Release history¶
Version 2.4.1 is the latest release of the Splunk Add-on for Microsoft Security. See Release notes for more information.
Version 2.4.0¶
Version 2.4.0 of the Splunk Add-on for Microsoft Security was released on November 25, 2024. It is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 9.1.x, 9.2.x, 9.3.x |
|---|---|
| CIM | 5.3.2 |
| Platforms | Windows, Linux based Operating Systems |
| Vendor Products | Microsoft 365 Defender, Defender for Endpoint, Azure Event Hubs, Microsoft Defender Threat Intelligence |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New Features¶
- New modular input to collect Microsoft Defender Threat Intelligence datasets from Microsoft Graph API
Fixed issues¶
Version 2.4.0 of the Splunk Add-on for Microsoft Security fixes the following issues.
Known issues¶
Version 2.4.0 of the Splunk Add-on for Microsoft Security contains the following known issues.
Third-party software attributions¶
Version 2.4.0 incorporates third-party software attributions for the Splunk Add-on for Microsoft Security.
Version 2.3.0¶
Version 2.3.0 of the Splunk Add-on for Microsoft Security was released on July 29, 2024. It is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 9.1.x, 9.2.x |
| CIM | 5.3.2 |
| Platforms | Windows, Linux based Operating Systems |
| Vendor Products | Microsoft 365 Defender, Defender for Endpoint, Azure Event Hubs |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features¶
Version 2.3.0 of the Splunk Add-on for Microsoft Security has the following new features.
- Support for IPv6
Fixed issues¶
Version 2.3.0 of the Splunk Add-on for Microsoft Security fixes the following issues.
Known issues¶
Version 2.3.0 of the Splunk Add-on for Microsoft Security contains the following known issues.
Third-party software attributions¶
Version 2.3.0 incorporates third-party software attributions for the Splunk Add-on for Microsoft Security.
Version 2.2.0¶
Version 2.2.0 of the Splunk Add-on for Microsoft Security was released on April 24, 2024. It is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 9.0.x, 9.1.0.x |
| CIM | 5.2.0 |
| Platforms | Windows, Linux based Operating Systems |
| Vendor Products | Microsoft 365 Defender, Defender for Endpoint, Azure Event Hubs |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features¶
Version 2.2.0 of the Splunk Add-on for Microsoft Security has the following new features.
- New modular input to collect simulations data from Microsoft 365 Defender Portal.
- New modular input to collect Microsoft Defender Advanced Hunting events from Azure Event Hub streamed from Defender portal via streaming API.
CIM Data Model Changes¶
There are no changes in the CIM Data Model for existing extractions. For new modular inputs introduced in v2.2.0, CIM Data Model mappings are as below:
Field Changes¶
| Source-type | attackType | Fields added | Fields removed |
|---|---|---|---|
['ms:defender:simulations'] |
social | type, user_name, severity, src, app, dest, user, signature, signature_id |
| Source-type | category | Fields added | Fields removed |
|---|---|---|---|
['ms:defender:eventhub'] |
AdvancedHunting-DeviceEvents | parent_process_name, user, parent_process_id, parent_process_path, action, original_file_name, process_exec, process_integrity_level, dest, process_path, vendor_product, process_id, process_hash, process_name, process | |
['ms:defender:eventhub'] |
AdvancedHunting-DeviceFileCertificateInfo | ssl_validity_window, src, ssl_issuer_common_name, dest, ssl_serial, ssl_subject_common_name, ssl_subject_organization, ssl_hash, ssl_start_time, ssl_signature_algorithm, ssl_end_time | |
['ms:defender:eventhub'] |
AdvancedHunting-DeviceFileEvents | file_name, file_create_time, file_hash, action, file_access_time, file_acl, dest, file_path, file_size, vendor_product, process_id, user | |
['ms:defender:eventhub'] |
AdvancedHunting-DeviceImageLoadEvents | file_name, file_hash, action, file_access_time, file_acl, dest, file_size, file_path, vendor_product, process_id, user | |
['ms:defender:eventhub'] |
AdvancedHunting-DeviceInfo | family, version, os, dest, vendor_product | |
['ms:defender:eventhub'] |
AdvancedHunting-DeviceLogonEvents, AdvancedHunting-DeviceNetworkEvents | parent_process_name, user, parent_process_id, parent_process_path, action, original_file_name, process_exec, process_integrity_level, dest, process_path, vendor_product, process_id, process_hash, process_name, process | |
['ms:defender:eventhub'] |
AdvancedHunting-DeviceNetworkInfo | mac, src_ip, name, ip, dest, interface, vendor_product, dns, status | |
['ms:defender:eventhub'] |
AdvancedHunting-DeviceProcessEvents | parent_process_name, user, parent_process_id, parent_process_path, action, parent_process, original_file_name, process_exec, process_integrity_level, dest, process_path, vendor_product, process_id, process_name, process | |
['ms:defender:eventhub'] |
AdvancedHunting-DeviceRegistryEvents | action, registry_path, dest, registry_key_name, registry_hive, process_id, registry_value_type, vendor_product, registry_value_name, user |
There are no field mappings removed in this version. As a part of introducing new modular inputs, only new field mappings are added.
