Source types for the Splunk Add-on for Microsoft Security
The Splunk Add-on for Microsoft Security provides the search-time knowledge for Microsoft Security logs in the following formats.
Source type | Description | CIM data models |
---|---|---|
ms:defender:atp:alerts | This sourcetype contains data related to alerts generated from the Microsoft 365 Defender portal. | Alerts |
ms365:defender:incident | This sourcetype contains data related to incidents generated from the Microsoft 365 Defender portal. | Ticket Management |
ms365:defender:incident:alerts | This sourcetype is newly introduced and contains data related to alerts associated with incidents in Microsoft 365 Defender. | Alerts |
m365:defender:incident:advanced_hunting | This sourcetype collects events from the alert actions configured in the add-on. | Email, Endpoint, Authentication |
ms:defender:simulations | This sourcetype contains data related to simulations generated from the Microsoft 365 Defender portal. | Alerts |
ms:defender:eventhub | This sourcetype contains advanced hunting event data generated from the Microsoft 365 Defender portal and collected from Azure Event Hub. | Certificates, Endpoint, Compute Inventory |
ms:defender:ti:articles | This sourcetype contains article data obtained from Microsoft Defender Threat Intelligence. | |
ms:defender:ti:article_indicators | This sourcetype contains article indicator data obtained from Microsoft Defender Threat Intelligence. | |
ms:defender:ti:certificates | This sourcetype contains host certificate data obtained from Microsoft Defender Threat Intelligence. | |
ms:defender:ti:components | This sourcetype contains host component data obtained from Microsoft Defender Threat Intelligence. | |
ms:defender:ti:cookies | This sourcetype contains host cookie data obtained from Microsoft Defender Threat Intelligence. | |
ms:defender:ti:hostpairs | This sourcetype contains host pair data obtained from Microsoft Defender Threat Intelligence. | |
ms:defender:ti:passivedns | This sourcetype contains host passive DNS record data obtained from Microsoft Defender Threat Intelligence. | |
ms:defender:ti:subdomains | This sourcetype contains host subdomain data obtained from Microsoft Defender Threat Intelligence. | |
ms:defender:ti:trackers | This sourcetype contains host tracker data obtained from Microsoft Defender Threat Intelligence. | |
ms:defender:ti:whois | This sourcetype contains host WHOIS data obtained from Microsoft Defender Threat Intelligence. | |
Duplicate events for the ms365:defender:incident:alerts sourcetype
- Microsoft Defender incident alerts can be collected as part of the Microsoft 365 Defender incidents API.
- When a Microsoft 365 Defender incident is updated (status change, alerts added or removed, and so on), a new event is generated and collected in Splunk for both the ms365:defender:incident:alerts and ms365:defender:incident sourcetypes.
- Whenever an incident is updated, some of its fields are modified, but its related alerts may not be. So on the next API call, when the incident with the same incidentId is fetched, it is again written to both the ms365:defender:incident and ms365:defender:incident:alerts sourcetypes, which can produce duplicate data in the alerts sourcetype.
- For example, if incidentId=21 is updated, then during the next API call incidentId=21 is fetched and ingested into sourcetype=ms365:defender:incident with the updated field values, and its related alerts are ingested into sourcetype=ms365:defender:incident:alerts with the same field values as before, causing probable data duplication.
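To check whether this duplication is present in your own data before building detections or reports on it, the following search is an added example rather than part of the add-on's documentation. It counts how many copies of each alert were ingested per incident; `incidentId` is the field the text above refers to, while `alertId` is an assumed name for the field that carries the alert identifier and should be replaced with the one present in your events.

```spl
sourcetype="ms365:defender:incident:alerts"
| stats count AS ingested_copies, min(_time) AS first_seen, max(_time) AS last_seen BY incidentId, alertId
| where ingested_copies > 1
| convert ctime(first_seen), ctime(last_seen)
| sort - ingested_copies
```

When reporting on alerts, keep only the most recent copy of each one with `| dedup incidentId alertId sortby -_time` before any stats command, so that re-fetched incidents do not inflate alert counts.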