Skip to content

Overview

Splunk Add-on for Microsoft Security
Version 2.4.1
Vendor Products Microsoft 365 Defender, Defender for Endpoint, Azure Event Hubs, Microsoft Defender Threat Intelligence
Visible in Splunk Web Yes, this add-on contains configuration

The Splunk Add-on for Microsoft Security collects incidents and related information from Microsoft 365 Defender and alerts from Microsoft Defender for Endpoint.

This Add-on collects simulation data from Microsoft Defender for Endpoint and Microsoft 365 Defender Advanced Hunting events data from Azure Event Hubs, which is streamed in real-time from Microsoft Defender Portal using streaming API.

This Add-on collects Microsoft Defender Threat Intelligence data.

Download the Splunk Add-on for Microsoft Security from the Splunkbase.

Hardware and software requirements

You must have an Azure Active Directory application registration to use this add-on. The Azure Active Directory account must be configured with tenant_id, client_id, and client_secret. You use these parameters to configure the accounts and inputs in the add-on to start data collection in Splunk.

  • Refer to the Microsoft docs for information about setting up an Azure Active Directory application registration with the appropriate permissions for Microsoft Defender for Endpoint and Microsoft Defender for Endpoint incidents.

Splunk platform requirements

Because this add-on runs on the Splunk platform, all the system requirements apply for the Splunk software that you use to run this add-on.

  • For Splunk Enterprise system requirements: see System Requirements in the Splunk Enterprise Installation Manual.

  • If you are managing on-premises forwarders to get data into Splunk Cloud, see System Requirements in the Splunk Enterprise Installation Manual, which includes information about forwarders.

Installation and configuration overview for the Splunk Add-on for Microsoft Security

Install and configure this add-on on your supported platform:

  1. Download the add-on from Splunkbase.
  2. Install the add-on.
  3. Configure your input.
  4. (Optional) Configure your alert actions.

Ended: Overview

Installation

Install the Splunk Add-on for Microsoft Security

Use the tables in this topic to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise. See the installation walkthrough at the end of this topic for links to installation instructions specific to a single-instance deployment, distributed deployment, or Splunk Cloud.

Where to install this add-on for a distributed deployment

Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. This table provides a quick reference for installing this add-on to a distributed deployment of Splunk Enterprise.

Splunk instance type Supported Required Comments
Search Heads Yes Yes This add-on contains search-time knowledge. If possible, turn off visibility on your search heads to prevent data duplication errors that can result from running inputs on your search heads instead of, or in addition to, on your data collection node.
Indexers Yes No Not required because the parsing operations occur on the forwarders.
Heavy Forwarders Yes No Recommended. Install this add-on on a heavy forwarder for data collection. To avoid duplicates, configure data collection in a single location.
Universal Forwarders No No Universal forwarders are not supported for data collection because the modular inputs require Python and the Splunk REST handler.

Installation walkthrough

See “Installing add-ons” in Splunk Add-Ons for detailed instructions describing how to install a Splunk add-on in the following deployment scenarios:

Migrate and upgrade the Splunk add-on for Microsoft Security

Upgrade the Splunk Add-on for Microsoft Security from version 2.1 to version 2.2.0 or later

After upgrading the add-on in your environment to version 2.2.0 or later, clear the browser cache. Refresh the Add-On’s page to see the new modular inputs to collect simulations and real time Advanced hunting events from Azure Event Hub streamed using streaming API.

Upgrade the Splunk Add-on for Microsoft Security from version 2.0.1 to version 2.1.1

After upgrading the add-on in your environment to version 2.1.1, clear the browser cache. Refresh the Add-On’s page to see the dashboards that give a sneak peek under the hood of the add-on.

Upgrade the Splunk Add-on for Microsoft Security from version 1.3.1 to version 2.0.1

After upgrading the add-on in your environment to version 2.0.1, clear the web browser cache.

Migrate from the Microsoft 365 Defender Add-on for Splunk to the Splunk Add-on for Microsoft Security 1.0.0 and later

If you have already installed the Microsoft 365 Defender Add-on for Splunk in a Splunk instance and want to install Splunk Add-on for Microsoft Security in the same Splunk instance, you must first:

  • Disable inputs for the Microsoft 365 Defender Add-on for Splunk
  • Disable the Microsoft 365 Defender Add-on for Splunk.

This prevents clashing of modular inputs, data collection mechanisms, and sourcetypes in both add-ons.

To disable inputs for Microsoft 365 Defender Add-on for Splunk, navigate to the Inputs page and select “Disable” in the dropdown for that add-on.

To disable the Microsoft 365 Defender Add-on for Splunk, navigate to Apps > Manage Apps and select the “Disable” option for the add-on.

