All Apps and Add-ons

Windows Defender ATP - error after configuring connection

rene_securelink
Engager

Issue when configure connection string for Windows Defender ATP.

Shows this in log file ta_windows_defender_windows_defender_atp_alerts.log:

2019-08-02 14:46:37,060 INFO pid=18110 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-08-02 14:46:38,018 INFO pid=18110 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-08-02 14:46:39,513 INFO pid=18110 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-08-02 14:46:41,071 INFO pid=18110 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-08-02 14:46:42,585 INFO pid=18110 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
2019-08-02 14:46:42,586 INFO pid=18110 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2019-08-02 14:46:42,600 INFO pid=18110 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
2019-08-02 14:46:42,770 ERROR pid=18110 tid=MainThread file=base_modinput.py:log_error:307 | No JSON object could be decoded
2019-08-02 14:46:42,771 ERROR pid=18110 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA_windows-defender/bin/ta_windows_defender/modinput_wrapper/base_modinput.py", line 127, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA_windows-defender/bin/windows_defender_atp_alerts.py", line 88, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA_windows-defender/bin/input_module_windows_defender_atp_alerts.py", line 151, in collect_events
    "Authorization": 'Bearer ' + access_token,
TypeError: cannot concatenate 'str' and 'NoneType' objects

smcclory
Loves-to-Learn

After about a month of trying everything and anything I randomly read this splunk doc:
https://docs.splunk.com/Documentation/Splunk/latest/Security/HowtoprepareyoursignedcertificatesforSp...

Replace latest with Splunk version being used and read about certificate chaining:

[ server certificate]
[ intermediate certificate]
[ root certificate (if required) ]

I went here:

$SPLUNK_HOME/etc/apps/TA_windows-defender/bin/ta_windows_defender/requests/

It turns out that TA_windows_defender needed my root certificate appended to the cacerts.pem.

I suggest backing your certs up, and then append with a command that works:

cat org.pem >> cacaerts.pem 

If it looks correct restart splunk . I hope you had the same issue and it is fixed.

Happy Splunking!

0 Karma

ChadLangUAB
Path Finder

Thanks for the input! I've tried catting my intermediate/root PEM to cacert.pem & restarted Splunk on my Windows HF and the log is:

2020-03-03 14:19:50,694 INFO pid=1140 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-03-03 14:20:06,312 INFO pid=1140 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-03-03 14:20:16,960 INFO pid=1140 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-03-03 14:20:27,624 INFO pid=1140 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-03-03 14:20:36,272 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Log Level is set to :DEBUG
2020-03-03 14:20:36,273 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Checkpoint key:UAB_obj_checkpoint
2020-03-03 14:20:36,273 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Login URL:https://login.microsoftonline.com
2020-03-03 14:20:36,273 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Endpoint : https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts
2020-03-03 14:20:36,273 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Tenant ID:d8999fe4-76af-40b3-b435-1d8977abc08c
2020-03-03 14:20:36,273 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Resource:https://graph.windows.net
2020-03-03 14:20:36,273 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Client ID:463e0c66-ee95-4031-b430-00ee5a6575b2
2020-03-03 14:20:36,273 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Start Date Input:None
2020-03-03 14:20:36,273 INFO pid=1140 tid=MainThread file=splunk_rest_client.py:_request_handler:100 | Use HTTP connection pooling
2020-03-03 14:20:36,273 DEBUG pid=1140 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA_windows-defender/storage/collections/config/TA_windows_d... (body: {})
2020-03-03 14:20:36,275 INFO pid=1140 tid=MainThread file=connectionpool.py:_new_conn:758 | Starting new HTTPS connection (1): 127.0.0.1
2020-03-03 14:20:36,279 DEBUG pid=1140 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA_windows-defender/storage/collections/config/TA_windows_defender_checkpointer HTTP/1.1" 200 5497
2020-03-03 14:20:36,280 DEBUG pid=1140 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.006000
2020-03-03 14:20:36,280 DEBUG pid=1140 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA_windows-defender/storage/collections/config/ (body: {'count': -1, 'search': 'TA_windows_defender_checkpointer', 'offset': 0})
2020-03-03 14:20:36,283 DEBUG pid=1140 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA_windows-defender/storage/collections/config/?count=-1&search=TA_windows_defender_checkpointer&offset=0 HTTP/1.1" 200 4685
2020-03-03 14:20:36,283 DEBUG pid=1140 tid=MainThread file=binding.py:new_f:71 | Operation took 0:00:00.003000
2020-03-03 14:20:36,288 DEBUG pid=1140 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA_windows-defender/storage/collections/data/TA_windows_def... (body: {})
2020-03-03 14:20:36,312 DEBUG pid=1140 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA_windows-defender/storage/collections/data/TA_windows_defender_checkpointer/UAB_obj_checkpoint HTTP/1.1" 404 140
2020-03-03 14:20:36,313 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Max date before getting message: 2020-02-25 14:20:36.314000
2020-03-03 14:20:36,313 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | UTC Time Now:2020-03-03 20:20:36.314000
2020-03-03 14:20:36,315 DEBUG pid=1140 tid=MainThread file=binding.py:get:664 | GET request to https://127.0.0.1:8089/servicesNS/nobody/TA_windows-defender/storage/collections/data/TA_windows_def... (body: {})
2020-03-03 14:20:36,316 DEBUG pid=1140 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA_windows-defender/storage/collections/data/TA_windows_defender_checkpointer/accesstoken HTTP/1.1" 404 140
2020-03-03 14:20:36,318 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | get access token called
2020-03-03 14:20:36,318 INFO pid=1140 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
2020-03-03 14:20:36,318 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Proxies set is : {}
2020-03-03 14:20:36,318 DEBUG pid=1140 tid=MainThread file=base_modinput.py:log_debug:286 | Global SSL Verify settings is: True
2020-03-03 14:20:36,342 DEBUG pid=1140 tid=MainThread file=connectionpool.py:_new_conn:809 | Starting new HTTPS connection (1): login.microsoftonline.com
2020-03-03 14:20:36,671 DEBUG pid=1140 tid=MainThread file=connectionpool.py:_make_request:400 | https://login.microsoftonline.com:443 "POST /d8999fe4-76af-40b3-b435-1d8977abc08c/oauth2/token HTTP/1.1" 401 471
2020-03-03 14:20:36,676 ERROR pid=1140 tid=MainThread file=base_modinput.py:log_error:307 | 'access_token'
2020-03-03 14:20:36,677 ERROR pid=1140 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
File "C:\Program Files\Splunk\etc\apps\TA_windows-defender\bin\ta_windows_defender\modinput_wrapper\base_modinput.py", line 127, in stream_events
self.collect_events(ew)
File "C:\Program Files\Splunk\etc\apps\TA_windows-defender\bin\windows_defender_atp_alerts.py", line 88, in collect_events
input_module.collect_events(self, ew)
File "C:\Program Files\Splunk\etc\apps\TA_windows-defender\bin\input_module_windows_defender_atp_alerts.py", line 151, in collect_events
"Authorization": 'Bearer ' + access_token,
TypeError: cannot concatenate 'str' and 'NoneType' objects

Pretty frustrating. FYI had a Splunk PS guy onsite for a couple weeks and he was clueless.

0 Karma

dasmind
Engager

Hi Chad

in your debug output i can see a type. The Endpoint should be "https://wdatp-alertexporter-us.securitycenter.windows.com" and not " https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts"

Best Regards
Damian

0 Karma

ajaynes
Engager

If you want to onboard Windows Defender ATP you will need to use Microsoft Graph Security API Add-On for Splunk.

https://splunkbase.splunk.com/app/4564/#/details

0 Karma

ChadLangUAB
Path Finder

Why do you think this is the answer? I could not get it to work with the same API connection used for the Windows Defender ATP Modular Inputs TA, which works on my dev instance.

The guidance directly from Microsoft is to use the Windows Defender ATP Modular Inputs TA, step 1 below:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure...

0 Karma

ajaynes
Engager

Did anyone ever find the answer to this issue? I'm having the same problem.

ChadLangUAB
Path Finder

I'm having the exact same error. However, it works on my all-in-one Splunk instance but not when moved over to my HF.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...