rs8091
Sep 07, 2021Copper Contributor
Splunk integration ATP Defender
Hello, we are looking at Microsoft 365 ATP Defender and we are struggling with the integration with Splunk due to some missing fields in the logs. Was anyone successful in doing this? Thank you! RS
rs8091
Sep 13, 2021Copper Contributor
Jake_Mowrer Thank you for the clarification. I can confirm that from incident API we can see the link.
We are surprised that the link to the alert was removed from the SIEM API. It's important information for a security analyst to have.
We opened a support case to investigate this.
Jake_Mowrer
Sep 13, 2021Former Employee
The LinkToWDATP is still in the SIEM API; however, the Splunk add-on linked above no longer uses the SIEM API. It uses the M365 Defender incident API and the Defender for Endpoint alert API.
rs8091
Sep 18, 2021Copper Contributor
Jake_Mowrer Thank you. From my understanding, the API used is: api-eu.securitycenter.microsoft.com.
We opened a ticket with MS support to request an improvement on these fields that can help our security operations.