If both add-ons are enabled on the same Splunk instance, data duplication occurs for the sourcetype with the same names: ms:defender:atp:alerts and m365:defender:incident:advanced_hunting. The names of former sources and current sources are:

  • The Microsoft 365 Defender Add-on for Splunk source names:
    • microsoft_365_defender_incidents
    • microsoft_defender_atp_alerts
    • ms_defender_apt_alerts
  • The Splunk Add-on for Microsoft Security sourcenames:
    • microsoft_365_defender_endpoint_incidents
    • microsoft_defender_endpoint_atp_alerts
    • ms_defender_endpoint_apt_alerts
  • If the Microsoft 365 Defender Add-on for Splunk is already installed, the modular input names are different for the Splunk Add-on for Microsoft Security. This means that source names are modified for events coming through modular inputs. The table describes these source name changes.
Source name in Microsoft 365 Defender Add-on for Splunk Source name in Splunk add-on for MS Security v1.0.0 and later
microsoft_365_defender_incidents microsoft_365_defender_endpoint_incidents
microsoft_defender_atp_alerts microsoft_defender_endpoint_atp_alerts
ms_defender_apt_alerts ms_defender_endpoint_apt_alerts

This table describes the event types supported in Splunk Add-on for Microsoft Security 1.0.0 and later with data models compared with the same for Microsoft 365 Defender Add-on for Splunk.

Event type CIM data model in the Microsoft 365 Defender Add-on for Splunk CIM data model in the Splunk Add-on for Microsoft Security
ms_security_incident Alerts Ticket Management:Incident
ms_security_atp_alert Alerts Alerts
ms_security_advanced_hunting No DM No DM
ms_security_advanced_hunting_process Endpoint:Processes Endpoint:Processes
ms_security_advanced_hunting_network Network Traffic, Endpoint:Ports The eventtype is removed and the events now falls under ms_security_advanced_hunting_process eventtype
ms_security_advanced_hunting_filesystem Change:Endpoint, Endpoint:Filesystem Endpoint:Filesystem
ms_security_advanced_hunting_registry Change:Endpoint, Endpoint:Registry Endpoint:Registry
ms_security_advanced_hunting_delivery Not present Email:Delivery
ms_security_advanced_hunting_email Not present Email:All_Email
ms_security_advanced_hunting_authentication Not present Authentication
ms_security_incident_alerts Not present Alerts
  • The sourcetypes supported in the Splunk Add-on for Microsoft Security are:
    • ms:defender:atp:alerts
    • ms365:defender:incident
    • m365:defender:incident:advanced_hunting
    • ms365:defender:incident:alerts

Events in old sourcetype m365:defender:incident consisted of alerts data and incident data. Alerts related data was not relevant in this sourcetype. So in this release, the events are bifurcated at index time in such a way that alerts related data gets indexed into the new sourcetype ms365:defender:incident:alerts, and only incident related data gets ingested in the re-named sourcetype ms365:defender:incident

  • Schema difference in Alerts that are collected through the Splunk Add-on for Microsoft Security:

The Splunk Addon for Microsoft Security collects Alerts in the following sourcetypes:

* ms:defender:atp:alerts
* ms365:defender:incident:alerts

Based on specific requirements, users can collect either of the two alert sourcetypes as these events contain some fields which are unique to each sourcetype.

Refer to the Microsoft Documents for ATP Alerts and Incident APIs to get further information about the difference in schema for both alerts.

Create Active Directory permissions for configuring Microsoft Account

Create Active Directory permissions for configuring Microsoft Account

To collect data for Microsoft Security sourcetypes, you must configure an Active Directory Application Account with appropriate permissions in Azure Active Directory Portal. Permissions required for different sourcetypes:

Purpose Sourcetype Permission/Role Input type
Read Incidents and its associated Alerts ms365:defender:incident / ms365:defender:incident:alert Incident.Read.All, SecurityIncident.Read.All* Modular Input
Read Alerts ms:defender:atp:alerts Alert.Read.All, SecurityAlert.Read.All* Modular Input
Update Incidents ms365:defender:incident / ms365:defender:incident:alert Incident.ReadWrite.All, SecurityIncident.ReadWrite.All* Alert Action
Fetch Advance Hunt query results m365:defender:incident:
advanced_hunting		 AdvancedHunting.Read.All, ThreatHunting.Read.All* Alert Action
Read Simulation reports data ms:defender:simulations AttackSimulation.Read.All Modular Input
Read Microsoft Defender generated Advanced Hunting events from Azure Event Hub using streaming API ms:defender:eventhub Azure Active Directory account with Role “Azure Event Hubs Data Receiver”** Modular Input
Read Microsoft Defender Threat Intelligence datasets ms:defender:articles / ms:defender:ti:article_indicators / ms:defender:ti:certificates / ms:defender:ti:components / ms:defender:ti:cookies / ms:defender:ti:hostpairs / ms:defender:ti:passivedns / ms:defender:ti:subdomains / ms:defender:ti:trackers / ms:defender:ti:whois ThreatIntelligence.Read.All Modular Input

Permissions with an (*) are required if you are pulling or pushing data via the Microsoft Graph REST APIs.

