Add-on for windows defender is not working: https:...

rahulhoney · ‎12-17-2019

We are trying to fetch data from Microsoft ATP using the "Add-on for windows defender" app and we are seeing an error.

App location on Splunkbase is: https://splunkbase.splunk.com/app/4128/

2019-12-17 12:37:22,682 ERROR pid=23927 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events. Traceback (most recent call last): File "/opt/splunk/etc/apps/TA_windows-defender/bin/ta_windows_defender/modinput_wrapper/base_modinput.py", line 127, in stream_events self.collect_events(ew) File "/opt/splunk/etc/apps/TA_windows-defender/bin/windows_defender_atp_alerts.py", line 88, in collect_events input_module.collect_events(self, ew) File "/opt/splunk/etc/apps/TA_windows-defender/bin/input_module_windows_defender_atp_alerts.py", line 151, in collect_events "Authorization": 'Bearer ' + access_token, TypeError: cannot concatenate 'str' and 'NoneType' objects

2019-12-17 12:37:22,681 ERROR pid=23927 tid=MainThread file=base_modinput.py:log_error:307 | No JSON object could be decoded

marianomromano · ‎02-14-2020

I believe you have the wrong Login URL.

Wrong URL:
- https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts
- https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts

Correct URL:

https://login.windows.net/

Add-on for windows defender is not working: https://splunkbase.splunk.com/app/4128/

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes