the database, please follow the below steps, on Ubuntu to set up the connection

  • Follow the steps @ https://docs.splunk.com/Documentation/DBX/3.5.1/ReleaseNotes/Releasenotes
  • install DB Connect DBX 3.4.2 software via Splunkbase, or browse more apps and download from there.
  • Now it comes to installing Java on Splunk DB-Connect,
    1. 1st check if java is already installed on the server, for that type java – version, if java is not installed follow
    2. Run 
      sudo apt update 
      sudo apt install default-jre
      sudo apt install openjdk-11-jre-headless
    3. Validate Java is installed and running in server mode with java -version It should look something like this:

$ java -version openjdk version "11.0.7" 2020-04-14 OpenJDK Runtime Environment (build 11.0.7+10-post-Ubuntu-3ubuntu1) OpenJDK 64-Bit Server VM (build 11.0.7+10-post-Ubuntu-3ubuntu1, mixed mode, sharing)

    1. Set the JAVA_HOME Environment Variable
      • OpenJDK 11 is located at /usr/lib/jvm/java-11-openjdk-amd64
      • Set the variable globally by adding JAVA_HOME="/usr/lib/jvm/java-11-openjdk-amd64" to /etc/environment.
    2. Save and exit VIM
    3. Type reboot to reboot the Ubuntu machine.
    4. Now Access to Db Connect – Configuration – settings – General – in JRE Installation Path, enter
      /usr/lib/jvm/java-11-openjdk-amd64
    5. Hit Save and let DB Connect Ap detect the JAVA.
  • Now it comes for Java Drivers
    1. Since you have installed java version 11, we need to install Java Drivers 11
    2. Install 8.2.1 already tested JDBC Ms Generic Driver from https://docs.microsoft.com/en-us/sql/connect/jdbc/release-notes-for-the-jdbc-driver?view=sql-server-...
    3. Install JTDC JDBC drivers from https://sourceforge.net/projects/jtds/files/ (link is mentioned in Splunk Documentation)
    4. Both are required as for Windows Authentication we will be doing a mix of them
    5. Now Access to Db Connect – Configuration – settings – Drivers – Click Reload and you should see 8.2 Generic and 1.3 JTDS drivers
    6. Reboot the Splunk Ubuntu Server.
  • Now it comes to Setting up the Identity in DB Connection – Configuration – Database – Identities
    1. Identity Name – Any user-friendly name
    2. Username – Account which will have access to the Database
    3. Password – Password of that account
    4. Check Use Windows Authentication Domain
    5. Enter the Domain
    6. Hit Save
  • Now it comes to Setting up the Connection in DB Connection – Configuration – Database – Connections
    1. This is the most tricky part
    2. Connection Name – Any user-friendly name
    3. Identity – Select the account, which will do authentication against a database
    4. Connection Type – MS-SQL Server Using JTDS Driver with Windows Authentication
    5. Timezone – appropriate Timezone
    6. JDBC URL Setting
      • Enter the manauyl JDBC URL - jdbc:jtds:sqlserver://serverIP:1433/databasename;useCursors=true;domain=domainname;useNTLMv2=true
    7. Advance Read only - checked
  • Now Make a database connection and send it to the Index created on Splunk Cloud.
0 Karma

venkatasri
SplunkTrust
SplunkTrust

Hi @tarungupta0311 

Have you tried this add-on Add-on for Microsoft Defender ATP Known As Windows Defender ATP | Splunkbase developer supported not official with Splunk.

---

An upvote would be appreciated if this reply helps!

0 Karma

tarungupta0311
Explorer

This is for ATP not for the old legacy windows defender AV

0 Karma

venkatasri
SplunkTrust
SplunkTrust
Tags (1)
0 Karma

tarungupta0311
Explorer

This is not useful when Windows Defender data is going to a Database.

0 Karma
Get Updates on the Splunk Community!

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...