The Splunk Add-on for Microsoft Security is now available

Published Feb 17 2022 10:17 AM 4,159 Views
Microsoft

We're happy to share that the Splunk-supported Splunk Add-on for Microsoft Security (https://splunkbase.splunk.com/app/6207/) is now available. This add-on builds on the Microsoft 365 Defender Add-on for Splunk 1.3.0 (https://splunkbase.splunk.com/app/4959/) and maps the Microsoft Defender for Endpoint Alerts API properties (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/alerts?view=o365-worldwide#properties) or the Microsoft 365 Defender Incidents API properties (https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-list-incidents?view=o365-worldwide#incident-metadata) onto Splunk's Common Information Model (CIM).

The Splunk Add-on for Microsoft Security only supports ingesting Alerts or Incidents into Splunk. To manage or update Alerts or Incidents (the assignedTo, classification, determination, status, and comments fields) directly from Splunk, customers should continue using the Microsoft 365 Defender Add-on for Splunk 1.3.0 app or the Splunk SOAR Windows Defender ATP App (https://splunkbase.splunk.com/app/5870/).

The Splunk SOAR Windows Defender ATP App 3.5.2 supports 30 additional Microsoft Defender for Endpoint API calls (see Additional Information below).
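As an added example (written for this post, not code from the announcement or from either Splunk app), the following Python sketches the two halves the post separates: the ingest side that the new add-on covers (polling the Defender for Endpoint Alerts API incrementally by lastUpdateTime, following @odata.nextLink pages, and normalizing a few properties onto CIM-style field names) and the management side it does not (a validated PATCH body for assignedTo, classification, determination, status and comment, which the older add-on or the SOAR app handle). The CIM field mapping, the allowed-value lists and the sample alert pages are assumptions and constructed data, not the add-on's real mapping or any tenant's output.

```python
import json
import urllib.parse
from typing import Callable, Dict, List, Optional

# Real MDE Alerts API base URL; network access is behind an injectable page fetcher
# (a real one would GET the URL with an "Authorization: Bearer <token>" header).
ALERTS_URL = "https://api.securitycenter.microsoft.com/api/alerts"

# Allowed values of the alert-management fields as documented for the MDE Alerts API
# around the time of the post. Microsoft has extended these lists since, so treat
# them as a dated snapshot (assumption), not an authoritative enumeration.
ALLOWED = {
    "status": {"New", "InProgress", "Resolved"},
    "classification": {"Unknown", "FalsePositive", "TruePositive"},
    "determination": {"NotAvailable", "Apt", "Malware", "SecurityPersonnel",
                      "SecurityTesting", "UnwantedSoftware", "Other"},
}


def fetch_updated_alerts(get_page: Callable[[str], dict], since_iso: str) -> List[dict]:
    """Ingest side: pull every alert updated after `since_iso`, following
    @odata.nextLink pages and de-duplicating by id (an alert changed while paging
    can be returned twice; the later copy wins)."""
    query = urllib.parse.urlencode(
        {"$filter": f"lastUpdateTime gt {since_iso}", "$orderby": "lastUpdateTime"},
        quote_via=urllib.parse.quote)
    url: Optional[str] = f"{ALERTS_URL}?{query}"
    seen: Dict[str, dict] = {}
    while url:
        page = get_page(url)
        for alert in page.get("value", []):
            seen[alert["id"]] = alert
        url = page.get("@odata.nextLink")
    return list(seen.values())


def next_checkpoint(alerts: List[dict], previous: str) -> str:
    """Newest lastUpdateTime seen (same-layout Zulu ISO-8601 strings sort lexically)."""
    return max([previous] + [a["lastUpdateTime"] for a in alerts])


def to_cim_alert(alert: dict) -> dict:
    """Illustrative normalization onto CIM-style field names; a guess made for this
    example, not the add-on's real mapping."""
    user = (alert.get("relatedUser") or {}).get("userName")
    return {"id": alert["id"], "signature": alert.get("title"),
            "severity": (alert.get("severity") or "unknown").lower(),
            "dest": alert.get("computerDnsName"), "user": user,
            "status": alert.get("status"),
            "vendor_product": "Microsoft Defender for Endpoint"}


def build_alert_update(assigned_to: Optional[str] = None, comment: Optional[str] = None,
                       **fields: str) -> dict:
    """Management side: validated body for PATCH ALERTS_URL/{alertId}. Only supplied
    fields are sent; the request property is `comment` (singular) although the alert
    object exposes a `comments` array."""
    body: Dict[str, str] = {}
    for name, value in fields.items():
        if name not in ALLOWED or value not in ALLOWED[name]:
            raise ValueError(f"{name}={value!r} not allowed; choose from "
                             f"{sorted(ALLOWED.get(name, []))}")
        body[name] = value
    if assigned_to is not None:
        body["assignedTo"] = assigned_to
    if comment is not None:
        body["comment"] = comment
    if not body:
        raise ValueError("no alert fields to update")
    return body


def _alert(aid, title, severity, status, host, user, ts) -> dict:
    """Build one constructed alert record in the shape of the Alerts API response."""
    return {"id": aid, "title": title, "severity": severity, "status": status,
            "computerDnsName": host, "lastUpdateTime": ts,
            "relatedUser": {"userName": user, "domainName": "CONTOSO"} if user else None}


# Constructed sample pages (not real tenant data): alert-2 is on both pages because
# it was resolved while the poll was paging.
SAMPLE_PAGES = [
    {"value": [_alert("alert-1", "Suspicious PowerShell command line", "Medium", "New",
                      "ws01.contoso.example", "jdoe", "2022-02-17T10:00:00Z"),
               _alert("alert-2", "Credential dumping attempt", "High", "InProgress",
                      "srv02.contoso.example", None, "2022-02-17T10:05:00Z")],
     "@odata.nextLink": f"{ALERTS_URL}?$skiptoken=constructed-page-2"},
    {"value": [_alert("alert-2", "Credential dumping attempt", "High", "Resolved",
                      "srv02.contoso.example", None, "2022-02-17T10:09:00Z"),
               _alert("alert-3", "Unusual process injection", "Low", "New",
                      "ws07.contoso.example", "svc_backup", "2022-02-17T10:07:00Z")]},
]


def fake_get_page(url: str) -> dict:
    """Offline stand-in for an HTTP fetcher, serving SAMPLE_PAGES by URL."""
    return SAMPLE_PAGES[1] if "skiptoken" in url else SAMPLE_PAGES[0]


def run_offline(since_iso: str = "2022-02-17T09:00:00Z") -> dict:
    """One poll cycle against the constructed pages: CIM-style events + checkpoint."""
    alerts = fetch_updated_alerts(fake_get_page, since_iso)
    return {"events": [to_cim_alert(a) for a in alerts],
            "checkpoint": next_checkpoint(alerts, since_iso)}


if __name__ == "__main__":
    print(json.dumps(run_offline(), indent=2))
    print(json.dumps(build_alert_update(status="Resolved", classification="TruePositive",
                                        determination="Malware", comment="Confirmed by IR")))
```

The checkpoint is the newest lastUpdateTime observed rather than the wall clock, so an alert that is updated between polls is never skipped, and de-duplicating by id keeps the resolved copy of an alert that moved while the poll was paging. The PATCH builder refuses values outside the documented enumerations before anything is sent, which is the kind of guard rail the SOAR app provides when it manages alerts on the add-on's behalf.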

 

Additional Information:

- The Splunk documentation for the Splunk Add-on for Microsoft Security (https://splunkbase.splunk.com/app/6207/) is available here:
  https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/About
- Splunk provides guidance on migrating from the Microsoft 365 Defender Add-on for Splunk version 1.3.0 (https://splunkbase.splunk.com/app/4959/) to the Splunk Add-on for Microsoft Security here:
  https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Migrate
- The documentation for the Splunk SOAR Windows Defender ATP App version 3.5.2 (https://splunkbase.splunk.com/app/5870/) is here:
  https://github.com/splunk-soar-connectors/windowsdefenderatp

The Microsoft Defender for Endpoint Team
