***This TA is tested on Splunk 8.0.1 using the default Python version (2.7) and works without any issues.***
***This TA doesn't support Python 3. If your Splunk Enterprise is forced to use Python 3, you can still make this TA work by putting python.version=python2 in the inputs.conf of the TA.***
The new Add-on for Microsoft Defender ATP, previously known as Windows Defender ATP (https://splunkbase.splunk.com/app/5038/), is the updated version of this TA and supports Splunk Enterprise version 8 and Python 3.
This TA fetches Windows Security Center alerts from the Azure cloud.
First you need to enable SIEM integration in Windows Defender ATP. This provides a Client ID and a Client Secret; both are required to get the logs into Splunk.
The link below documents how to enable SIEM integration in Windows Defender ATP:
This TA requires the following attributes:
Endpoint - Use the URI applicable for your region:
For EU: https://wdatp-alertexporter-eu.securitycenter.windows.com
For US: https://wdatp-alertexporter-us.securitycenter.windows.com
Tenant ID - Required to obtain an access token, which is then used to fetch events from the Azure Windows Security Center
Resource - Defaults to https://graph.windows.net
Client ID - Found in Windows Defender ATP
Client Secret - Also found in WDATP
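To show how the attributes above fit together, here is an added Python 3 example (not the TA's own code, which is Python 2) that builds the token request and the alert fetch, and refuses any endpoint other than the two regional URIs so a misconfigured endpoint cannot receive the bearer token. The Azure AD token URL and the /api/alerts path are assumptions taken from the public SIEM API, not from this page.

```python
"""Added example, not the TA's code. Assumed (not on the page): the Azure AD v1
token endpoint below and the /api/alerts path on the alert exporter."""
import json
import urllib.parse
import urllib.request

# The two regional alert exporter URIs listed on the page.
ALLOWED_ENDPOINTS = {
    "https://wdatp-alertexporter-eu.securitycenter.windows.com",
    "https://wdatp-alertexporter-us.securitycenter.windows.com",
}
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"  # assumption


def build_token_request(tenant_id, client_id, client_secret,
                        resource="https://graph.windows.net"):
    """Client-credentials grant: Tenant ID selects the token endpoint, Resource is
    the audience. Returns (url, urlencoded POST body)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    })
    return TOKEN_URL.format(tenant=tenant_id), body


def build_alerts_request(endpoint, access_token, since_utc=None):
    """Returns (url, headers) for the alert fetch. Endpoints outside the two
    regional URIs are rejected before the bearer token is attached."""
    endpoint = endpoint.rstrip("/")
    if endpoint not in ALLOWED_ENDPOINTS:
        raise ValueError("Endpoint must be the EU or US alert exporter URI")
    url = endpoint + "/api/alerts"
    if since_utc:
        url += "?" + urllib.parse.urlencode({"sinceTimeUtc": since_utc})
    return url, {"Authorization": "Bearer " + access_token}


def fetch_alerts(tenant_id, client_id, client_secret, endpoint, since_utc=None):
    """Performs both calls. The secret and token are never logged."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        token = json.load(resp)["access_token"]
    url, headers = build_alerts_request(endpoint, token, since_utc)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```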
To troubleshoot, open the app from the app menu, click the Configuration tab, then click Logging and set the log level to DEBUG.
Use the query below for more details on how the script is executed: