
Microsoft Defender for Endpoint Blog

The Splunk Add-on for Microsoft Security is now available

Michael Shalev
Feb 17, 2022

We're happy to share that the Splunk-supported Splunk Add-on for Microsoft Security is now available. This add-on maps the Microsoft Defender for Endpoint Alerts API properties or the Microsoft 365 Defender Incidents API properties onto Splunk's Common Information Model (CIM).

The update incidents and update alerts functionality as well as the dashboards that were available in the Microsoft 365 Defender Add-on for Splunk 1.3.0 have now moved to the Microsoft 365 App for Splunk 3.3.0 in Splunkbase.

The Splunk SOAR Windows Defender ATP App 3.5.2 supports 30 additional Microsoft Defender for Endpoint API calls (see Additional Information below).

Additional Information:

The Microsoft Defender for Endpoint Team

Updated Jul 11, 2023
Version 2.0
  • TatsuK66
    Copper Contributor

    We also have a similar issue, as our tenant hosts multiple subsidiaries around the globe, and we want to filter only the devices related to each sub or by region, and we have specific device tags already defined.

  • SocInABox
    Iron Contributor

    Hi there,

    Can the add-on filter by Defender device groups?

    We have regional data privacy issues so we can only collect data into Splunk for a specified Defender device group.

    Thanks.

  • Splunk is creating the add-ons for M365D and MDE and has prioritized Alerts and Incidents for parsing/mapping to Splunk CIM.

    I'm not aware of plans on their part to add parsing for MDE - and other M365D - events and mapping to Splunk CIM.

    I imagine that receiving this as a request from a customer may provide even more motivation to add support for events (I know this is what motivates us :smile:)

  • Jeff Walzer
    Iron Contributor

    Michael Shalev - TYVM for the link as I am already utilizing M365D Streaming API for MDE alerts. Currently, there is no Splunk add-on for MDE events. I have all MDE events going to an EventHub and then use Splunk to ingest the MDE events that way, but without a Splunk add-on that parses and relates to Splunk CIM these MDE events are being utilized for correlation or data models.

    The MDE alerts work great, it's just no add-on exists for MDE events.

    Thx,

    Jeff

  • Jeff Walzer
    Iron Contributor

    Michael Shalev - is Microsoft planning to release a Splunk add-on for Microsoft Defender for Endpoint events, similar to what it has for Sysmon?
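Added example (not from the post, the Splunk add-on, or any commenter): the post says the add-on maps Defender for Endpoint Alerts API properties onto CIM fields, and two commenters ask whether collection can be restricted to specific Defender device groups for data-residency reasons. The script below sketches both steps in Python, renaming a handful of alert properties to CIM-style field names and keeping only alerts whose `rbacGroupName` is in an allow-list. The property-to-field mapping and the sample alert records are assumptions made up for the illustration; they are not the add-on's published mapping or real tenant data.

```python
from typing import Iterable

# Constructed sample alerts shaped like Microsoft Defender for Endpoint Alerts API
# records (property names follow the API; every value here is made up).
SAMPLE_ALERTS = [
    {
        "id": "da637000000000000000_1",
        "title": "Suspicious PowerShell command line",
        "description": "A process launched PowerShell with an encoded command.",
        "severity": "Medium",
        "category": "Execution",
        "computerDnsName": "ws01.emea.example.com",
        "machineId": "0000000000000000000000000000000000000001",
        "rbacGroupName": "EMEA-Workstations",
    },
    {
        "id": "da637000000000000000_2",
        "title": "Malware was detected",
        "description": "Antivirus detected and quarantined a file.",
        "severity": "High",
        "category": "Malware",
        "computerDnsName": "srv07.apac.example.com",
        "machineId": "0000000000000000000000000000000000000002",
        "rbacGroupName": "APAC-Servers",
    },
    {
        # No device group assigned: the privacy-safe default below drops it.
        "id": "da637000000000000000_3",
        "title": "Unusual sign-in",
        "description": "",
        "severity": "Informational",
        "category": "InitialAccess",
        "computerDnsName": "lt22.example.com",
        "machineId": "0000000000000000000000000000000000000003",
    },
]

# Assumed MDE property -> CIM Alerts field mapping, chosen for this illustration;
# it is not the add-on's real mapping.
CIM_FIELD_MAP = {
    "id": "id",
    "title": "signature",
    "description": "body",
    "computerDnsName": "dest",
}

# CIM severity values are lower-case; anything else is normalised to "unknown".
CIM_SEVERITIES = {"informational", "low", "medium", "high", "critical"}


def to_cim(alert: dict) -> dict:
    """Rename MDE alert properties to CIM-style fields and normalise severity."""
    event = {cim: alert[src] for src, cim in CIM_FIELD_MAP.items() if src in alert}
    sev = str(alert.get("severity", "")).lower()
    event["severity"] = sev if sev in CIM_SEVERITIES else "unknown"
    event["vendor_product"] = "Microsoft Defender for Endpoint"
    # Keep the device group as a custom field so searches can still scope by it.
    event["device_group"] = alert.get("rbacGroupName")
    return event


def filter_by_device_group(alerts: Iterable[dict], allowed: set) -> list:
    """Return CIM-mapped events only for alerts whose rbacGroupName is allowed.

    Alerts with no rbacGroupName are dropped on purpose: under a data-residency
    rule, an unknown group must not be treated as permitted.
    """
    kept = []
    for alert in alerts:
        group = alert.get("rbacGroupName")
        if group is not None and group in allowed:
            kept.append(to_cim(alert))
    return kept


if __name__ == "__main__":
    import json

    # Collect only the EMEA group; the APAC alert and the ungrouped alert are skipped.
    for ev in filter_by_device_group(SAMPLE_ALERTS, {"EMEA-Workstations"}):
        print(json.dumps(ev))
```

The filter runs before anything is written to an index, which is the point for a residency requirement: an alert that is dropped here never lands in Splunk at all, rather than being hidden by a search-time role. Applying the same allow-list to a different field (a device tag instead of `rbacGroupName`) is a one-line change to `filter_by_device_group`.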