Thanks for the input! I've tried catting my intermediate/root PEM to cacert.pem & restarted Splunk on my Windows HF and the log is:
2020-03-03 14:19:50,694 INFO pid=1140 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-03-03 14:20:06,312 INFO pid=1140 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-03-03 14:20:16,960 INFO pid=1140 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-03-03 14:20:27,624 INFO pid=1140 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-03-03 14:20:36,272 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Log Level is set to :DEBUG
2020-03-03 14:20:36,273 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Checkpoint key:UAB_obj_checkpoint
2020-03-03 14:20:36,273 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Login URL:https://login.microsoftonline.com
2020-03-03 14:20:36,273 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Endpoint : https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts
2020-03-03 14:20:36,273 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Tenant ID:d8999fe4-76af-40b3-b435-1d8977abc08c
2020-03-03 14:20:36,273 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Resource:https://graph.windows.net
2020-03-03 14:20:36,273 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Client ID:463e0c66-ee95-4031-b430-00ee5a6575b2
2020-03-03 14:20:36,273 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Start Date Input:None
2020-03-03 14:20:36,273 INFO pid=1140 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
2020-03-03 14:20:36,273 DEBUG pid=1140 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA_windows-defender/storage/collections/config/TA_windows_defender_checkpointer (body: {})
2020-03-03 14:20:36,275 INFO pid=1140 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-03-03 14:20:36,279 DEBUG pid=1140 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA_windows-defender/storage/collections/config/TA_windows_defender_checkpointer HTTP/1.1" 200 5497
2020-03-03 14:20:36,280 DEBUG pid=1140 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.006000
2020-03-03 14:20:36,280 DEBUG pid=1140 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA_windows-defender/storage/collections/config/ (body: {'count': -1, 'search': 'TA_windows_defender_checkpointer', 'offset': 0})
2020-03-03 14:20:36,283 DEBUG pid=1140 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA_windows-defender/storage/collections/config/?count=-1&search=TA_windows_defender_checkpointer&offset=0 HTTP/1.1" 200 4685
2020-03-03 14:20:36,283 DEBUG pid=1140 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.003000
2020-03-03 14:20:36,288 DEBUG pid=1140 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA_windows-defender/storage/collections/data/TA_windows_defender_checkpointer/UAB_obj_checkpoint (body: {})
2020-03-03 14:20:36,312 DEBUG pid=1140 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA_windows-defender/storage/collections/data/TA_windows_defender_checkpointer/UAB_obj_checkpoint HTTP/1.1" 404 140
2020-03-03 14:20:36,313 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Max date before getting message: 2020-02-25 14:20:36.314000
2020-03-03 14:20:36,313 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | UTC Time Now:2020-03-03 20:20:36.314000
2020-03-03 14:20:36,315 DEBUG pid=1140 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA_windows-defender/storage/collections/data/TA_windows_defender_checkpointer/accesstoken (body: {})
2020-03-03 14:20:36,316 DEBUG pid=1140 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA_windows-defender/storage/collections/data/TA_windows_defender_checkpointer/accesstoken HTTP/1.1" 404 140
2020-03-03 14:20:36,318 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | get access token called
2020-03-03 14:20:36,318 INFO pid=1140 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
2020-03-03 14:20:36,318 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Proxies set is : {}
2020-03-03 14:20:36,318 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Global SSL Verify settings is: True
2020-03-03 14:20:36,342 DEBUG pid=1140 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): login.microsoftonline.com
2020-03-03 14:20:36,671 DEBUG pid=1140 tid=MainThread file=connectionpool.py:_make_request:400 | https://login.microsoftonline.com:443 "POST /d8999fe4-76af-40b3-b435-1d8977abc08c/oauth2/token HTTP/1.1" 401 471
2020-03-03 14:20:36,676 ERROR pid=1140 tid=MainThread file=base_modinput.py:log_error:307 | 'access_token'
2020-03-03 14:20:36,677 ERROR pid=1140 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
  File "C:\Program Files\Splunk\etc\apps\TA_windows-defender\bin\ta_windows_defender\modinput_wrapper\base_modinput.py", line 127, in stream_events
    self.collect_events(ew)
  File "C:\Program Files\Splunk\etc\apps\TA_windows-defender\bin\windows_defender_atp_alerts.py", line 88, in collect_events
    input_module.collect_events(self, ew)
  File "C:\Program Files\Splunk\etc\apps\TA_windows-defender\bin\input_module_windows_defender_atp_alerts.py", line 151, in collect_events
    "Authorization": 'Bearer ' + access_token,
TypeError: cannot concatenate 'str' and 'NoneType' objects
Pretty frustrating. FYI had a Splunk PS guy onsite for a couple weeks and he was clueless.
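An added example, not part of the original post and not the add-on's own code: a small triage script for the log format shown above that finds the first ERROR line and the last HTTP response with status 400 or higher logged before it. The function name `triage` and the result keys are assumptions of this example; the sample lines are taken from the log above with the tenant ID replaced by a placeholder.

```python
import re

# Line layout of the add-on log above: "<ts> <LEVEL> pid=.. tid=.. file=f:func:line | msg"
LINE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>[A-Z]+) '
    r'pid=\d+ tid=\S+ file=[^:\s]+:[^:\s]+:\d+ \| (?P<msg>.*)$')
# connectionpool response lines; the origin prefix is absent on the local splunkd calls
HTTP = re.compile(
    r'^(?:(?P<origin>https?://\S+) )?"(?P<method>[A-Z]+) (?P<path>\S+) '
    r'HTTP/[\d.]+" (?P<status>\d{3}) \S+$')

# Constructed sample: lines from the log above, tenant ID replaced by a placeholder
SAMPLE = '''\
2020-03-03 14:20:36,312 DEBUG pid=1140 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA_windows-defender/storage/collections/data/TA_windows_defender_checkpointer/UAB_obj_checkpoint HTTP/1.1" 404 140
2020-03-03 14:20:36,318 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Global SSL Verify settings is: True
2020-03-03 14:20:36,342 DEBUG pid=1140 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): login.microsoftonline.com
2020-03-03 14:20:36,671 DEBUG pid=1140 tid=MainThread file=connectionpool.py:_make_request:400 | https://login.microsoftonline.com:443 "POST /<tenant-id>/oauth2/token HTTP/1.1" 401 471
2020-03-03 14:20:36,676 ERROR pid=1140 tid=MainThread file=base_modinput.py:log_error:307 | 'access_token'
2020-03-03 14:20:36,677 ERROR pid=1140 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
'''

def triage(text):
    """Return the first ERROR and the HTTP responses >= 400 logged before it."""
    failed, first_error = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m is None:
            continue  # traceback continuation or unrelated line
        h = HTTP.match(m['msg'])
        if h and int(h['status']) >= 400:
            # A logged status means the connection was made and the server answered
            failed.append({'ts': m['ts'], 'origin': h['origin'], 'method': h['method'],
                           'path': h['path'], 'status': int(h['status'])})
        elif m['level'] == 'ERROR':
            first_error = {'ts': m['ts'], 'msg': m['msg']}
            break  # later errors are downstream of this one
    return {'first_error': first_error, 'failed_before_error': failed,
            'likely_cause': failed[-1] if failed else None}

if __name__ == '__main__':
    result = triage(SAMPLE)
    print('first ERROR :', result['first_error'])
    print('likely cause:', result['likely_cause'])
```

On the sample, the response closest to the first ERROR is the 401 from the token endpoint, which is logged before the `'access_token'` error and the `TypeError` in the traceback.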