Fixed issues¶
Version 2.2.0 of the Splunk Add-on for Microsoft Security fixes the following issues.
Known issues¶
Version 2.2.0 of the Splunk Add-on for Microsoft Security contains the following known issues.
Third-party software attributions¶
Version 2.2.0 incorporates third-party software attributions for the Splunk Add-on for Microsoft Security.
Version 2.1.1¶
Version 2.1.1 of the Splunk Add-on for Microsoft Security was released on July 13, 2023. It is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 9.0.x |
| CIM | 5.0.1 |
| Platforms | Platform independent |
| Vendor Products | Microsoft 365 Defender, Defender for Endpoint |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features¶
Version 2.1.1 of the Splunk Add-on for Microsoft Security has the following new features.
- Fixes the issue of proxy not being used while creating/updating inputs.
CIM Data Model Changes¶
There are no CIM Data Model changes between the Splunk add-on for Microsoft Security v2.1.0 and v2.1.1.
Fixed issues¶
Version 2.1.1 of the Splunk Add-on for Microsoft Security contains the following fixed issues.
Known issues¶
Version 2.1.1 of the Splunk Add-on for Microsoft Security contains the following known issues.
Third-party software attributions¶
Version 2.1.1 incorporates third-party software attributions for the Splunk Add-on for Microsoft Security.
Version 2.1.0¶
Version 2.1.0 of the Splunk Add-on for Microsoft Security was released on June 13, 2023. It is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 9.0.x |
| CIM | 5.0.1 |
| Platforms | Platform independent |
| Vendor Products | Microsoft 365 Defender, Defender for Endpoint |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features¶
Version 2.1.0 of the Splunk Add-on for Microsoft Security has the following new features.
- Provides dashboards to give insights of the Add-On, informational insights and errors and its action items
- Provides support for configuring the add-on from the deployment server
- Shows warning message when creating an input with duplicate values
CIM Data Model Changes¶
There are no CIM Data Model or field extraction changes between the Splunk add-on for Microsoft Security v2.0.1 vs v2.1.0
Fixed issues¶
Version 2.1.0 of the Splunk Add-on for Microsoft Security fixes the following issues.
Known issues¶
Version 2.1.0 of the Splunk Add-on for Microsoft Security contains the following known issues.
Third-party software attributions¶
Version 2.1.0 incorporates third-party software attributions for the Splunk Add-on for Microsoft Security.
Version 2.0.1¶
Version 2.0.1 of the Splunk Add-on for Microsoft Security was released on Apr 14, 2023. It is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 8.1.x, 8.2.x, 9.0.x |
| CIM | 5.0.1 |
| Platforms | Platform independent |
| Vendor Products | Microsoft 365 Defender, Defender for Endpoint |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features¶
Version 2.0.1 of the Splunk Add-on for Microsoft Security has the following new features.
- Provided support of Microsoft Graph API for getting incidents and alerts
- Provided support of Microsoft Graph API for updating incidents and running advanced hunting queries
- Updated look and feel of the input and configuration pages
- Account configuration now supports providing a default value for tenant Id
- The data collected via Microsoft Graph API is CIM compliant
CIM Data Model Changes¶
There are no CIM Data Model changes between the Splunk add-on for Microsoft Security v1.3.1 vs v2.0.1 but there are the following new mappings.
Field Changes¶
| Source-type | category | Fields added | Fields removed |
|---|---|---|---|
['ms:defender:atp:alerts'] |
LateralMovement, Discovery, PrivilegeEscalation, SuspiciousActivity, DefenseEvasion, Collection, CredentialAccess, Execution, CommandAndControl, InitialAccess | signature_id | |
['ms:defender:atp:alerts'] |
None, Persistence | signature_id, user |
| Source-type | threatFamilyName | Fields added | Fields removed |
|---|---|---|---|
['ms365:defender:incident:alerts'] |
null | signature_id |
Previously, for the above signature_id and user fields, values
such as “null” were extracted, which now won’t be extracted. There are
no field changes for m365:defender:incident:advanced_hunting
sourcetype
Fixed issues¶
Version 2.0.1 of the Splunk Add-on for Microsoft Security fixes the following issues.
Known issues¶
Version 2.0.1 of the Splunk Add-on for Microsoft Security contains the following known issues.
Third-party software attributions¶
Version 2.0.1 incorporates third-party software attributions for the Splunk Add-on for Microsoft Security.