Role with an (**) is required for getting events from eventhub. You can refer to Microsoft docs for configuring streaming API to stream data from Microsoft 365 Defender Portal to Azure Event Hubs. After the streaming API has been configured, Advanced Hunting data will be streamed to Azure Event Hub in real time and add-on will collect the data from Azure Event Hub.

After creating the Active Directory Application, login to the Azure Portal and refer to the Azure documentation and:

  • Ensure that Alert permissions are set to
    • “Alert.Read.All” or “Alert.ReadWrite.All” when using Microsoft 365 APIs
    • “SecurityAlert.Read.All” or “SecurityAlert.ReadWrite.All” when using Microsoft Graph REST APIs
  • Ensure that Incidents permissions are set to
    • “Incident.ReadWrite.All” or “Incident.Read.All” or “AdvancedHunting.Read.All” when using Microsoft 365 APIs
    • “SecurityIncident.Read.All” or “SecurityIncident.ReadWrite.All” or “ThreatHunting.Read.All” when using Microsoft Graph REST APIs

Ended: Installation

Configuration

Configure inputs for the Splunk Add-on for Microsoft Security

You must configure an account and an input in the Splunk Add-on for Microsoft Security to collect data with Splunk

  1. Navigate to Add-on UI > Configuration > Account.
  2. Click Add and provide the appropriate information.
    • Account Name: unique name for the account.
    • Client ID: The Azure Active Directory Client ID
    • Client Secret: Client Secret associated to that Client ID
    • Tenant ID: Tenant ID of the Azure Account
  3. Click Add to save the account
  4. Navigate to Add-on > Inputs and click the Create New Input dropdown.
    • For “Microsoft 365 Defender Incidents” modular input, enter the following information:
      • Name: name of the modular input
      • Interval: data collection interval
      • Index: index in which you want to ingest the data
      • Azure App Account: account created on configuration page using client_id and client_secret
      • Tenant ID: (optional) Tenant ID of the Azure Account. This overrides the tenant ID provided in the account created in the Configurations page
      • Environment: Endpoint to collect data from
      • Start Date: date from which user wants to start collecting data. If it is empty, default start date will be considered which is 30 days ago from now in UTC
    • For “Microsoft Defender for Endpoint Alerts” modular input, enter the following information:
      • Name: name of the modular input
      • Interval: data collection interval
      • Index: index in which you want to ingest the data
      • Azure App Account: account created on configuration page using client_id and client_secret
      • Tenant ID: (optional) Tenant ID of the Azure Account. This overrides the tenant ID provided in the account created in the Configurations page
      • Location: location of the server user wants to collect data from
      • Start Date: date from which user wants to start collecting data. If it is empty, default start date will be considered which is 30 days ago from now
    • For “Microsoft Defender Simulations” modular input, enter the following information:
      • Name: name of the modular input
      • Azure App Account: account created on configuration page using client_id and client_secret
      • Environment: environment of the server user wants to collect data from
      • Start Date: date from which user wants to start collecting data. If it is empty, default start date will be considered which is 30 days ago from now
      • Interval: data collection interval
      • Index: index in which you want to ingest the data
    • For “Microsoft Defender Event Hub” modular input, enter the following information:
      • Name: name of the modular input
      • Azure App Account: account created on configuration page using client_id and client_secret
      • Event Hub Namespace(FQDN): namespace of event hub
      • Event Hub Name: name of event hub from where user wants to collect data
      • Consumer Group: consumer group of event hub from where user wants to collect data
      • Streaming Event Types: types of advanced hunting events that will be collected by addon. If it is empty, by default all types of supported events will be collected.
      • Index: index in which you want to ingest the data

    If the Splunk Add-on for Microsoft Security is installed on an IPv6-only host and the FQDN does not support IPv6, you must configure NAT64 and DNS64 in the infrastructure.

    • For “Microsoft Defender Threat Intelligence Datasets” modular input, enter the following information:
      • Name: the name of the modular input
      • Azure App Account: the account created on the configuration page using client_id and client_secret
      • Datasets: the list of datasets from which data is collected
      • Identifiers File: a csv or txt file with a list of identifiers for which data is collected. Enter one identifier per file line.
      • Interval: data collection interval
      • Index: index in which you want to ingest the data
  5. Select your input and provide the requested information.
  6. Select Add.

