
Configure Alert Actions to collect data for the Splunk Add-on for Microsoft Security

You can configure an alert action for Advanced Hunting and Update Incidents in the Splunk Add-on for Microsoft Security to collect data into Splunk ad hoc, when the alert triggers, rather than proactively through the add-on's scheduled inputs.

  1. Navigate to Add-on UI > Settings > Searches, Reports and Alerts.
  2. Click New Alert.
  3. Click Create Alert and provide the appropriate information.
  4. Select a value from the Add Action dropdown:
    • Defender Advanced Hunting: collects Advanced Hunting events returned by the Query you provide.
    • Defender Update Incident: updates incidents and collects the events of the updated incidents.
    • Defender Update Incident via Graph API: updates incidents and collects the events of the updated incidents through the Microsoft Graph API.
  5. Select the desired action and provide the requested information.
  6. Click Save.

Note the following:

  • Alert Action queries are not supported on Classic Cloud instances.
  • When you create a Defender Advanced Hunting Alert Action, you must provide the Query, a Kusto Query Language (KQL) query that is run against Advanced Hunting.
  • You can optionally provide a Tenant ID corresponding to the selected Account; it is used to authenticate the API calls the Alert Action makes.
  • In clustered environments, configure the Alert Action on either the Victoria stack or the heavy forwarder (HF), because that is the instance that collects the data.
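The following Kusto Query Language (KQL) query is an added example of the kind of Query the Defender Advanced Hunting Alert Action expects; it is not taken from the add-on's documentation. It returns recent PowerShell launches whose command line carries an encoded payload, a common way of hiding script content from simple inspection. The table and column names (DeviceProcessEvents, ProcessCommandLine, and so on) come from Microsoft's Advanced Hunting schema; the one-hour lookback and the list of suspicious arguments are assumptions chosen for the example.

```kql
// Added example query for the Defender Advanced Hunting Alert Action (not from the add-on docs).
// Finds PowerShell launches whose command line carries an encoded or base64-decoded payload.
// Assumption: the Splunk alert that carries this action runs at least hourly,
// so a one-hour lookback does not leave a gap between runs.
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
// has_any matches whole terms case-insensitively, so "-enc" also covers "-ENC".
| where ProcessCommandLine has_any ("-enc", "-EncodedCommand", "FromBase64String")
// Keep only the fields an analyst needs to triage; fewer columns also means less data ingested into Splunk.
| project Timestamp, DeviceId, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
| limit 500
```

Keep a time filter, a project clause and a row limit in any query you attach to the action: the Advanced Hunting API caps the size of a result set, and everything the query returns is indexed in Splunk, so an unbounded query both risks truncation on the Microsoft side and drives up ingestion on the Splunk side.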