Skip to content

Configure inputs for the Splunk Add-on for Microsoft Security

You must configure an account and an input in the Splunk Add-on for Microsoft Security to collect data with Splunk

  1. Navigate to Add-on UI > Configuration > Account.
  2. Click Add and provide the appropriate information.
    • Account Name: unique name for the account.
    • Client ID: The Azure Active Directory Client ID
    • Client Secret: Client Secret associated to that Client ID
    • Tenant ID: Tenant ID of the Azure Account
  3. Click Add to save the account
  4. Navigate to Add-on > Inputs and click the Create New Input dropdown.
    • For “Microsoft 365 Defender Incidents” modular input, enter the following information:
      • Name: name of the modular input
      • Interval: data collection interval
      • Index: index in which you want to ingest the data
      • Azure App Account: account created on configuration page using client_id and client_secret
      • Tenant ID: (optional) Tenant ID of the Azure Account. This overrides the tenant ID provided in the account created in the Configurations page
      • Environment: Endpoint to collect data from
      • Start Date: date from which user wants to start collecting data. If it is empty, default start date will be considered which is 30 days ago from now in UTC
    • For “Microsoft Defender for Endpoint Alerts” modular input, enter the following information:
      • Name: name of the modular input
      • Interval: data collection interval
      • Index: index in which you want to ingest the data
      • Azure App Account: account created on configuration page using client_id and client_secret
      • Tenant ID: (optional) Tenant ID of the Azure Account. This overrides the tenant ID provided in the account created in the Configurations page
      • Location: location of the server user wants to collect data from
      • Start Date: date from which user wants to start collecting data. If it is empty, default start date will be considered which is 30 days ago from now
    • For “Microsoft Defender Simulations” modular input, enter the following information:
      • Name: name of the modular input
      • Azure App Account: account created on configuration page using client_id and client_secret
      • Environment: environment of the server user wants to collect data from
      • Start Date: date from which user wants to start collecting data. If it is empty, default start date will be considered which is 30 days ago from now
      • Interval: data collection interval
      • Index: index in which you want to ingest the data
    • For “Microsoft Defender Event Hub” modular input, enter the following information:
      • Name: name of the modular input
      • Azure App Account: account created on configuration page using client_id and client_secret
      • Event Hub Namespace(FQDN): namespace of event hub
      • Event Hub Name: name of event hub from where user wants to collect data
      • Consumer Group: consumer group of event hub from where user wants to collect data
      • Streaming Event Types: types of advanced hunting events that will be collected by addon. If it is empty, by default all types of supported events will be collected.
      • Index: index in which you want to ingest the data

    If the Splunk Add-on for Microsoft Security is installed on an IPv6-only host and the FQDN does not support IPv6, you must configure NAT64 and DNS64 in the infrastructure.

    • For “Microsoft Defender Threat Intelligence Datasets” modular input, enter the following information:
      • Name: the name of the modular input
      • Azure App Account: the account created on the configuration page using client_id and client_secret
      • Datasets: the list of datasets from which data is collected
      • Identifiers File: a csv or txt file with a list of identifiers for which data is collected. Enter one identifier per file line.
      • Interval: data collection interval
      • Index: index in which you want to ingest the data
  5. Select your input and provide the requested information.
  6. Select Add.

Configure the Input with the same environment in all Inputs. Configuring multiple inputs, each with a different environment, will mix up commercial environment data with that of GCC/GCC-High environment data.

