Forum Discussion

rs8091
Copper Contributor
Sep 07, 2021

Splunk integration ATP Defender

Hello,

We are looking at Microsoft 365 ATP Defender and are struggling with the integration with Splunk due to some missing fields in the logs. Was anyone successful in doing this?

Thank you!
RS

    • rs8091
      Copper Contributor

      Jake_Mowrer Hello, this app is not supported by Splunk; we tried to explain this to Microsoft support several times.


      Apps and add-ons published either by Splunk or third-party developers. Indicates that no support or maintenance are provided by the publisher.
      Customers are solely responsible for ensuring proper functionality and version compatibility of Not-supported apps and add-ons with the applicable Splunk software. If unresolvable functional or compatibility issues are encountered, customers may be required to uninstall the app or add-on from their Splunk environment in order for Splunk to fulfill support obligations.


      Are you aware of this?
      Thank you

      • Michael Shalev
        Microsoft

        rs8091 - Thank you for your comments.

        The Splunk supported Microsoft 365 Defender Add-on for Splunk will be released in the near future.

        We'll announce it and news about other SIEM connectors here in the Tech Community.


        Thanks,

        Michael Shalev 

    • rs8091
      Copper Contributor

      Jake_Mowrer Yes, we installed this add-on, but there are some issues:


      These fields are not available anymore (they were available with a different app/API):
      IncidentLinkToMTP
      IncidentLinktoWOATP
      RemediationAction
      RemediationIsSuccess


      We already opened a case with Microsoft support, but we were not able to resolve this. This is the reason we are asking whether other customers are successful with this integration or not.
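A way to establish which of the fields listed above actually arrive in the ingested events before escalating a vendor case, as an added example that is not part of the thread and not Microsoft's or Splunk's code: it parses newline-delimited JSON events and counts per-field coverage, also matching a field that arrives nested under a parent object (a common reason a field looks "missing" after an add-on change). The sample events and their values are constructed here; only the four field names come from the post, and the nested "Remediation" object is an assumption for illustration.

```python
"""Field-coverage check for events ingested through a SIEM add-on.

Constructed example; not code from the thread, Microsoft or Splunk.
The sample events are invented, only the field names come from the post.
"""
import json
from collections import Counter

# Fields the poster reports as missing after moving to the new add-on.
EXPECTED_FIELDS = [
    "IncidentLinkToMTP",
    "IncidentLinktoWOATP",
    "RemediationAction",
    "RemediationIsSuccess",
]

# Constructed sample (NDJSON, one event per line): the first event carries
# every field, the second lacks the two link fields, the third carries the
# remediation fields nested under an assumed "Remediation" object.
SAMPLE_EVENTS = """
{"AlertId": "a1", "IncidentLinkToMTP": "https://example.invalid/1", "IncidentLinktoWOATP": "https://example.invalid/2", "RemediationAction": "Quarantine", "RemediationIsSuccess": true}
{"AlertId": "a2", "RemediationAction": "Quarantine", "RemediationIsSuccess": false}
{"AlertId": "a3", "Remediation": {"RemediationAction": "Block", "RemediationIsSuccess": true}}
"""


def flatten(obj, prefix=""):
    """Flatten nested dicts into dotted keys so nested fields can be found."""
    out = {}
    for key, value in obj.items():
        dotted = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, dotted))
        else:
            out[dotted] = value
    return out


def parse_events(text):
    """Parse NDJSON; blank lines are skipped, unparsable lines are counted."""
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return events, bad


def field_coverage(events, expected, leaf_match=True):
    """Return {field: number of events in which the field is present}.

    With leaf_match, a nested key whose last path segment equals the field
    name counts as present (e.g. Remediation.RemediationAction).
    """
    counts = Counter()
    for event in events:
        flat = flatten(event)
        present = set(flat)
        if leaf_match:
            present |= {k.rsplit(".", 1)[-1] for k in flat}
        for field in expected:
            if field in present:
                counts[field] += 1
    return {field: counts[field] for field in expected}


def missing_fields(events, expected, leaf_match=True):
    """Fields absent from every event: the ones worth raising with the vendor."""
    coverage = field_coverage(events, expected, leaf_match)
    return [field for field, n in coverage.items() if n == 0]


def report(text=SAMPLE_EVENTS, expected=EXPECTED_FIELDS):
    """Summarise parse results and coverage for a batch of events."""
    events, bad = parse_events(text)
    return {
        "events": len(events),
        "unparsable": bad,
        "coverage": field_coverage(events, expected),
        "never_present": missing_fields(events, expected),
    }


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

Run it against a raw JSON export of a few hundred events from the add-on's index instead of the constructed sample; a field that is present in zero of N events is a schema change worth documenting in the support case, while a field that only counts with leaf matching has merely moved and needs a field alias or extraction rather than a vendor fix.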
