Splunk Cloud Platform

Defender ATP App issue

PratikPashte
Explorer

I am using the below app to pull the alerts from ATP to Splunk. It actually gives the functionality to pull the data directly from ATP: alerts with evidence or with the associated user, or any of the data that is supported by an Advanced Hunting query.

https://splunkbase.splunk.com/app/4623/#/details

But this is not consistent; it actually stops in between, and then I need to disable and re-enable the inputs to get this working again.

Setup is pretty simple: set the ID and then set the Advanced Hunting query from ATP.

This app is really nice and can fulfil a lot of use cases for pulling data from ATP other than only alerts, so I really want to get this working consistently, as I do not want to skip the alerts from ATP to Splunk, on which our entire Ops team relies to take further action.

I have also raised a case with Splunk support, but this add-on is not supported by them, so I am raising the concern over here in case anyone has the same issue and has solved it.

@jorritf, if possible can you please help here, as I can see you have developed the application. Thank you in advance.

0 Karma
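A stall detector for the situation described above, added here as an example and not part of the original post or of the add-on: it builds the list of Defender sourcetypes that are expected to be flowing, joins it against the newest indexed event per sourcetype from the last 24 hours, and reports any input whose latest event is older than an hour (an input that has gone completely silent still shows up because the expected list is seeded with makeresults). The index name defender_atp, the two sourcetype names and the 60-minute threshold are assumptions and need to be replaced with the values from your own inputs.

```spl
| makeresults
| eval sourcetype=split("ms:defender:atp:alerts,ms:defender:atp:hunting", ",")
| mvexpand sourcetype
| fields sourcetype
| append
    [| tstats count AS events_24h max(_time) AS last_event
        WHERE index=defender_atp earliest=-24h BY sourcetype]
| stats sum(events_24h) AS events_24h max(last_event) AS last_event BY sourcetype
| fillnull value=0 events_24h
| eval minutes_since_last=if(isnull(last_event), 1440, round((now()-last_event)/60, 0))
| where minutes_since_last > 60
| convert ctime(last_event)
| table sourcetype last_event minutes_since_last events_24h
```

Saved as a scheduled alert, this tells the Ops team that the feed has stalled before an ATP alert is silently missed, rather than discovering the gap after the fact.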

PratikPashte
Explorer

I have Splunk Cloud Version 8.1.2011.1, which was recently upgraded, but it was not working on 7.2.9 either, meaning, as stated above, the application was stuck until I disabled and re-enabled it.

I too did not find any error logs under the folder; I have used the below query to check. Also, with this Splunk 8.1 setup it does work for me, at least for pulling logs into Splunk, but the main issue remains the same: it gets stuck in between.


Query:

index=_internal (source=/opt/splunk/var/log/splunk/ta_defender_atp_hunting_defender_hunting_query.log* OR source=/opt/splunk/var/log/splunk/ta_ms_defender_microsoft_defender_atp_alerts.log*)
| rex "^.*\,\d{3}\s(?<log_level>\w+)"
| cluster showcount=true labelonly=t
| stats earliest(_time) AS EARLIEST latest(_time) AS LATEST max(cluster_count) AS COUNT values(log_level) AS LEVEL first(_raw) AS MESSAGE BY cluster_label
| convert ctime(EARLIEST) ctime(LATEST)
| table COUNT EARLIEST LATEST LEVEL MESSAGE
| sort - COUNT


0 Karma

jorritf
Path Finder

Ok thanks, I haven't tested it on Splunk 8.1, and given the other commenter's experience I expect you to experience the same issue, probably in splunkd.log instead of the TA logging, because it doesn't even get that far.

If you provide me privately with a client ID and client secret to test with I can look into it, but don't expect a quick turnaround, as I have other stuff to do as well.

0 Karma

jorritf
Path Finder

I haven't seen this behaviour before. But I must admit that I cancelled the expensive Windows E5 subscription I used for developing. At least I can say that 6 months ago "it worked for me".

Can you share some more details about your setup? Splunk version? Any clue-giving errors in var/log/splunk/ta_defender...log?

0 Karma

dralbaugh
Engager

Greetings, and thank you for raising the questions, and to @jorritf for a quick response. I'm unfortunately encountering similar issues when attempting to collect Defender ATP telemetry. I had upgraded to Splunk 8.1.1 and think there may be some issues going on with Python versions after the upgrade. There was another Splunk Answers post about adding a stanza to set the Python version, but this didn't help. On the heavy forwarder, when attempting to view the configuration tabs in the app, I get the "spinning wheel of doom" and no log file from the app is generated at the path below. I hope I'm not butting into the original post, but I feel the issues could be related and would like to help if possible.

I was able to catch this error from /opt/splunk/var/log/splunk/splunkd.log when accessing the app, in case it helps:

ERROR ScriptRunner - stderr from '/opt/splunk/bin/python3.7 /opt/splunk/bin/runScript.py setup': File "/opt/splunk/etc/apps/TA-defender-atp-hunting/bin/ta_defender_atp_hunting/splunktaucclib/rest_handler/endpoint/validator.py", line 388

0 Karma

jorritf
Path Finder

This seems like a separate issue. I haven't tested it on Splunk 8.1. Given the fact that it defaults to python.version=3, and the fact that some of the libraries in the add-on are py2 only, I doubt it will work without additional development work.

Given that this is an easily reproducible issue, I'm willing to make it work for Splunk 8.1 installs, but only if you can provide me privately with a client ID and client secret so I can test.

0 Karma