Forum Discussion
rs8091
Sep 07, 2021Copper Contributor
Splunk integration ATP Defender
Hello,
we are looking at Microsoft 365 ATP Defender and we are struggling with the integration with Splunk due some missing fields in the logs, did anyone was succesful to do this?
Thank you!
RS
- Michael Shalev
Microsoft
Hi rs8091,
There is even a newer add-on called Splunk Add-on for Microsoft Security v1.2.0 that is fully supported by Splunk.
If you want to continue updating Incidents and/or Alerts, you also need the Microsoft 365 App for Splunk that now includes these capabilities. - Jake_Mowrer
Microsoft
- rs8091Copper Contributor
Jake_Mowrer Hello, this app is not supported by Splunk, we tried to explain it to Microsoft support several times.
Apps and add-ons published either by Splunk or third-party developers. Indicates that no support or maintenance are provided by the publisher.
Customers are solely responsible for ensuring proper functionality and version compatibility of Not-supported apps and add-ons with the applicable Splunk software. If unresolvable functional or compatibility issues are encountered, customers may be required to uninstall the app or add-on from their Splunk environment in order for Splunk to fulfill support obligations.Are you aware of this?
Thank you- Michael Shalev
Microsoft
rs8091 - Thank you for your comments.
The Splunk supported Microsoft 365 Defender Add-on for Splunk will be released in the near future.
We'll announce it and news about other SIEM connectors here in the Tech Community.
Thanks,
- rs8091Copper Contributor
Jake_Mowrer Yes we installed this addon but there some issues:
these fields are not available anymore. (while were available with different app/API)
IncidentLinkToMTPIncidentLinktoWOATP
RemediationAction
RemediationIsSuccess
We already opened a case with Microsoft support but we are not able to resolve this. This is the reason we are asking if other customers are successful with this integration or not.
- Jake_Mowrer
Microsoft
rs8091 Those fields are from the SIEM API documented here:
Microsoft Defender for Endpoint detections API fields | Microsoft DocsThe 1.3.0 Add-on for Splunk is using the incident API in M365 Defender and the Alert API in Defender for Endpoint (you can set it up for both) and not the SIEM API:
M365 Defender incident API - List incidents API in Microsoft 365 Defender | Microsoft Docs
Defender for Endpoint API - List alerts API | Microsoft Docs
The fields you are looking for are a bit different now:
M365 Defender incident API:
- IncidentLinktoMTP = incidentUri (M365 Defender incident API)
- RemediationAction and RemediationIsSucess changed to:detectionStatus, remediationStatus, remediationStatusDetails
Thanks,
Jake Mowrer