
Release notes for the Splunk Add-on for Microsoft Security

About this release

Version 2.5.4 of the Splunk Add-on for Microsoft Security was released on June 24, 2025.

Up to and including the previous version, the add-on retrieved incidents from the REST API in the API's default order, which is descending (newest first). When the number of incidents required more than 50 calls per minute to the Defender API, the Defender rate limit was exceeded and the requests were throttled. As a consequence, some incidents from the peak period were not retrieved, and because of the add-on's internal state and business logic there was no way to retrieve that data afterwards.

This version changes the retrieval order to ascending (oldest first), which is the order most other Splunk-supported add-ons use. When the Defender rate limit is reached, the add-on waits and then continues forward from where it stopped, so no incidents are skipped.
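The ordering change described above, as an added example that is not the add-on's own code: the Python below runs both strategies against a constructed in-memory stand-in for the incidents API with a 50-calls-per-minute budget and a simulated clock, so it runs offline and instantly. The class and function names, the field names incidentId and lastUpdateTime, and the page size are assumptions for illustration, not the real API contract. It reproduces the failure mode the note describes: with descending order a throttled pass leaves the oldest incidents unfetched while the checkpoint has already moved past them, so the next poll cannot recover them; with ascending order and a checkpoint that advances only after each stored page, a throttle is just a pause.

```python
"""Added example (not the add-on's code): the two polling strategies the release
note contrasts, run against a constructed in-memory stand-in for the incidents API.
Field names (incidentId, lastUpdateTime), the page size and the 50-calls-per-minute
budget are illustrative assumptions."""
from dataclasses import dataclass


@dataclass
class FakeIncidentApi:
    """Constructed stand-in for the incidents endpoint with a per-minute call budget.

    `minute` is a simulated clock; the budget resets when it advances, so the
    example needs no real sleeping and no network.
    """
    incidents: list               # dicts with 'incidentId' and 'lastUpdateTime'
    budget_per_minute: int = 50   # assumed Defender limit quoted in the note
    page_size: int = 10           # small pages so 600 incidents need 60 calls
    minute: int = 0
    calls_this_minute: int = 0

    def advance_minute(self):
        """Stand-in for sleeping until the rate-limit window resets."""
        self.minute += 1
        self.calls_this_minute = 0

    def list_incidents(self, since, order, skip=0):
        """Return (status, page); 429 models throttling and carries no data."""
        if self.calls_this_minute >= self.budget_per_minute:
            return 429, []
        self.calls_this_minute += 1
        rows = [i for i in self.incidents if i["lastUpdateTime"] > since]
        rows.sort(key=lambda i: i["lastUpdateTime"], reverse=(order == "desc"))
        return 200, rows[skip:skip + self.page_size]


def poll_descending(api, checkpoint):
    """Old behaviour: newest first, single pass, checkpoint = newest time seen.

    A 429 ends the pass. The pages not yet fetched hold the *oldest* incidents,
    and the checkpoint has already moved past them, so the next poll never asks
    for them again. Returns (collected_ids, new_checkpoint).
    """
    collected, skip, newest = [], 0, checkpoint
    while True:
        status, page = api.list_incidents(checkpoint, "desc", skip)
        if status == 429 or not page:
            break
        newest = max(newest, page[0]["lastUpdateTime"])
        collected.extend(i["incidentId"] for i in page)
        skip += len(page)
    return collected, newest


def poll_ascending(api, checkpoint):
    """New behaviour: oldest first, checkpoint advanced after every stored page.

    A 429 means wait for the window and retry the same request; nothing is
    skipped, and the checkpoint only ever covers incidents already stored.
    Real code should honour a Retry-After header and persist the checkpoint.
    The constructed data has distinct timestamps; a real poller must also
    handle ties (e.g. filter with >= and de-duplicate on incidentId).
    """
    collected = []
    while True:
        status, page = api.list_incidents(checkpoint, "asc")
        if status == 429:
            api.advance_minute()
            continue
        if not page:
            break
        collected.extend(i["incidentId"] for i in page)
        checkpoint = page[-1]["lastUpdateTime"]
    return collected, checkpoint


def compare(n_incidents=600):
    """Run both pollers over the same backlog; return counts stored and lost."""
    def fresh_api():
        data = [{"incidentId": k, "lastUpdateTime": k} for k in range(1, n_incidents + 1)]
        return FakeIncidentApi(incidents=data)
    all_ids = set(range(1, n_incidents + 1))

    api = fresh_api()
    got, cp = poll_descending(api, checkpoint=0)     # throttled after 50 pages
    api.advance_minute()
    got += poll_descending(api, cp)[0]               # next poll: nothing older returns
    desc = set(got)

    api = fresh_api()
    asc = set(poll_ascending(api, checkpoint=0)[0])  # waits once, then finishes

    return {"descending_stored": len(desc), "descending_lost": len(all_ids - desc),
            "ascending_stored": len(asc), "ascending_lost": len(all_ids - asc)}


if __name__ == "__main__":
    print(compare())
```

Running the module prints the comparison: over a 600-incident backlog the descending poller stores 500 and permanently loses 100, while the ascending poller pauses once at the budget and stores all 600.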

Version 2.5.4 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 9.1.x, 9.2.x, 9.3.x, 9.4.x
CIM: 5.3.2
Platforms: Windows, Linux-based operating systems
Vendor products: Microsoft 365 Defender, Defender for Endpoint, Azure Event Hubs, Microsoft Defender Threat Intelligence

Note

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

Fixed issues

Version 2.5.4 of the Splunk Add-on for Microsoft Security fixes the following issues.

Known issues

Version 2.5.4 of the Splunk Add-on for Microsoft Security contains the following known issues.

Third-party software attributions

Version 2.5.4 incorporates third-party software attributions for the Splunk Add-on for Microsoft Security.