Version 1.3.1¶
Version 1.3.1 of the Splunk Add-on for Microsoft Security was released on October 13, 2022. It is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 8.1, 8.2, 9.0 |
| CIM | 5.0.1 |
| Platforms | Platform independent |
| Vendor Products | Microsoft 365 Defender, Defender for Endpoint |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features¶
Version 1.3.1 of the Splunk Add-on for Microsoft Security has the following new features.
- Updated the eventtype name from ms_defender to ms_security for Splunk Add-On for Microsoft Security
| Old Eventtype Name | New Eventtype Name |
|---|---|
| ms_defender_incident | ms_security_incident |
| ms_defender_atp_alert | ms_security_atp_alert |
| ms_defender_advanced_hunting_sourcetypes | ms_security_advanced_hunting |
| ms_defender_advanced_hunting_process. | ms_security_advanced_hunting_process |
| ms_defender_advanced_hunting_filesystem | ms_security_advanced_hunting_filesystem |
| ms_defender_advanced_hunting_registry | ms_security_advanced_hunting_registry |
| ms_defender_advanced_hunting_delivery | ms_security_advanced_hunting_delivery |
| ms_defender_advanced_hunting_email | ms_security_advanced_hunting_email |
| ms_defender_advanced_hunting_authentication | ms_security_advanced_hunting_authentication |
| ms_defender_incident_alerts | ms_security_incident_alerts |
- Added the support of host field for the events ingested via Alert Actions.
- Updated the system path to prioritize Add-on’s third-party libraries for data collection.
- Enhanced validations for better user experience.
- Added support of “Tenant ID” input field in the Alert actions configuration
- Enhanced user experience to select “Account Name” input field in the Alert actions configuration
- Updated extraction of
_timefield in the sourcetypesms:defender:atp:alertsandms365:defender:incident:alerts. It will be extracted based on the “last update time” of the event
Fixed issues¶
Version 1.3.1 of the Splunk Add-on for Microsoft Security fixes the following issues.
Known issues¶
Version 1.3.1 of the Splunk Add-on for Microsoft Security contains the following known issues.
Third-party software attributions¶
Version 1.3.1 incorporates third-party software attributions for the Splunk Add-on for Microsoft Security.
Version 1.2.0¶
Version 1.2.0 of the Splunk Add-on for Microsoft Security was released on March 23, 2022. It is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 8.1, 8.2 |
| CIM | 5.0.0 |
| Platforms | Platform independent |
| Vendor Products | Microsoft 365 Defender, Defender for Endpoint |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features¶
Version 1.2.0 of the Splunk Add-on for Microsoft Security has the following new features.
- Added support for GCC and GCC High environments. Users can now collect data from these environments if they have credentials for these environments.
- Updated working of alert action - defender_update_incident
- CIM v5.0.0 support
Fixed issues¶
Version 1.2.0 of the Splunk Add-on for Microsoft Security fixes the following issues.
Known issues¶
Version 1.2.0 of the Splunk Add-on for Microsoft Security contains the following known issues.
Third-party software attributions¶
Version 1.2.0 incorporates third-party software attributions for the Splunk Add-on for Microsoft Security.
Version 1.1.0¶
Version 1.1.0 of the Splunk Add-on for MS Security was released on January 24, 2021. It is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 8.1, 8.2 |
| CIM | 4.20.2 |
| Platforms | Platform independent |
| Vendor Products | Microsoft 365 Defender, Defender for Endpoint |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features¶
Version 1.1.0 of the Splunk Add-on for Microsoft Security has the following new features.
- This is a brand new release for Splunk Add-on for MS Security. The add-on is migrated from the Microsoft 365 Defender Add-on for Splunk.
- The sourcetype
m365:defender:incidentis renamed toms365:defender:incidentand is now mapped to Ticket_Management:Incident CIM data model instead of Alerts CIM data model - Enhanced CIM field mapping for
ms:defender:atp:alerts,m365:defender:incident:advanced:hunting - Introduced new sourcetype
ms365:defender:incident:alertswhich contains alerts related data bifurcated from incident events from old sourcetype=m365:defender:incident - Earlier, the events in old sourcetype
m365:defender:incidentconsisted of alerts data and incident data. Alerts related data was not relevant in this sourcetype. So in this release, the events are bifurcated at index time in such a way that alerts related data gets indexed into the new sourcetype ms365:defender:incident:alerts and only incident related data gets ingested in the renamed sourcetypems365:defender:incident - Removed dashboard panels - alert_queue, incident_queue, overview_alert, overview_detections, advanced_hunting, incident_detail, incident_overview, incident_update, microsoft_defender_atp_alerts
- Added support for CIM v4.20.2
Fixed issues¶
Version 1.1.0 of the Splunk Add-on for Microsoft Security fixes the following issues.
Known issues¶
Version 1.1.0 of the Splunk Add-on for MS Security contains the following known issues.
Third-party software attributions¶
Version 1.1.0 incorporates third-party software attributions for the Splunk Add-on for Microsoft Security.