Forum Discussion
Splunk integration ATP Defender
Jake_Mowrer Hello, this app is not supported by Splunk, we tried to explain it to Microsoft support several times.
Apps and add-ons published either by Splunk or third-party developers. Indicates that no support or maintenance are provided by the publisher.
Customers are solely responsible for ensuring proper functionality and version compatibility of Not-supported apps and add-ons with the applicable Splunk software. If unresolvable functional or compatibility issues are encountered, customers may be required to uninstall the app or add-on from their Splunk environment in order for Splunk to fulfill support obligations.
Are you aware of this?
Thank you
rs8091 - Thank you for your comments.
The Splunk supported Microsoft 365 Defender Add-on for Splunk will be released in the near future.
We'll announce it and news about other SIEM connectors here in the Tech Community.
Thanks,
Michael ShalevAny update on the when this new supported version of M365 Defender for Endpoint Add-on for Splunk will be available?
cvue-snl - thanks for your question.
We're waiting for the new Add-on to complete Splunk's deployment process - I will update here when I receive notice that deployment is complete
- Yes, we're definitely aware of this and we're working with Splunk to improve this. Are you running into an issue with the add-on?
Jake_Mowrer the app is working but our team does not want to put in production the unsupported app because they are afraid it can stop working any time. Is there a timeline for fixing this?
An alternative from the support is to use the graph api (https://graph.microsoft.com/v1.0/security/alerts/ with app: https://splunkbase.splunk.com/app/4564/ ) but we don't see the same level of detail of the incident API.
"IncidentURI" is missing and also useful fields like "Veridict", "InvestigationState"rs8091 cvue-snl FYI Splunk released the supported add-on. Please see here: https://splunkbase.splunk.com/app/6207/#/overview
