We are trying to collect logs for Microsoft Defender ATP, and according to the MS documentation we need to use an ArcSight FlexConnector for REST.
Now we have done the whole setup and followed the guide, but the connector does not seem to come online when we start it. Connector version 7.14 on Windows Server 2016; we are using OAuth2, and this is the guide:
Now, how do you collect the Defender ATP logs in your environment, as the MS-recommended way does not seem to work for us?
Hi @eonl, same issue here, the connector is not starting up. Did you solve this issue?
I did the same as listed in the Windows doc, still no luck.
Please let me know if you solved it and made any tweaks for that!
We also had the same issues; after trying various connector framework versions we found only 7.9 to work. However, that is not the end of it: the refresh token should last 90 days, but the connector will randomly complain that the refresh token has expired and stop polling events (despite the refresh token being a week old). Re-applying the very same refresh token fixes this issue until the next time. We are 100% sure the problem is with the connector.
If you are using a framework version other than 7.9 and the connector status remains down on ESM, then please add the following line to <ArcSight home>\current\user\agent\flexagent\WDATP-connector.properties
The connector status on ESM will then show up as running; however, for us it still does not poll events. We still have an open ticket with Micro Focus and are hoping...
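One way to tell a genuinely expired refresh token from the connector fault described in the post above is to exchange the refresh token by hand on the connector host and look at the expiry of the access token that comes back. The script below is an added example for this thread; it is not code from the thread, from Microsoft's connector guide or from Micro Focus. It assumes the Azure AD v1 token endpoint (https://login.microsoftonline.com/<tenant>/oauth2/token) and the Defender ATP API resource URI https://api.securitycenter.windows.com, neither of which is stated in the thread, so confirm both against the guide you followed. The JWT decoding is demonstrated offline on a constructed, unsigned sample token; the live exchange is a separate function you call with your own tenant details.

```powershell
# Added example (not from the thread, Microsoft or Micro Focus). Assumptions:
# Azure AD v1 token endpoint and Defender ATP resource URI as given below.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # JWT segments are base64url without padding; restore standard base64 first.
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected 3 dot-separated segments)' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-AccessTokenExpired {
    # Reports the audience and the exp claim of an access token, and whether
    # it is already in the past relative to $Now (UTC).
    param(
        [Parameter(Mandatory)][string]$Jwt,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $payload = Get-JwtPayload $Jwt
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([int64]$payload.exp).UtcDateTime
    [pscustomobject]@{
        Audience  = $payload.aud
        ExpiresAt = $exp
        Expired   = ($exp -le $Now)
    }
}

function Invoke-RefreshTokenExchange {
    # Live network call: run it on the connector host so it uses the same
    # egress path as the connector. A non-200 response here points at the
    # token, tenant or app registration rather than the connector framework.
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$ClientSecret,
        [Parameter(Mandatory)][string]$RefreshToken,
        # Assumed Defender ATP API resource URI; verify against the MS guide.
        [string]$Resource = 'https://api.securitycenter.windows.com'
    )
    $body = @{
        grant_type    = 'refresh_token'
        client_id     = $ClientId
        client_secret = $ClientSecret
        refresh_token = $RefreshToken
        resource      = $Resource
    }
    # Assumed Azure AD v1 token endpoint.
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/token"
    Invoke-RestMethod -Method Post -Uri $uri -Body $body -ContentType 'application/x-www-form-urlencoded'
}

# Offline demonstration on a constructed, unsigned sample token (alg "none",
# empty signature segment) so the decode and expiry check run without a tenant.
$toB64Url = {
    param($s)
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$sampleHeader  = '{"alg":"none","typ":"JWT"}'
$sampleExp     = [DateTimeOffset]::new(2019, 1, 2, 3, 4, 5, [TimeSpan]::Zero).ToUnixTimeSeconds()
$samplePayload = '{"aud":"https://api.securitycenter.windows.com","exp":' + $sampleExp + '}'
$sampleJwt     = "$(& $toB64Url $sampleHeader).$(& $toB64Url $samplePayload)."

Test-AccessTokenExpired -Jwt $sampleJwt | Format-List   # Expired is True for this 2019 sample

# Against a live tenant, once the assumptions above are confirmed:
# $resp = Invoke-RefreshTokenExchange -TenantId '<tenant>' -ClientId '<app id>' `
#             -ClientSecret '<secret>' -RefreshToken (Get-Content .\refresh_token.txt -Raw)
# Test-AccessTokenExpired -Jwt $resp.access_token
```

If the manual exchange succeeds and the returned access token is not expired while the connector is still reporting an expired refresh token, the token itself is not the problem, which is the distinction the post above is drawing. Keep the refresh token and client secret out of the shell history and transcript when you run the live step.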
Thanks for insights, @StevyG
Can I get the 7.9 version connector download? I'm not able to see it in the Marketplace.
+ Please post once you have solved this issue.
In addition, I too raised a case with Micro Focus; as it's a REST API Flex connector, only PS needs to be involved here, no normal support will be done.
7.9 is available to download via the Licensing and Downloads section on the same portal where the service requests are logged with Micro Focus. Or just request it on the service request you have raised.
As for Flex connector support, out of the box the latest connector frameworks remain down and will not make the API calls/connection attempts to MS Defender ATP to poll for the events, whereas 7.9 works (out of the box), so something has changed with the latest frameworks. The flex parser from MS works just fine, so no support is needed from Micro Focus on that front. Micro Focus need to address the issue as to why the framework is not attempting/failing to connect; parsing is further down the chain.