First, enable SIEM integration in Windows Defender ATP. This provides the Client ID and Client Secret, both of which are required to pull the logs into Splunk.
The link below documents how to enable SIEM integration in Windows Defender ATP:
Endpoint - Use the URI applicable for your region
For EU: https://wdatp-alertexporter-eu.securitycenter.windows.com
For US: https://wdatp-alertexporter-us.securitycenter.windows.com
Tenant ID - Required to obtain an access token, which is then used to fetch events from Windows Defender Security Center
Resource - defaults to https://graph.windows.net
Client ID - Obtained from the SIEM integration page in Windows Defender ATP
Client Secret - Also obtained from the SIEM integration page in Windows Defender ATP. Treat it like a password: keep it out of tickets and debug logs
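The following is an added example (not the TA's own code) of the flow those five settings drive: exchange the tenant ID, client ID and client secret for a bearer token, then call the regional alert-exporter endpoint with it. The two exporter hosts and the default resource come from the page; the Azure AD token URL, the /api/alerts path and the sinceTimeUtc parameter are assumptions about the Defender ATP SIEM API, and the alert records and the fake transport are constructed so the flow can be run offline. The redacted() helper shows what a debug-level log line for the configuration should and should not contain.

```python
"""Token-then-fetch flow for the Defender ATP SIEM alert exporter.
Added example, not the TA's code. Assumptions: Azure AD v1 token URL,
/api/alerts path, sinceTimeUtc parameter, and the sample alert fields."""
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"  # assumption
ENDPOINTS = {
    "eu": "https://wdatp-alertexporter-eu.securitycenter.windows.com",
    "us": "https://wdatp-alertexporter-us.securitycenter.windows.com",
}
DEFAULT_RESOURCE = "https://graph.windows.net"


def _http(method, url, headers=None, body=None):
    """Minimal transport returning (status, raw_bytes); injectable for tests."""
    req = urllib.request.Request(url, data=body, headers=headers or {}, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read()


def get_token(tenant_id, client_id, client_secret, resource=DEFAULT_RESOURCE, http=_http):
    """Client-credentials grant: trade the SIEM integration secret for a bearer token."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }).encode()
    status, raw = http("POST", TOKEN_URL.format(tenant=tenant_id),
                       {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        # Never include the request body in the error: it carries the secret.
        raise RuntimeError("token request failed with HTTP %d" % status)
    return json.loads(raw)["access_token"]


def fetch_alerts(region, token, since_time_utc, http=_http):
    """Pull alerts newer than since_time_utc from the exporter for the region."""
    if region not in ENDPOINTS:
        raise ValueError("unknown region %r; use one of %s" % (region, sorted(ENDPOINTS)))
    url = ENDPOINTS[region] + "/api/alerts?" + urllib.parse.urlencode(
        {"sinceTimeUtc": since_time_utc})
    status, raw = http("GET", url, {"Authorization": "Bearer " + token})
    if status == 401:
        raise PermissionError("exporter rejected the token; check tenant, client ID and region")
    if status != 200:
        raise RuntimeError("alert fetch failed with HTTP %d" % status)
    return json.loads(raw)


def redacted(config):
    """Copy of the config safe to write at debug level: secret masked to its last two chars."""
    safe = dict(config)
    if safe.get("client_secret"):
        safe["client_secret"] = "****" + safe["client_secret"][-2:]
    return safe


# Constructed sample alerts; field names loosely follow the SIEM alert schema.
SAMPLE_ALERTS = [
    {"AlertTitle": "Suspicious PowerShell command line", "Severity": "Medium",
     "ComputerDnsName": "wks01.corp.example", "AlertTime": "2019-03-01T10:02:11Z"},
    {"AlertTitle": "Credential dumping attempt", "Severity": "High",
     "ComputerDnsName": "srv02.corp.example", "AlertTime": "2019-03-01T10:15:40Z"},
]


def fake_http(expected_secret, alerts=SAMPLE_ALERTS):
    """Constructed offline transport: checks the secret on the token call, then
    requires the issued bearer token on the exporter call."""
    def transport(method, url, headers=None, body=None):
        headers = headers or {}
        if url.startswith("https://login.microsoftonline.com/"):
            form = urllib.parse.parse_qs(body.decode())
            if form.get("client_secret") != [expected_secret]:
                return 401, b'{"error":"invalid_client"}'
            return 200, json.dumps({"access_token": "tok-123"}).encode()
        if headers.get("Authorization") != "Bearer tok-123":
            return 401, b""
        return 200, json.dumps(alerts).encode()
    return transport


def demo(region="eu", secret="s3cret"):
    """End-to-end run against the fake transport; returns the alert list."""
    http = fake_http(secret)
    token = get_token("tenant-guid", "client-guid", secret, http=http)
    return fetch_alerts(region, token, "2019-03-01T00:00:00Z", http=http)


if __name__ == "__main__":
    for alert in demo():
        print(alert["Severity"], alert["ComputerDnsName"], alert["AlertTitle"])
```

Replace the fake transport with the default `_http` and real GUIDs to run it against the live endpoints; keep the region consistent with the tenant, since a token accepted by Azure AD is still rejected by the wrong regional exporter.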
Open the app from the Apps menu, click the Configuration tab, then Logging, and set the log level to Debug.
Use the query below to see more detail on how the script is executed:
python.version = python3 is set so that the app passes Splunk AppInspect.
If you install this TA on a Splunk version earlier than 8, you will see the errors below when Splunk starts.
Invalid key in stanza [microsoft_defender_atp_alerts] in $SPLUNK_HOME/etc/apps/TA-microsoft-defender/default/inputs.conf, line 4: python.version (value: python3).
Invalid key in stanza [admin_external:TA_microsoft_defender_settings] in $SPLUNK_HOME/etc/apps/TA-microsoft-defender/default/restmap.conf, line 10: python.version (value: python3).
Invalid key in stanza [admin_external:TA_microsoft_defender_microsoft_defender_atp_alerts] in $SPLUNK_HOME/etc/apps/TA-microsoft-defender/default/restmap.conf, line 16: python.version (value: python3).
These errors occur because the python.version key exists to support Splunk 8 and is not recognised by earlier versions. You can ignore these messages, or comment out the python.version lines in inputs.conf and restmap.conf.