Forum Discussion
rs8091
Sep 07, 2021, Copper Contributor
Splunk integration ATP Defender
Hello, we are looking at Microsoft 365 ATP Defender and we are struggling with the integration with Splunk due to some missing fields in the logs. Was anyone successful in doing this? Thank you! RS
rs8091
Nov 27, 2021, Copper Contributor
Jake_Mowrer the app is working, but our team does not want to put the unsupported app into production because they are afraid it can stop working at any time. Is there a timeline for fixing this?
An alternative from the support is to use the Graph API (https://graph.microsoft.com/v1.0/security/alerts/ with the app https://splunkbase.splunk.com/app/4564/ ), but we don't see the same level of detail as in the incident API.
"IncidentURI" is missing, and also useful fields like "Verdict" and "InvestigationState".
Jake_Mowrer
Feb 15, 2022, Former Employee
rs8091 cvue-snl FYI, Splunk released the supported add-on. Please see here: https://splunkbase.splunk.com/app/6207/#/overview