Lieutenant Commander

Defender ATP

Hi All,

We are trying to collect logs for Microsoft Defender ATP, and according to MS documentation we will need to use an Arcsight Flex connector for REST.

Now we have done the whole setup and followed the guide, but the connector does not seem to come online when we start it. Connector version 7.14 on Windows Server 2016, we are using OAuth2, and this is the guide:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight

Now, how do you collect the Defender ATP logs in your environment, as the MS recommended way does not seem to work for us?

Lieutenant

Hi @eonl, same issue here, the connector is not starting up. Did you solve this issue?

I did the same as listed in the Windows doc, still no luck.

Please let me know if you solved it and whether you made any tweaks for that!

Knowledge Partner

Please give SC Framework 7.11 a try.

Commander

Hi,

We also had the same issues; after trying various connector framework versions we found only 7.9 to work. However, that is not the end of it: the refresh token should last 90 days, but the connector randomly complains that the refresh token has expired and stops polling events (despite the refresh token being a week old). Re-applying the very same refresh token fixes this issue until the next time. We are 100% sure the problem is with the connector.

If you are using a framework version other than 7.9 and the connector status remains down on ESM, then please add the following line to <arcsight home>\current\user\agent\flexagent\WDATP-connector.properties:

timestamp_format_of_api_vendor=YYYY-MM-DDThh:mm:ss.SSSX

The connector status on ESM will then show up as running; however, for us it still does not poll events. We still have an open ticket with MicroFocus and are hoping...

Lieutenant

Thanks for the insights, @StevyG

Can I get the 7.9 version connector download? I'm not able to see it in the marketplace.

+ Please post once you have solved this issue.

In addition, I too raised a case with MicroFocus; as it's a REST API Flex connector, only PS needs to be involved here, no normal support will be done.

Thanks.

Commander

7.9 is available to download via the Licensing and Downloads section on the same portal where service requests are logged with MicroFocus. Or just request it on the service request you have raised.


As for Flex connector support, out of the box the latest connector frameworks remain down and will not make the API calls/connection attempts to MS Defender ATP to poll for events, whereas 7.9 works (out of the box), so something has changed with the latest frameworks. The Flex parser from MS works just fine, so no support is needed from MicroFocus on that front. MicroFocus needs to address why the framework is not attempting/failing to connect; parsing is further down the chain.
