pdoconnell / ta-microsoft-windefender
Splunk TA for Windows Defender inputs and extractions.
License: Apache License 2.0
v1.0.6 is available for Splunk Cloud but v1.0.8 fails validation checks. The only failures are the permissions on the tgz/spl file - file objects need the execute bit removed. Unpacking the tarball and removing the execute bit from files allows it to pass the validator.
Line 25 reads:
EVAL-Feature_Name = case(Feature_Name="%%802",
Splunk logs state: The expression is malformed. Expected ).
Not an issue with this app, but the Splunk_TA_windows has a rename for this sourcetype which causes your sourcetype not to appear. Thought it would be worth calling out in the readme.
fix create/edit:
Splunk_TA_windows/local/props.conf
[XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]
rename = xmlwineventlog
disabled = true
[XmlWinEventLog:Microsoft-Windows-Defender/Operational]
rename = xmlwineventlog
disabled = true
[WinEventLog:Microsoft-Windows-Defender/Operational]
rename = wineventlog
disabled = true
[WinEventLog:Microsoft-Windows-Windows Defender/Operational]
rename = wineventlog
disabled = true
While going through the error/warning messages within my Splunk environment, I noticed the following warning message, which appears quite a number of times in a day.
"Invalid eval expression for 'EVAL-Feature_Name' in stanza [XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]. The expression is malformed. Expected )"
The corresponding calculated field expression seems to be incomplete:
EVAL-Feature_Name = case(Feature_Name="%%802",
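The two problems reported in the issues above (an EVAL expression in props.conf that never closes its parenthesis, and a still-enabled `rename` stanza in Splunk_TA_windows that hides the Defender sourcetype) are both easy to miss by eye. The following linter is an added example, not code from this TA or from Splunk: it parses props.conf-style stanzas, flags EVAL- keys whose parentheses do not balance (the `%%802` fragment quoted above is reproduced as one of the inputs), and lists rename stanzas for a given sourcetype that are not disabled. Both sample configs are constructed for the demo, and the `EVAL-Severity_Name` line is a made-up, well-formed expression used only as a control.

```python
"""Lint Splunk props.conf stanzas for malformed EVAL- expressions and
active sourcetype renames. Added example; the sample configs below are
constructed and are not the TA's real props.conf."""
from collections import OrderedDict

# Constructed sample: TA-microsoft-windefender/default/props.conf, including
# the truncated expression quoted in the issue and one well-formed control.
TA_DEFENDER_PROPS = """
[XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]
EVAL-Feature_Name = case(Feature_Name="%%802",
EVAL-Severity_Name = if(isnull(Severity_Name), "unknown", Severity_Name)
"""

# Constructed sample: Splunk_TA_windows props.conf where the first rename is
# still active (masks the sourcetype) and the second has been disabled.
TA_WINDOWS_PROPS = """
[XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]
rename = xmlwineventlog

[WinEventLog:Microsoft-Windows-Defender/Operational]
rename = wineventlog
disabled = true
"""


def parse_props(text):
    """Minimal .conf parser: returns {stanza: {key: value}} in file order.
    Comments and blank lines are skipped; keys are kept case-sensitive,
    as Splunk treats them."""
    stanzas = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, OrderedDict())
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def paren_balance(expr):
    """Net count of unmatched '(' in an eval expression. Parentheses inside
    double-quoted string literals are ignored. A negative result means a
    ')' appeared before any matching '('."""
    depth = 0
    in_string = False
    for ch in expr:
        if ch == '"':
            in_string = not in_string
        elif not in_string:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth < 0:
                    return depth
    return depth


def find_malformed_evals(stanzas):
    """Return (stanza, key, balance) for every EVAL- expression whose
    parentheses do not balance or that ends in a dangling comma; these are
    the expressions Splunk rejects with 'The expression is malformed'."""
    problems = []
    for stanza, keys in stanzas.items():
        for key, value in keys.items():
            if not key.startswith("EVAL-"):
                continue
            balance = paren_balance(value)
            if balance != 0 or value.endswith(","):
                problems.append((stanza, key, balance))
    return problems


def find_active_renames(stanzas, sourcetype_substring):
    """Return (stanza, rename_target) for stanzas matching the substring that
    carry a 'rename' and are not disabled, i.e. renames that will still
    swallow the sourcetype at search time."""
    active = []
    for stanza, keys in stanzas.items():
        if sourcetype_substring not in stanza or "rename" not in keys:
            continue
        if keys.get("disabled", "false").lower() in ("true", "1"):
            continue
        active.append((stanza, keys["rename"]))
    return active


if __name__ == "__main__":
    for stanza, key, balance in find_malformed_evals(parse_props(TA_DEFENDER_PROPS)):
        print(f"malformed eval in [{stanza}] {key}: unmatched '(' count = {balance}")
    for stanza, target in find_active_renames(parse_props(TA_WINDOWS_PROPS), "Defender"):
        print(f"active rename in [{stanza}] -> {target}; add 'disabled = true' in local/props.conf")
```

Run the script against a real `default/props.conf` and your `Splunk_TA_windows/local/props.conf` by replacing the two constructed strings with the file contents; a rename reported as active is exactly the case the readme note above describes, and the fix is the `disabled = true` override shown in that issue.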
This seems to be a list of SCEP/Defender event codes and magic values - many of which aren't in the TA.
We've used this to supplement the TA to eval out other fields in the XML logs such as Action_Name, Execution_Name, Origin_Name, Source_Name, and Type_Name
https://splunkbase.splunk.com/app/3734
I was able to self-serve install the above app, TA for Microsoft Windows Defender. However, when I attempt to configure it, I get a 404 error when accessing it; https://.splunkcloud.com/en-US/app/TA-microsoft-windefender/home
In the internal Splunk logs I see the below:
2020-08-27 23:22:47,040 INFO [5f484046f87f21fc02a1d0] error:311 - Masking the original 404 message: 'Splunk cannot find the "None" view.' with 'Page not found!' for security reasons
2020-08-27 23:22:47,039 WARNING [5f484046f87f21fc02a1d0] appnav:399 - An unknown view name "apn_certificate" is referenced in the navigation definition for "TA-microsoft-windefender".
2020-08-27 23:22:47,038 WARNING [5f484046f87f21fc02a1d0] appnav:399 - An unknown view name "mobile_apps" is referenced in the navigation definition for "TA-microsoft-windefender".
2020-08-27 23:22:47,038 WARNING [5f484046f87f21fc02a1d0] appnav:399 - An unknown view name "home" is referenced in the navigation definition for "TA-microsoft-windefender".
2020-08-27 23:22:47,032 INFO [5f484046f87f21fc02a1d0] memoizedviews:89 - PERF - getDigestTime=0.0191s getParsedViewTime=0.001s