We're happy to share that the Splunk-supported Splunk Add-on for Microsoft Security is now available. This add-on maps the Microsoft Defender for Endpoint Alerts API properties or the Microsoft 365 Defender Incidents API properties onto Splunk's Common Information Model (CIM).
The update-incidents and update-alerts functionality, as well as the dashboards, that were available in the Microsoft 365 Defender Add-on for Splunk 1.3.0 have now moved to the Microsoft 365 App for Splunk 3.3.0 in Splunkbase.
The Splunk SOAR Windows Defender ATP App 3.5.2 supports 30 additional Microsoft Defender for Endpoint API calls (see Additional Information below).
Additional Information:
- Documentation for the Splunk Add-on for Microsoft Security is available here: https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/About
- Splunk guidance on migrating from the Microsoft 365 Defender Add-on for Splunk version 1.3.0 to the Splunk Add-on for Microsoft Security is available here: https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Migrate
- Documentation of the Microsoft 365 App for Splunk 3.3.0 is available here: https://splunkbase.splunk.com/app/3786/#/details
- Documentation for the Splunk SOAR Windows Defender ATP App version 3.5.2 is here: https://github.com/splunk-soar-connectors/windowsdefenderatp
The Microsoft Defender for Endpoint Team
Updated Jul 11, 2023
Version 2.0
Michael Shalev, Microsoft
Microsoft Defender for Endpoint Blog