Configure the Input with the same environment in all Inputs. Configuring multiple inputs, each with a different environment, will mix up commercial environment data with that of GCC/GCC-High environment data.

Important information about the Microsoft Defender Event Hub modular input

  • Splunk Cloud customers who are installing this add-on on the Inputs Data Manager (IDM) and want to collect event hub data, must use the Admin Configuration Service (ACS) to configure outbound ports 5671/tcp and 5672/tcp (Advanced Message Queuing Protocol (AMQP) specification) to connect to their target Azure address. By default IDM’s can only go out on port 443.
  • This modular input fetches data from Azure Event Hub in the real-time. In the Add-on Inputs page, interval will be displayed as 0, as it is always connected to Event Hub and listening for events from Event Hub.
  • Event Hub basic plan has a maximum 24 hours of retention policy. Hence if an instance input is not active for 24 hours, then events data not collected by the add-on during this period will be permanently lost.
  • When you enter all details and click on the Add button to create input of this type, the add-on validates that the details entered by user are valid by trying to connect to Azure Event Hub using user provided credentials. Hence it is expected to take some time in case of valid details. In case of invalid details, it is expected to take further more time to process the error and display the error from Azure Event Hub.
  • If a user adds partitions dynamically (adds new partitions in existing eventhub) in the event hub, then the input checkpoint is reset and events may be duplicated for pre-existing partitions.
    • For example:
      • An eventhub test_eventhub has 2 partitions - 0 and 1. In the MS Security addon, data is being ingested from all partitions of eventhub test_eventhub via an input input_eventhub.
      • User disables input_eventhub input in addon and adds new partitions in eventhub. After the addition of new partitions, test_eventhub now has 4 partitions - 0 to 3.
      • After adding new partitions, the user enables input input_eventhub in the addon. In this case, the checkpoint for partition 0 and 1 will be reset and events may be duplicated.
  • As most of the input details are used for checkpointing, users won’t be able to edit most of the fields after creating an input. Only Index and Streaming Event Types will be editable.

Configure inputs using configuration files

Splunk Cloud Platform

Use the Splunk Web steps for setting up the add-on, as described in the previous sections. You can’t set up the add-on using the configuration files.

Splunk Enterprise

System access, such as system administrators, is required i order to set up the Splunk Add-on for Microsoft Security using configuration files.

  1. On your heavy forwarder or deployment server, navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_MS_Security and create a local directory if it does not already exist.
  2. Create a file called splunk_ta_ms_security_account.conf in the $SPLUNK_HOME/etc/apps/Splunk_TA_MS_Security/local directory.
  3. Refer $SPLUNK_HOME/etc/apps/Splunk_TA_MS_Security/README</l/splunk_ta_ms_security_account.conf.spec for details to be filled in the splunk_ta_ms_security_account.conf file.
  4. If configuring from deployment server Enable the script://$SPLUNK_HOME/etc/apps/Splunk_TA_MS_Security/bin/ms_security_encrypt_creds.py input using inputs.conf
  5. Create the necessary inputs that are required.
  6. Push these conf files to your heavy forwarder and restart your heavy forwarder.

Supported endpoints for configuring an input

Modular Input Type Environment Endpoint Supported User-Agent Supported
ATP Alerts General https://api.securitycenter.microsoft.com MdePartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
ATP Alerts US https://api-us.securitycenter.microsoft.com MdePartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
ATP Alerts EU https://api-eu.securitycenter.microsoft.com MdePartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
ATP Alerts UK https://api-uk.securitycenter.microsoft.com MdePartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
ATP Alerts GCC https://api-gcc.securitycenter.microsoft.us MdePartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
ATP Alerts GCC High/DoD https://api-gov.securitycenter.microsoft.us MdePartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
ATP Alerts - Graph API Commercial & GCC - Graph API https://graph.microsoft.com MdePartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
ATP Alerts - Graph API GCC High - Graph API https://graph.microsoft.us MdePartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
Endpoint Incidents Commercial https://api.security.microsoft.com M365DPartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
Endpoint Incidents GCC https://api-gcc.security.microsoft.us M365DPartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
Endpoint Incidents GCC High https://api-gov.security.microsoft.us M365DPartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
Endpoint Incidents - Graph API Commercial & GCC - Graph API https://graph.microsoft.com M365DPartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
Endpoint Incidents - Graph API GCC High - Graph API https://graph.microsoft.us M365DPartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
Simulations Commercial & GCC - Graph API https://graph.microsoft.com M365DPartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
Simulations GCC High - Graph API https://graph.microsoft.us M365DPartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>
Threat Intelligence General - Graph API https://graph.microsoft.com

Validate data collection

Once you have configured the modular input, run this search to check that you are ingesting the expected data.