Important information about the Microsoft Defender Event Hub modular input

  • Splunk Cloud customers who are installing this add-on on the Inputs Data Manager (IDM) and want to collect event hub data, must use the Admin Configuration Service (ACS) to configure outbound ports 5671/tcp and 5672/tcp (Advanced Message Queuing Protocol (AMQP) specification) to connect to their target Azure address. By default IDM’s can only go out on port 443.
  • This modular input fetches data from Azure Event Hub in the real-time. In the Add-on Inputs page, interval will be displayed as 0, as it is always connected to Event Hub and listening for events from Event Hub.
  • Event Hub basic plan has a maximum 24 hours of retention policy. Hence if an instance input is not active for 24 hours, then events data not collected by the add-on during this period will be permanently lost.
  • When you enter all details and click on the Add button to create input of this type, the add-on validates that the details entered by user are valid by trying to connect to Azure Event Hub using user provided credentials. Hence it is expected to take some time in case of valid details. In case of invalid details, it is expected to take further more time to process the error and display the error from Azure Event Hub.
  • If a user adds partitions dynamically (adds new partitions in existing eventhub) in the event hub, then the input checkpoint is reset and events may be duplicated for pre-existing partitions.
    • For example:
      • An eventhub test_eventhub has 2 partitions - 0 and 1. In the MS Security addon, data is being ingested from all partitions of eventhub test_eventhub via an input input_eventhub.
      • User disables input_eventhub input in addon and adds new partitions in eventhub. After the addition of new partitions, test_eventhub now has 4 partitions - 0 to 3.
      • After adding new partitions, the user enables input input_eventhub in the addon. In this case, the checkpoint for partition 0 and 1 will be reset and events may be duplicated.
  • As most of the input details are used for checkpointing, users won’t be able to edit most of the fields after creating an input. Only Index and Streaming Event Types will be editable.

Configure inputs using configuration files

Splunk Cloud Platform

Use the Splunk Web steps for setting up the add-on, as described in the previous sections. You can’t set up the add-on using the configuration files.

Splunk Enterprise

System access, such as system administrators, is required i order to set up the Splunk Add-on for Microsoft Security using configuration files.

  1. On your heavy forwarder or deployment server, navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_MS_Security and create a local directory if it does not already exist.
  2. Create a file called splunk_ta_ms_security_account.conf in the $SPLUNK_HOME/etc/apps/Splunk_TA_MS_Security/local directory.
  3. Refer $SPLUNK_HOME/etc/apps/Splunk_TA_MS_Security/README</l/splunk_ta_ms_security_account.conf.spec for details to be filled in the splunk_ta_ms_security_account.conf file.
  4. If configuring from deployment server Enable the script://$SPLUNK_HOME/etc/apps/Splunk_TA_MS_Security/bin/ms_security_encrypt_creds.py input using inputs.conf
  5. Create the necessary inputs that are required.
  6. Push these conf files to your heavy forwarder and restart your heavy forwarder.

Supported endpoints for configuring an input

Modular Input Type Environment Endpoint Supported User-Agent Supported
ATP Alerts General https://api.securitycenter.microsoft.com MdePartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
ATP Alerts US https://api-us.securitycenter.microsoft.com MdePartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
ATP Alerts EU https://api-eu.securitycenter.microsoft.com MdePartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
ATP Alerts UK https://api-uk.securitycenter.microsoft.com MdePartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
ATP Alerts GCC https://api-gcc.securitycenter.microsoft.us MdePartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
ATP Alerts GCC High/DoD https://api-gov.securitycenter.microsoft.us MdePartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
ATP Alerts - Graph API Commercial & GCC - Graph API https://graph.microsoft.com MdePartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
ATP Alerts - Graph API GCC High - Graph API https://graph.microsoft.us MdePartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
Endpoint Incidents Commercial https://api.security.microsoft.com M365DPartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
Endpoint Incidents GCC https://api-gcc.security.microsoft.us M365DPartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
Endpoint Incidents GCC High https://api-gov.security.microsoft.us M365DPartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
Endpoint Incidents - Graph API Commercial & GCC - Graph API https://graph.microsoft.com M365DPartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
Endpoint Incidents - Graph API GCC High - Graph API https://graph.microsoft.us M365DPartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
Simulations Commercial & GCC - Graph API https://graph.microsoft.com M365DPartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
Simulations GCC High - Graph API https://graph.microsoft.us M365DPartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
Threat Intelligence General - Graph API https://graph.microsoft.com

Validate data collection

Once you have configured the modular input, run this search to check that you are ingesting the expected data.

Search

index=<index provided in the input> sourcetype IN
("ms:defender:atp:alerts", "ms365:defender:incident",
"ms365:defender:incident:alerts", "ms:defender:simulations",
"ms:defender:eventhub")