I just got this working TODAY! What most people do not understand (and indeed, neither did I) is that this TA probably won't work for you right out of the box. It generally requires that a custom event handler be written to process the data payload that is returned by your REST endpoint. That is the case here. The default handler cannot handle this payload. Neither can the default JSON handler because it is expecting pure JSON but that is not what the Windows Defender API returns. Its payload is newline-delineated serial JSON lines. Therefore we need a custom handler that can process that kind of payload. Thankfully you can get excellent community support for this app by joining the BaboonBones slack for free here: https://www.baboonbones.com/. Those are the guys that helped me get this all cleared up.

First, you need to add this to the existing responsehandler.py file:

import json
from datetime import datetime

# print_xml_stream is already defined in the TA's responsehandler.py,
# and json/datetime are normally imported at the top of that file.

class WindowsDefenderATPJSONArrayHandler:

    def __init__(self, **args):
        pass

    def __call__(self, response_object, raw_response_output, response_type, req_args, endpoint, oauth2):
        if response_type == "json":
            try:
                # Body is a single JSON array of alert objects
                output = json.loads(raw_response_output)
            except ValueError:
                # Body is newline-delimited JSON: one alert object per line
                output = [json.loads(line) for line in raw_response_output.splitlines() if line.strip()]
            for alert in output:
                # Emit each alert as its own Splunk event
                print_xml_stream(json.dumps(alert))
            # use/set checkpoint value based on time
            if "params" not in req_args:
                req_args["params"] = {}
            # Increment the checkpoint time for next run to be "now".
            # This will get automagically persisted by the TA.
            # Sent as an ISO 8601 UTC string (the original assigned the datetime
            # object itself; the exact format the API expects is assumed here).
            date_from = datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ")
            req_args["params"]["sinceTimeUtc"] = date_from
        else:
            print_xml_stream(raw_response_output)

Last, your inputs.conf file should look like this:

[rest://Windows Defender ATP]
activation_key = <short distinct redacted>
auth_type = oauth2
client_key_path =
endpoint = https://wdatp-alertexporter-us.windows.com/api/alerts
http_method = GET
index_error_response_codes = 0
oauth2_access_token = <very long distinct redacted>
oauth2_client_id = <short distinct redacted>
oauth2_client_secret = <short distinct redacted>
oauth2_refresh_token = <medium distinct redacted>
oauth2_refresh_url = https://login.windows.net/[short distinct redacted]/oauth2/token
polling_interval = 60
response_handler = WindowsDefenderATPJSONArrayHandler
response_type = json
sequential_mode = 0
sourcetype = wdatp:alerts
streaming_request = 0
disabled = 0
expires_in = 3600
index = foo
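As an added example (not code from the original post or from the REST TA itself), here is a stand-alone handler that accepts both payload shapes discussed above (a JSON array and newline-delimited JSON) and advances `sinceTimeUtc` to the newest alert timestamp seen rather than the wall clock, so alerts timestamped before the poll but delivered later are not skipped. The field names `AlertId`/`AlertTime`, the sample payloads and the timestamp format are constructed assumptions, not taken from the post.

```python
import json

# Constructed sample payloads; AlertId/AlertTime are assumed field names.
NDJSON_PAYLOAD = (
    '{"AlertId": "a1", "AlertTime": "2019-03-01T10:00:00Z", "Severity": "High"}\n'
    '{"AlertId": "a2", "AlertTime": "2019-03-01T10:05:30Z", "Severity": "Low"}\n'
)
ARRAY_PAYLOAD = json.dumps([
    {"AlertId": "a3", "AlertTime": "2019-03-01T11:00:00Z", "Severity": "Medium"},
])


def parse_alerts(raw):
    """Return a list of alert dicts from either a JSON array or an NDJSON body."""
    try:
        data = json.loads(raw)
    except ValueError:
        # Not a single JSON document: treat the body as one object per line
        return [json.loads(line) for line in raw.splitlines() if line.strip()]
    if isinstance(data, list):
        return data
    return [data]  # a lone object is treated as a one-element batch


def next_checkpoint(alerts, previous):
    """Advance the checkpoint to the newest AlertTime seen; never move backwards."""
    newest = previous
    for alert in alerts:
        ts = alert.get("AlertTime")
        # Fixed-width ISO 8601 'Z' strings compare correctly as plain strings
        if ts and (newest is None or ts > newest):
            newest = ts
    return newest


def handle(raw, req_args, emit):
    """Mimic the TA handler contract: emit every alert, then update req_args['params']."""
    alerts = parse_alerts(raw)
    for alert in alerts:
        emit(json.dumps(alert))  # in the TA this would be print_xml_stream
    params = req_args.setdefault("params", {})
    params["sinceTimeUtc"] = next_checkpoint(alerts, params.get("sinceTimeUtc"))
    return len(alerts)
```

If the API treats `sinceTimeUtc` as inclusive, the newest alert can be returned again on the next poll, so de-duplicate on `AlertId` downstream.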