Search

index=<index provided in the input> sourcetype IN
("ms:defender:atp:alerts", "ms365:defender:incident",
"ms365:defender:incident:alerts", "ms:defender:simulations",
"ms:defender:eventhub")

Configure Alert Actions to collect data for the Splunk Add-on for Microsoft Security

You can configure an alert action for Advanced Hunting and Update Incidents in the Splunk Add-on for Microsoft Security in order to collect data into Splunk ad-hoc rather than proactively

  1. Navigate to Add-on UI > Settings > Searches, Reports and Alerts.
  2. Click New Alert.
  3. Click Create Alert and provide the appropriate information.
  4. Select a value from Add Action dropdown
    • Defender Advanced Hunting: For collecting Advanced Hunting Events
    • Defender Update Incident: For updating incidents and collecting events of updated incidents
    • Defender Update Incident via Graph API: For updating incidents and collecting events of updated incidents using the Microsoft Graph API
  5. Select desired action and provide the requested information.
  6. Click Save.

Note the following:

  • Alert Action queries are not supported on Classic Cloud instances.
  • When you create a Defender Advanced Hunting Alert Action, you must provide the Query
  • You can optionally provide a Tenant ID corresponding to the selected Account to authenticate API calls for Alert Actions
  • In clustered environments, configure the Alert Action on either the Victoria stack or HF as it collects data.

Use Dashboards to view the analytics for the Splunk Add-on for Microsoft Security

MS Security TA logs Dashboard

You can view the log analytics and performance data for the Splunk Add-on for Microsoft Security using this dashboard.

  1. Navigate to Add-on UI > Log Analytics > MS Security TA logs.
  2. Select time range from timepicker with label Time for logs in the top left corner.
  3. Now you can view different type of analytics and panels related to TA logs.

Panels provided in this Dashboard include:

  • Microsoft Security TA
  • Roles for the MS Security (Requires DEBUG logs enabled)
  • CPU consumption (Supported only on specific OS)
  • Memory consumption (Supported only on specific OS)
  • ATP Alerts ingested
  • Defender Incidents ingested
    • Defender Incidents
    • Defender Alerts associated with Incidents
  • Events from EventHub ingested
  • Advance Hunting ingested
  • Phishing Simulation Attack ingested
  • EPS by MS Security sourcetype (EPS stands for Events per Second)
  • MS Security .conf current changes
  • MS Security .conf update frequency

MS Security TA Errors Dashboard

You can view the Error analytics and performance data sourcetype wise for the Splunk Add-on for Microsoft Security using this dashboard.

  1. Navigate to Add-on UI > Log Analytics > MS Security TA Errors.
  2. Select time range from the time selector with the label Time for logs in the top left corner.
  3. Now you can view different types of analytics and panels related to the TA logs.

Panels provided in this Dashboard:

  • ATP Alerts errors
  • Defender Incidents errors
  • Defender EventHub Input errors
  • Advance Hunting errors
  • Defender Simulations errors

MDTI ingestion stats Dashboard

On this dashboard, you can view ingestion statistics and performance data presented by sourcetype for the “Microsoft Defender Threat Intelligence Datasets” inputs.

  1. Navigate to Add-on UI > Log Analytics > MDTI ingestion stats.
  2. Select time range from the time selector with the label Time Range in the top left corner.
  3. Select index where the data is ingested.
  4. Now you can view different types of analytics and panels related to the TA logs.

Panels provided in this Dashboard:

  • Events/1m ingestion rate by Sourcetype
  • Events/1m ingestion rate
  • Events ingested by Sourcetype
  • Hosts Ingested by Sourcetype
  • Input Ingestion Stats /1m
  • API Health Metrics /1m
  • Input Log

Ended: Configuration

Troubleshoot

Troubleshoot the Splunk Add-on for Microsoft Security

For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons. You can also access these support and resource links.

Useful Searches

Search the internal index for logs specific to the add-on. Search queries are added in dashboard panels for displaying the error to users. Error information can be viewed in Dashboards provided by Add-on, see MS Security TA Errors Dashboard.

403 Forbidden Error

This error message “Missing Application Roles. API required roles: …” implies that your Azure Active Directory Account does not have necessary permissions for fetching the data. 

