I have the Add-on for Windows Defender installed and configured. I am seeing that it appears to be polling for events successfully.
Log event in _internal:
file=connectionpool.py:_make_request:400 | https://wdatp-alertexporter-eu.securitycenter.windows.com:443 "GET //api/alerts?sinceTimeUtc=2019-12-26%2013:34:57.241814 HTTP/1.1" 200 2236
I have triggered an alert and see it within the ATP portal and also received the email alert from Azure, but I am not seeing the data in Splunk.
Looking at _internal I do see the log entry:
DEBUG pid=91667 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA_windows-defender/storage/collections/data/TA_windows_defender_checkpointer/ATP_EVENTS_obj_checkpoint HTTP/1.1" 404 140
Why is the 404 error coming across? What am I missing in my configuration? I thought I followed the docs correctly but I must be missing something.
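Added example, not code from the post or from the Windows Defender add-on: a small triage script that parses the two kinds of _internal lines quoted above and labels the KV store checkpoint 404 separately from the alert poll. It assumes Splunk's standard KV store REST path layout (`/storage/collections/data/<collection>/<key>`) and that a 404 on a key read can mean either that no checkpoint has been stored yet or that the collection is absent; the sample lines are constructed copies of the post's own entries.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the two _internal lines quoted in the post.
SAMPLE_LOG = """\
DEBUG pid=91667 tid=MainThread file=connectionpool.py:_make_request:400 | https://wdatp-alertexporter-eu.securitycenter.windows.com:443 "GET //api/alerts?sinceTimeUtc=2019-12-26%2013:34:57.241814 HTTP/1.1" 200 2236
DEBUG pid=91667 tid=MainThread file=connectionpool.py:_make_request:387 | "GET /servicesNS/nobody/TA_windows-defender/storage/collections/data/TA_windows_defender_checkpointer/ATP_EVENTS_obj_checkpoint HTTP/1.1" 404 140
"""

# urllib3 connectionpool debug lines end with: "<METHOD> <PATH> HTTP/1.x" <status> <length>
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3}) (?P<length>\d+|-)')
# Splunk KV store REST path: /storage/collections/data/<collection>[/<key>]
KVSTORE_RE = re.compile(r'/storage/collections/data/(?P<collection>[^/?]+)(?:/(?P<key>[^/?]+))?')

@dataclass
class Request:
    method: str
    path: str
    status: int
    length: Optional[int]

def parse_requests(text: str) -> List[Request]:
    """Extract the HTTP request/response summary from each urllib3 debug line."""
    out = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            length = None if m["length"] == "-" else int(m["length"])
            out.append(Request(m["method"], m["path"], int(m["status"]), length))
    return out

def classify(req: Request) -> str:
    """Diagnose one request: alert polling vs. KV store checkpoint access."""
    kv = KVSTORE_RE.search(req.path)
    if kv:
        if req.status == 404 and kv["key"]:
            # KV store answers 404 both for a missing key and for a missing collection.
            return (f"checkpoint key '{kv['key']}' not found in '{kv['collection']}': "
                    "no checkpoint stored yet (normal on first run) or collection absent")
        if req.status == 404:
            return f"collection '{kv['collection']}' not found"
        return f"kvstore {req.method} on '{kv['collection']}' -> {req.status}"
    if "/api/alerts" in req.path:
        if req.status == 200:
            # An empty JSON array ("[]") is 2 bytes; anything larger carried alert data.
            size = "non-empty" if (req.length or 0) > 2 else "empty"
            return f"alert poll ok: {size} response"
        return f"alert poll failed with HTTP {req.status}"
    return f"other request -> {req.status}"

def triage(text: str) -> List[str]:
    """Classify every request found in a block of _internal log text."""
    return [classify(r) for r in parse_requests(text)]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_LOG):
        print(verdict)
```

Run it over a larger slice of `index=_internal` output to confirm that the alert poll keeps returning non-empty responses while the checkpoint read moves from 404 to 200 after the first successful write.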