pdoconnell / ta-microsoft-windefender Goto Github PK

v1.0.6 is available for Splunk Cloud but v1.0.8 fails validation checks. The only failures are the permissions on the tgz/spl file - file objects need the execute bit removed. Unpacking the tarball and removing the execute bit from files allows it to pass the validator.

SplunkCloud-TA-microsoft-windefender.pdf

Line 25 reads:

EVAL-Feature_Name = case(Feature_Name="%%802",

Splunk logs state: The expression is malformed. Expected ).

Not and issue with this app but the Splunk_TA_windows has a rename for this sourcetype which causes your sourcetype not not to appear. Thought it would be worth calling out in the readme.

fix create/edit:
Splunk_TA_windows/local/props.conf

[XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]
rename = xmlwineventlog
disabled = true

[XmlWinEventLog:Microsoft-Windows-Defender/Operational]
rename = xmlwineventlog
disabled = true

[WinEventLog:Microsoft-Windows-Defender/Operational]
rename = wineventlog
disabled = true

[WinEventLog:Microsoft-Windows-Windows Defender/Operational]
rename = wineventlog
disabled = true

While going through the error/warning messages within my Splunk environment, i noticed following warning message which appears quite a number of times in a day.

"Invalid eval expression for 'EVAL-Feature_Name' in stanza [XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]. The expression is malformed. Expected )"

The currepsonding calulated field expression seem to be incomplete
EVAL-Feature_Name = case(Feature_Name="%%802",

This seems to be a list of SCEP/Defender event codes and magic values - many of which aren't in the TA.

We've used this to supplement the TA to eval out other fields in the XML logs such as Action_Name, Execution_Name, Origin_Name, Source_Name, and Type_Name

https://social.technet.microsoft.com/Forums/en-US/75336c42-612b-41dd-9617-46a372affebf/scep-2012-windows-event-ids?forum=configmanagersecurity

https://splunkbase.splunk.com/app/3734

I was able to self-serve install the above app, TA for Microsoft Windows Defender. However, when I attempt to configure it, I get a 404 error when accessing it; https://.splunkcloud.com/en-US/app/TA-microsoft-windefender/home

In the Internal Spunk logs I see the below:

2020-08-27 23:22:47,040 INFO [5f484046f87f21fc02a1d0] error:311 - Masking the original 404 message: 'Splunk cannot find the "None" view.' with 'Page not found!' for security reasons

2020-08-27 23:22:47,039 WARNING [5f484046f87f21fc02a1d0] appnav:399 - An unknown view name "apn_certificate" is referenced in the navigation definition for "TA-microsoft-windefender".

2020-08-27 23:22:47,038 WARNING [5f484046f87f21fc02a1d0] appnav:399 - An unknown view name "mobile_apps" is referenced in the navigation definition for "TA-microsoft-windefender".

2020-08-27 23:22:47,038 WARNING [5f484046f87f21fc02a1d0] appnav:399 - An unknown view name "home" is referenced in the navigation definition for "TA-microsoft-windefender".

2020-08-27 23:22:47,032 INFO [5f484046f87f21fc02a1d0] memoizedviews:89 - PERF - getDigestTime=0.0191s getParsedViewTime=0.001s