    ERROR pid=<pid> tid=<thread> file=ms_security_utils.py:get_atp_alerts_odata:274 | {'error': {'code': 'Forbidden', 'message': 'Missing application roles. API required roles: SecurityIncident.Read.All,SecurityIncident.ReadWrite.All, application roles: SecurityEvents.Read.All,User.Read.All.', 'innerError': '...'}}
    Traceback (most recent call last):
     File "/opt/splunk/etc/apps/Splunk_TA_MS_Security/bin/ms_security_utils.py", line 254, in get_atp_alerts_odatar.raise_for_status()
     File "/opt/splunk/etc/apps/Splunk_TA_MS_Security/lib/requests/models.py", line 1021, in raise_for_status
      raise HTTPError(http_error_msg, response=self)
     requests.exceptions.HTTPError: 403 Client Error: Forbidden for url:<your_url>
You can refer to the Configure Permissions document and add the missing permissions mentioned in the error message to resolve the error.

To use Microsoft Graph API to collect data, set the parameter environment/location ending with - Graph API while configuring an input in the add-on. You need to set the permissions for Graph API accordingly as well.

SSL certificate issue

If you encounter a SSL: CERTIFICATE_VERIFY_FAILED issue, the SSL certificate entry might be missing from your certificate store. Resolve the issue by adding the certificate to your add-on trust list.

The Splunk Add-on for Microsoft Security uses the Python requests library to make REST calls to Microsoft. Requests will throw this SSL error if it’s unable to verify the certificate. For more information, see https://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification

  • Navigate to \$SPLUNK_HOME/etc/apps/Splunk_TA_MS_Security/lib/certifi
  • Edit cacert.pem file
  • Append the contents of your root certificate to this file
  • Restart Splunk

New extractions don’t work

If extractions don’t work, try disabling the inputs of ‘Microsoft 365 Defender Add-on for Splunk’ and then disable the ‘Microsoft 365 Defender Add-on for Splunk’ and check if the extractions are applied

To disable the inputs and the add-on:

  1. Navigate to Add-on > Inputs
  2. Disable input by selecting “Disable” in the dropdown list.
  3. Navigate to Apps > Manage Apps
  4. Disable the Microsoft 365 Defender Add-on for Splunk by clicking “Disable”..

Data duplication in the ms365:defender:incident:alerts sourcetype

Data duplication is an expected behavior in ms365:defender:incident:alerts sourcetype. See the Sourcetypes topic in this manual for more information.

Data duplication in the ms:defender:ti:* sourcetypes

Data duplication is an expected behavior in ms:defender:ti:* sourcetypes.

Issue in Data Collection

If any issue in data collection persists, verify appropriate permissions are set for the configured account on Azure Active Directory Portal. See the Hardware and software requirements topic in this manual for more information.

Ended: Troubleshoot

Reference

Source types for the Splunk Add-on for Microsoft Security

The Splunk Add-on for Microsoft Security provides the search-time knowledge for Microsoft Security logs in the following formats.

Source type Description CIM data models
ms:defender:atp:alerts This sourcetype contains data related to alerts generated from the Microsoft 365 Defender portal. Alerts
ms365:defender:incident This sourcetype contains data related to incidents generated from the Microsoft 365 Defender portal. Ticket Management
ms365:defender:incident:alerts This sourcetype is newly introduced and contains data related to alerts associated with incidents in Microsoft 365 Defender. Alerts
m365:defender:incident:advanced_hunting This sourcetype collects events from the alerts actions configured in the add-on Email, Endpoint, Authentication
ms:defender:simulations This sourcetype contains data related to simulations generated from the Microsoft 365 Defender portal. Alerts
ms:defender:eventhub This sourcetype contains advanced hunting events data generated from the Microsoft 365 Defender portal and collected from Azure Event Hub. Certificates, Endpoint,Compute Inventory
ms:defender:ti:articles This sourcetype contains article data obtained from the Microsoft Defender Threat Intelligence.
ms:defender:ti:article_indicators This sourcetype contains article indicator data obtained from the Microsoft Defender Threat Intelligence.
ms:defender:ti:certificates This sourcetype contains host certificates data obtained from the Microsoft Defender Threat Intelligence.
ms:defender:ti:components This sourcetype contains host components data obtained from the Microsoft Defender Threat Intelligence.
ms:defender:ti:cookies This sourcetype contains host cookies data obtained from the Microsoft Defender Threat Intelligence.
ms:defender:ti:hostpairs This sourcetype contains host pairs data obtained from the Microsoft Defender Threat Intelligence.
ms:defender:ti:passivedns This sourcetype contains host passive DNS record data obtained from the Microsoft Defender Threat Intelligence.
ms:defender:ti:subdomains This sourcetype contains host subdomains data obtained from the Microsoft Defender Threat Intelligence.
ms:defender:ti:trackers This sourcetype contains host trackers data obtained from the Microsoft Defender Threat Intelligence.
ms:defender:ti:whois This sourcetype contains host WHOIS data obtained from the Microsoft Defender Threat Intelligence.

