Release notes for the Splunk Add-on for Microsoft Security
About this release
Version 3.0.0 of the Splunk Add-on for Microsoft Security was released on
Compatibility
Version 3.0.0 is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 9.x |
|---|---|
| CIM | 5.3.2 |
| Platforms | Windows, Linux based Operating Systems |
| Vendor Products | Microsoft 365 Defender, Defender for Endpoint, Azure Event Hubs, Microsoft Defender Threat Intelligence |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features
- Enhanced AdvancedHunting Event Mapping
  - Expanded the mapping coverage for AdvancedHunting events to include broader CIM compatibility.
  - New event types are listed in the New event types section, and field mapping changes for existing events are listed in the Field mapping changes section.
- Optimized Data Ingestion Efficiency
  - Replaced the previous recursive pagination (which loaded all results into memory) with iterative chunked collection, reducing memory usage, improving performance and stability under rate limits, and enabling earlier incremental checkpoint updates for faster recovery.
- Lookback Option for Incidents and Alerts Inputs
  - Introduced a configurable lookback parameter, enabling users to define custom time ranges for query execution.
- Monitoring Dashboard
  - Introduced a new Monitoring dashboard for operational visibility. The previous (legacy) metrics and the original monitoring dashboard remain available under the Internal tab.
New event types
| Source type | Category | Fields added |
|---|---|---|
| ms:defender:eventhub | AdvancedHunting-AlertInfo | app, id, severity, signature, type, vendor_product |
| ms:defender:eventhub | AdvancedHunting-AlertEvidence | description, id, severity, type, user, vendor_account |
| ms:defender:eventhub | AdvancedHunting-EmailAttachmentInfo | file_name, file_create_time, file_hash, action, file_access_time, file_acl, dest, file_path, file_size, vendor_product, process_id, vendor_account |
| ms:defender:eventhub | AdvancedHunting-EmailEvents | action, internal_message_id, message_id, recipient, recipient_count, recipient_domain, src_user, src_user_domain, subject, vendor_product |
| ms:defender:eventhub | AdvancedHunting-EmailUrlInfo | action, internal_message_id, url, vendor_product |
| ms:defender:eventhub | AdvancedHunting-IdentityLogonEvents | action, app, authentication_method, authentication_service, dest, dest_nt_domain, signature, src, src_user_id, vendor_account |
Field mapping changes
| Source type | Category | Fields modified | 2.5.4 extractions | 3.0.0 extractions | Comments |
|---|---|---|---|---|---|
| ms:defender:eventhub | AdvancedHunting-DeviceRegistryEvents | dest | tenantId | DeviceName | field mapping change |
| ms:defender:eventhub | AdvancedHunting-UrlClickEvents | vendor_product | DefaultTenant | Microsoft Defender for Endpoint | default value change |
| ms:defender:eventhub | AdvancedHunting-UrlClickEvents | action | ClickAllowed | allowed | value change according to the Data Model specification when the ActionType property is ClickAllowed |
| ms:defender:eventhub | AdvancedHunting-DeviceFileEvents | file_size | FileSize/1000 | FileSize/1024 | now calculated in bytes |
| ms:defender:eventhub | AdvancedHunting-DeviceFileEvents | dest | tenantId | DeviceName | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceImageLoadEvents | action | read | allowed | value change according to the Data Model specification when the ActionType property is ImageLoaded |
| ms:defender:eventhub | AdvancedHunting-DeviceImageLoadEvents | dest | tenantId | DeviceName | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceImageLoadEvents | file_size | FileSize/1000 | FileSize/1024 | now calculated in bytes |
| ms:defender:eventhub | AdvancedHunting-DeviceLogonEvents | dest | RemoteIP | DeviceName | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceNetworkEvents | dest | RemoteIP | DeviceName | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceNetworkEvents | original_file_name | InitiatingProcessFileName | ProcessVersionInfoOriginalFileName | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceNetworkEvents | parent_process_id | InitiatingProcessParentId | InitiatingProcessId | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceNetworkEvents | process | InitiatingProcessCommandLine | ProcessCommandLine | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceNetworkEvents | process_exec | InitiatingProcessFileName | derived from FolderPath | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceNetworkEvents | process_id | InitiatingProcessId | ProcessId | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceNetworkEvents | process_integrity_level | InitiatingProcessIntegrityLevel | ProcessIntegrityLevel | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceNetworkEvents | process_name | InitiatingProcessFileName | FileName | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceNetworkEvents | process_path | InitiatingProcessFolderPath | FolderPath | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceProcessEvents | action | created | allowed | value change according to the Data Model specification when the ActionType property is ProcessCreated |
| ms:defender:eventhub | AdvancedHunting-DeviceProcessEvents | dest | TenantId | DeviceName | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceProcessEvents | original_file_name | FileName | ProcessVersionInfoOriginalFileName | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceProcessEvents | parent_process_exec | N/A | InitiatingProcessFileName | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceEvents | dest | tenantId | DeviceName | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceEvents | original_file_name | InitiatingProcessFileName | ProcessVersionInfoOriginalFileName | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceEvents | parent_process_id | InitiatingProcessParentId | InitiatingProcessId | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceEvents | process | InitiatingProcessCommandLine | ProcessCommandLine | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceEvents | process_exec | InitiatingProcessFileName | derived from FolderPath | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceEvents | process_id | InitiatingProcessId | ProcessId | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceEvents | process_integrity_level | InitiatingProcessIntegrityLevel | ProcessIntegrityLevel | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceEvents | process_name | InitiatingProcessFileName | FileName | field mapping change |
| ms:defender:eventhub | AdvancedHunting-DeviceEvents | process_path | InitiatingProcessFolderPath | FolderPath | field mapping change |
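The DeviceNetworkEvents rows above change which raw property feeds almost every process-related CIM field, so saved searches and correlation rules keyed on `dest`, `process_exec` or `parent_process_id` can silently change meaning after the upgrade. The following added example (not the add-on's own code) transcribes the 2.5.4 and 3.0.0 DeviceNetworkEvents mappings from the table, applies both to one constructed event, and reports the CIM fields whose value differs; the basename derivation for `process_exec` is an assumption, since the table only says "derived from FolderPath".

```python
import ntpath

# CIM field -> raw Advanced Hunting property (or a callable) for
# AdvancedHunting-DeviceNetworkEvents, transcribed from the table above.
MAPPING_2_5_4 = {
    "dest": "RemoteIP",
    "original_file_name": "InitiatingProcessFileName",
    "parent_process_id": "InitiatingProcessParentId",
    "process": "InitiatingProcessCommandLine",
    "process_exec": "InitiatingProcessFileName",
    "process_id": "InitiatingProcessId",
    "process_integrity_level": "InitiatingProcessIntegrityLevel",
    "process_name": "InitiatingProcessFileName",
    "process_path": "InitiatingProcessFolderPath",
}
def exec_from_folder_path(event):
    # 3.0.0 lists process_exec as "derived from FolderPath"; taking the
    # basename of the Windows path is an assumption, not the add-on's code.
    return ntpath.basename(event.get("FolderPath", "")) or None
MAPPING_3_0_0 = {
    "dest": "DeviceName",
    "original_file_name": "ProcessVersionInfoOriginalFileName",
    "parent_process_id": "InitiatingProcessId",
    "process": "ProcessCommandLine",
    "process_exec": exec_from_folder_path,
    "process_id": "ProcessId",
    "process_integrity_level": "ProcessIntegrityLevel",
    "process_name": "FileName",
    "process_path": "FolderPath",
}
def map_event(event, mapping):
    # Apply one mapping; a raw property missing from the event yields no CIM field.
    fields = {f: (s(event) if callable(s) else event.get(s)) for f, s in mapping.items()}
    return {f: v for f, v in fields.items() if v is not None}
def changed_fields(event):
    # CIM fields whose value differs between the two versions: {field: (old, new)}.
    old, new = map_event(event, MAPPING_2_5_4), map_event(event, MAPPING_3_0_0)
    return {f: (old.get(f), new.get(f)) for f in MAPPING_3_0_0 if old.get(f) != new.get(f)}

SAMPLE_EVENT = {  # constructed record, not captured from a real tenant
    "DeviceName": "ws01.corp.example", "RemoteIP": "203.0.113.5",
    "FileName": "powershell.exe", "ProcessId": 4120, "ProcessIntegrityLevel": "Medium",
    "FolderPath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "ProcessCommandLine": "powershell.exe -File backup.ps1",
    "ProcessVersionInfoOriginalFileName": "PowerShell.EXE",
    "InitiatingProcessId": 3300, "InitiatingProcessParentId": 900,
    "InitiatingProcessFileName": "explorer.exe", "InitiatingProcessCommandLine": "explorer.exe",
    "InitiatingProcessFolderPath": "C:\\Windows\\explorer.exe", "InitiatingProcessIntegrityLevel": "Medium",
}
```

Running `changed_fields(SAMPLE_EVENT)` shows that only `process_integrity_level` keeps its value here; every other mapped field now describes the process that made the connection rather than its parent, and `dest` switches from the remote IP to the local device name.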
Fixed issues
Version 3.0.0 of the Splunk Add-on for Microsoft Security fixes the following issues.
Known issues
Version 3.0.0 of the Splunk Add-on for Microsoft Security contains the following known issues.
Third-party software attributions
Version 3.0.0 incorporates third-party software attributions for the Splunk Add-on for Microsoft Security.