Forum Discussion
Splunk integration ATP Defender
Jake_Mowrer Yes, we installed this add-on but there are some issues:
These fields are not available anymore (while they were available with the different app/API):
IncidentLinkToMTP
IncidentLinktoWOATP
RemediationAction
RemediationIsSuccess
We already opened a case with Microsoft support but we are not able to resolve this. This is the reason we are asking if other customers are successful with this integration or not.
rs8091 Those fields are from the SIEM API documented here:
Microsoft Defender for Endpoint detections API fields | Microsoft Docs
The 1.3.0 Add-on for Splunk is using the incident API in M365 Defender and the Alert API in Defender for Endpoint (you can set it up for both) and not the SIEM API:
M365 Defender incident API - List incidents API in Microsoft 365 Defender | Microsoft Docs
Defender for Endpoint API - List alerts API | Microsoft Docs
The fields you are looking for are a bit different now:
M365 Defender incident API:
- IncidentLinktoMTP = incidentUri (M365 Defender incident API)
- RemediationAction and RemediationIsSuccess changed to:
detectionStatus, remediationStatus, remediationStatusDetails
Thanks,
Jake Mowrer
- rs8091 Sep 13, 2021 Copper Contributor
Jake_Mowrer Thank you for the clarification. I can confirm that from the incident API we can see the link.
We are surprised that the link to the alert was removed from the SIEM API. It's important information for a security analyst to have.
We opened a support case to investigate this.
- Jake_Mowrer Sep 13, 2021 Microsoft
The LinkToWDATP is still in the SIEM API; however, the Splunk add-on linked above does not use the SIEM API any longer. It uses the M365 Defender incident API and the Defender for Endpoint alert API.
- rs8091 Sep 18, 2021 Copper Contributor
Jake_Mowrer Thank you. From my understanding the API used is: api-eu.securitycenter.microsoft.com.
We opened a ticket with MS support to request an improvement on these fields that can help our security operations.