Duplicate Events for ms365:defender:incident:alerts sourcetype

  • Microsoft Defender Incident Alerts can be collected as a part of Microsoft 365 Defender incidents API.
  • When Microsoft 365 defender incidents are updated (status change, alerts added/removed, etc) a new event is generated and collected in Splunk for both ms365:defender:incident:alerts and ms365:defender:incident sourcetypes.
  • Whenever an event is updated some of its fields are modified but its related alerts may not be modified. So in the next API call when the event with the same incidentId is fetched it is assigned to both ms365:defender:incident and ms365:defender:incident:alerts sourcetypes causing probable data duplication in alerts sourcetype.
  • For example, if incidentId=21 is updated, during the next API call, “incidentId=21” is fetched and ingested in sourcetype=ms365:defender:incident in Splunk with updated field values, and its related alerts are ingested in sourcetype=ms365:defender:incident:alerts with the same field values causing probable data duplication.

Ended: Reference

Release Notes

Release notes for the Splunk Add-on for Microsoft Security

About this release

Version 2.4.1 of the Splunk Add-on for Microsoft Security was released on December 5, 2024. It is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 9.1.x, 9.2.x, 9.3.x
CIM 5.3.2
Platforms Windows, Linux based Operating Systems
Vendor Products Microsoft 365 Defender, Defender for Endpoint, Azure Event Hubs, Microsoft Defender Threat Intelligence

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

Fixed issues

Version 2.4.1 of the Splunk Add-on for Microsoft Security fixes the following issues.

Known issues

Version 2.4.1 of the Splunk Add-on for Microsoft Security contains the following known issues.

Third-party software attributions

Version 2.4.1 incorporates third-party software attributions for the Splunk Add-on for Microsoft Security.

Release history

Version 2.4.1 is the latest release of the Splunk Add-on for Microsoft Security. See Release notes for more information.

Version 2.4.0

Version 2.4.0 of the Splunk Add-on for Microsoft Security was released on November 25, 2024. It is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 9.1.x, 9.2.x, 9.3.x
CIM 5.3.2
Platforms Windows, Linux based Operating Systems
Vendor Products Microsoft 365 Defender, Defender for Endpoint, Azure Event Hubs, Microsoft Defender Threat Intelligence

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New Features

  • New modular input to collect Microsoft Defender Threat Intelligence datasets from Microsoft Graph API

Fixed issues

Version 2.4.0 of the Splunk Add-on for Microsoft Security fixes the following issues.

Known issues

Version 2.4.0 of the Splunk Add-on for Microsoft Security contains the following known issues.

Third-party software attributions

Version 2.4.0 incorporates third-party software attributions for the Splunk Add-on for Microsoft Security.

Version 2.3.0

Version 2.3.0 of the Splunk Add-on for Microsoft Security was released on July 29, 2024. It is compatible with the following software, CIM versions, and platforms.
Splunk platform versions 9.1.x, 9.2.x
CIM 5.3.2
Platforms Windows, Linux based Operating Systems
Vendor Products Microsoft 365 Defender, Defender for Endpoint, Azure Event Hubs

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 2.3.0 of the Splunk Add-on for Microsoft Security has the following new features.

  • Support for IPv6

Fixed issues

Version 2.3.0 of the Splunk Add-on for Microsoft Security fixes the following issues.

Known issues

Version 2.3.0 of the Splunk Add-on for Microsoft Security contains the following known issues.

Third-party software attributions

Version 2.3.0 incorporates third-party software attributions for the Splunk Add-on for Microsoft Security.

Version 2.2.0

Version 2.2.0 of the Splunk Add-on for Microsoft Security was released on April 24, 2024. It is compatible with the following software, CIM versions, and platforms.
Splunk platform versions 9.0.x, 9.1.0.x
CIM 5.2.0
Platforms Windows, Linux based Operating Systems
Vendor Products Microsoft 365 Defender, Defender for Endpoint, Azure Event Hubs

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 2.2.0 of the Splunk Add-on for Microsoft Security has the following new features.

  • New modular input to collect simulations data from Microsoft 365 Defender Portal.
  • New modular input to collect Microsoft Defender Advanced Hunting events from Azure Event Hub streamed from Defender portal via streaming API.

