Migrate and upgrade the Splunk add-on for Microsoft Security
Upgrade the Splunk Add-on for Microsoft Security from version 2.1 to version 2.2.0 or later
After upgrading the add-on in your environment to version 2.2.0 or later, clear the browser cache. Refresh the add-on's page to see the new modular inputs that collect simulations and real-time Advanced Hunting events streamed from Azure Event Hub through the Streaming API.
Upgrade the Splunk Add-on for Microsoft Security from version 2.0.1 to version 2.1.1
After upgrading the add-on in your environment to version 2.1.1, clear the browser cache. Refresh the add-on's page to see the dashboards that show what the add-on is doing under the hood.
Upgrade the Splunk Add-on for Microsoft Security from version 1.3.1 to version 2.0.1
After upgrading the add-on in your environment to version 2.0.1, clear the web browser cache.
Migrate from the Microsoft 365 Defender Add-on for Splunk to the Splunk Add-on for Microsoft Security 1.0.0 and later
If you have already installed the Microsoft 365 Defender Add-on for Splunk in a Splunk instance and want to install Splunk Add-on for Microsoft Security in the same Splunk instance, you must first:
- Disable inputs for the Microsoft 365 Defender Add-on for Splunk
- Disable the Microsoft 365 Defender Add-on for Splunk.
This prevents conflicts between the modular inputs, data collection mechanisms, and sourcetypes of the two add-ons.
To disable inputs for Microsoft 365 Defender Add-on for Splunk, navigate to the Inputs page and select “Disable” in the dropdown for that add-on.
To disable the Microsoft 365 Defender Add-on for Splunk, navigate to Apps > Manage Apps and select the “Disable” option for the add-on.
If both add-ons are enabled on the same Splunk instance, data duplication occurs for the sourcetypes that have the same name in both add-ons: ms:defender:atp:alerts and m365:defender:incident:advanced_hunting.
The names of former sources and current sources are:
- The Microsoft 365 Defender Add-on for Splunk source names:
  - microsoft_365_defender_incidents
  - microsoft_defender_atp_alerts
  - ms_defender_apt_alerts
- The Splunk Add-on for Microsoft Security source names:
  - microsoft_365_defender_endpoint_incidents
  - microsoft_defender_endpoint_atp_alerts
  - ms_defender_endpoint_apt_alerts
- If the Microsoft 365 Defender Add-on for Splunk is already installed, the modular input names are different for the Splunk Add-on for Microsoft Security. This means that source names are modified for events coming through modular inputs. The table describes these source name changes.
| Source name in Microsoft 365 Defender Add-on for Splunk | Source name in Splunk Add-on for Microsoft Security v1.0.0 and later |
|---|---|
| microsoft_365_defender_incidents | microsoft_365_defender_endpoint_incidents |
| microsoft_defender_atp_alerts | microsoft_defender_endpoint_atp_alerts |
| ms_defender_apt_alerts | ms_defender_endpoint_apt_alerts |
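The duplication described above is easy to miss once both add-ons have written into the shared sourcetypes, because the events differ only in their `source` value. The following added example (not part of the Splunk documentation or either add-on) groups indexed events by sourcetype and alert identifier, folding the new source names back onto their legacy counterparts using the table above, and reports any alert that arrived through more than one source. The `event` dictionaries, the `id` field used as the alert identifier and the sample records are all constructed assumptions for the illustration.

```python
"""Detect alerts indexed twice because both Defender add-ons were enabled.

Added illustration, not code from Splunk or either add-on. The alert
identifier field name (`id`) and the sample events are assumptions.
"""
import json
from collections import defaultdict

# Legacy -> current source names, as listed in the migration table.
SOURCE_RENAMES = {
    "microsoft_365_defender_incidents": "microsoft_365_defender_endpoint_incidents",
    "microsoft_defender_atp_alerts": "microsoft_defender_endpoint_atp_alerts",
    "ms_defender_apt_alerts": "ms_defender_endpoint_apt_alerts",
}
_REVERSE_RENAMES = {new: old for old, new in SOURCE_RENAMES.items()}

# Sourcetypes that keep the same name in both add-ons, so both write into them.
SHARED_SOURCETYPES = {
    "ms:defender:atp:alerts",
    "m365:defender:incident:advanced_hunting",
}


def legacy_source(source):
    """Map a current source name back to its legacy name; unknown names pass through."""
    return _REVERSE_RENAMES.get(source, source)


def event_identity(event, id_field="id"):
    """Identity used to match the same alert across sources.

    Advanced Hunting rows may carry no alert id, so fall back to the
    canonical JSON of the whole event rather than collapsing them onto None.
    """
    value = event.get(id_field)
    return str(value) if value is not None else json.dumps(event, sort_keys=True)


def find_duplicates(events, id_field="id"):
    """Return {(sourcetype, legacy_source, identity): [sources]} for events
    that were ingested under more than one source name."""
    seen = defaultdict(set)
    for ev in events:
        sourcetype = ev["sourcetype"]
        if sourcetype not in SHARED_SOURCETYPES:
            continue  # distinct sourcetype names cannot collide
        key = (sourcetype, legacy_source(ev["source"]), event_identity(ev["event"], id_field))
        seen[key].add(ev["source"])
    return {key: sorted(sources) for key, sources in seen.items() if len(sources) > 1}


# Constructed sample of indexed events: the same alert arrived through the
# legacy add-on and through the new add-on; a second alert arrived once.
SAMPLE_EVENTS = [
    {"sourcetype": "ms:defender:atp:alerts", "source": "microsoft_defender_atp_alerts",
     "event": {"id": "da-0001", "title": "Suspicious process launched"}},
    {"sourcetype": "ms:defender:atp:alerts", "source": "microsoft_defender_endpoint_atp_alerts",
     "event": {"id": "da-0001", "title": "Suspicious process launched"}},
    {"sourcetype": "ms:defender:atp:alerts", "source": "microsoft_defender_endpoint_atp_alerts",
     "event": {"id": "da-0002", "title": "Anomalous sign-in"}},
    # Incidents use different sourcetype names in the two add-ons, so they are skipped.
    {"sourcetype": "ms365:defender:incident", "source": "microsoft_365_defender_endpoint_incidents",
     "event": {"incidentId": 42}},
]


if __name__ == "__main__":
    for (sourcetype, source, identity), sources in find_duplicates(SAMPLE_EVENTS).items():
        print(f"{sourcetype} {identity} seen via {', '.join(sources)} (legacy source {source})")
```

In a live deployment the same grouping can be run as a search over the shared sourcetypes; the point of the script is that the `source` value is the only reliable discriminator, so disabling the old add-on's inputs before enabling the new one is what prevents the duplicates in the first place.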
This table describes the event types supported in Splunk Add-on for Microsoft Security 1.0.0 and later with data models compared with the same for Microsoft 365 Defender Add-on for Splunk.
| Event type | CIM data model in the Microsoft 365 Defender Add-on for Splunk | CIM data model in the Splunk Add-on for Microsoft Security |
|---|---|---|
| ms_security_incident | Alerts | Ticket Management:Incident |
| ms_security_atp_alert | Alerts | Alerts |
| ms_security_advanced_hunting | No DM | No DM |
| ms_security_advanced_hunting_process | Endpoint:Processes | Endpoint:Processes |
| ms_security_advanced_hunting_network | Network Traffic, Endpoint:Ports | The eventtype is removed; these events now fall under the ms_security_advanced_hunting_process eventtype |
| ms_security_advanced_hunting_filesystem | Change:Endpoint, Endpoint:Filesystem | Endpoint:Filesystem |
| ms_security_advanced_hunting_registry | Change:Endpoint, Endpoint:Registry | Endpoint:Registry |
| ms_security_advanced_hunting_delivery | Not present | Email:Delivery |
| ms_security_advanced_hunting_email | Not present | Email:All_Email |
| ms_security_advanced_hunting_authentication | Not present | Authentication |
| ms_security_incident_alerts | Not present | Alerts |
- The sourcetypes supported in the Splunk Add-on for Microsoft Security are:
- ms:defender:atp:alerts
- ms365:defender:incident
- m365:defender:incident:advanced_hunting
- ms365:defender:incident:alerts
Events in the old sourcetype m365:defender:incident consisted of both alert data and incident data. The alert-related data was not relevant to this sourcetype, so in this release the events are split at index time: alert-related data is indexed into the new sourcetype ms365:defender:incident:alerts, and only incident-related data is ingested into the renamed sourcetype ms365:defender:incident.
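To make the index-time split concrete, here is an added example (not the add-on's own code) that takes one incident record, strips the embedded alerts into their own events destined for ms365:defender:incident:alerts, and keeps the remaining incident fields for ms365:defender:incident. The record layout, in particular an `alerts` array nested inside each incident and the `incidentId` and `alertId` field names, is assumed from the shape of Microsoft 365 Defender incident responses; the sample incident is constructed.

```python
"""Split a Microsoft 365 Defender incident into an incident-only event plus
one event per embedded alert, mirroring the index-time split described in
the migration notes.

Added illustration, not the Splunk add-on's implementation. Field names
(`alerts`, `incidentId`, `alertId`) and the sample record are assumptions.
"""
import json

INCIDENT_SOURCETYPE = "ms365:defender:incident"
ALERTS_SOURCETYPE = "ms365:defender:incident:alerts"


def split_incident(incident, alerts_key="alerts"):
    """Return (incident_only, alert_events).

    incident_only is the incident with the alerts array removed; each alert
    event is stamped with the parent incidentId so the two streams can be
    correlated after they land in different sourcetypes.
    """
    alerts = incident.get(alerts_key) or []
    incident_only = {k: v for k, v in incident.items() if k != alerts_key}
    parent_id = incident.get("incidentId")
    alert_events = []
    for alert in alerts:
        event = dict(alert)  # copy so the caller's record is not mutated
        event.setdefault("incidentId", parent_id)
        alert_events.append(event)
    return incident_only, alert_events


def to_indexer_events(incident):
    """Produce (sourcetype, raw JSON) pairs as the indexer would receive them."""
    incident_only, alert_events = split_incident(incident)
    events = [(INCIDENT_SOURCETYPE, json.dumps(incident_only, sort_keys=True))]
    events.extend((ALERTS_SOURCETYPE, json.dumps(a, sort_keys=True)) for a in alert_events)
    return events


# Constructed sample incident, not real tenant data.
SAMPLE_INCIDENT = {
    "incidentId": 1001,
    "incidentName": "Multi-stage incident involving one endpoint",
    "severity": "Medium",
    "status": "Active",
    "alerts": [
        {"alertId": "da-1001-a", "title": "Suspicious PowerShell command line", "severity": "Medium"},
        {"alertId": "da-1001-b", "title": "Anomalous sign-in", "severity": "Low"},
    ],
}


if __name__ == "__main__":
    for sourcetype, raw in to_indexer_events(SAMPLE_INCIDENT):
        print(f"{sourcetype}: {raw}")
```

Searches that previously read alert fields out of m365:defender:incident need to move to ms365:defender:incident:alerts after the upgrade; the `incidentId` carried on each alert event is what lets a search join the two sourcetypes back together.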
- Schema difference in Alerts that are collected through the Splunk Add-on for Microsoft Security:
The Splunk Add-on for Microsoft Security collects alerts in the following sourcetypes:
* ms:defender:atp:alerts
* ms365:defender:incident:alerts
Based on specific requirements, users can collect either of the two alert sourcetypes as these events contain some fields which are unique to each sourcetype.
Refer to the Microsoft documentation for the ATP Alerts and Incidents APIs for further information about the schema differences between the two alert types.