CIM Data Model Changes

There are no changes in the CIM Data Model for existing extractions. For new modular inputs introduced in v2.2.0, CIM Data Model mappings are as below:

Field Changes

Source-type attackType Fields added Fields removed
['ms:defender:simulations'] social type, user_name, severity, src, app, dest, user, signature, signature_id
Source-type category Fields added Fields removed
['ms:defender:eventhub'] AdvancedHunting-DeviceEvents parent_process_name, user, parent_process_id, parent_process_path, action, original_file_name, process_exec, process_integrity_level, dest, process_path, vendor_product, process_id, process_hash, process_name, process
['ms:defender:eventhub'] AdvancedHunting-DeviceFileCertificateInfo ssl_validity_window, src, ssl_issuer_common_name, dest, ssl_serial, ssl_subject_common_name, ssl_subject_organization, ssl_hash, ssl_start_time, ssl_signature_algorithm, ssl_end_time
['ms:defender:eventhub'] AdvancedHunting-DeviceFileEvents file_name, file_create_time, file_hash, action, file_access_time, file_acl, dest, file_path, file_size, vendor_product, process_id, user
['ms:defender:eventhub'] AdvancedHunting-DeviceImageLoadEvents file_name, file_hash, action, file_access_time, file_acl, dest, file_size, file_path, vendor_product, process_id, user
['ms:defender:eventhub'] AdvancedHunting-DeviceInfo family, version, os, dest, vendor_product
['ms:defender:eventhub'] AdvancedHunting-DeviceLogonEvents, AdvancedHunting-DeviceNetworkEvents parent_process_name, user, parent_process_id, parent_process_path, action, original_file_name, process_exec, process_integrity_level, dest, process_path, vendor_product, process_id, process_hash, process_name, process
['ms:defender:eventhub'] AdvancedHunting-DeviceNetworkInfo mac, src_ip, name, ip, dest, interface, vendor_product, dns, status
['ms:defender:eventhub'] AdvancedHunting-DeviceProcessEvents parent_process_name, user, parent_process_id, parent_process_path, action, parent_process, original_file_name, process_exec, process_integrity_level, dest, process_path, vendor_product, process_id, process_name, process
['ms:defender:eventhub'] AdvancedHunting-DeviceRegistryEvents action, registry_path, dest, registry_key_name, registry_hive, process_id, registry_value_type, vendor_product, registry_value_name, user

There are no field mappings removed in this version. As a part of introducing new modular inputs, only new field mappings are added.

Fixed issues

Version 2.2.0 of the Splunk Add-on for Microsoft Security fixes the following issues.

Known issues

Version 2.2.0 of the Splunk Add-on for Microsoft Security contains the following known issues.

Third-party software attributions

Version 2.2.0 incorporates third-party software attributions for the Splunk Add-on for Microsoft Security.

Version 2.1.1

Version 2.1.1 of the Splunk Add-on for Microsoft Security was released on July 13, 2023. It is compatible with the following software, CIM versions, and platforms.
Splunk platform versions 9.0.x
CIM 5.0.1
Platforms Platform independent
Vendor Products Microsoft 365 Defender, Defender for Endpoint

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 2.1.1 of the Splunk Add-on for Microsoft Security has the following new features.

  • Fixes the issue of proxy not being used while creating/updating inputs.

CIM Data Model Changes

There are no CIM Data Model changes between the Splunk add-on for Microsoft Security v2.1.0 and v2.1.1.

Fixed issues

Version 2.1.1 of the Splunk Add-on for Microsoft Security contains the following fixed issues.

Known issues

Version 2.1.1 of the Splunk Add-on for Microsoft Security contains the following known issues.

Third-party software attributions

Version 2.1.1 incorporates third-party software attributions for the Splunk Add-on for Microsoft Security.

Version 2.1.0

Version 2.1.0 of the Splunk Add-on for Microsoft Security was released on June 13, 2023. It is compatible with the following software, CIM versions, and platforms.
Splunk platform versions 9.0.x
CIM 5.0.1
Platforms Platform independent
Vendor Products Microsoft 365 Defender, Defender for Endpoint

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 2.1.0 of the Splunk Add-on for Microsoft Security has the following new features.

  • Provides dashboards to give insights of the Add-On, informational insights and errors and its action items
  • Provides support for configuring the add-on from the deployment server
  • Shows warning message when creating an input with duplicate values

CIM Data Model Changes

There are no CIM Data Model or field extraction changes between the Splunk add-on for Microsoft Security v2.0.1 vs v2.1.0

Fixed issues

Version 2.1.0 of the Splunk Add-on for Microsoft Security fixes the following issues.

Known issues

Version 2.1.0 of the Splunk Add-on for Microsoft Security contains the following known issues.

Third-party software attributions

Version 2.1.0 incorporates third-party software attributions for the Splunk Add-on for Microsoft Security.

Version 2.0.1

Version 2.0.1 of the Splunk Add-on for Microsoft Security was released on Apr 14, 2023. It is compatible with the following software, CIM versions, and platforms.
Splunk platform versions 8.1.x, 8.2.x, 9.0.x
CIM 5.0.1
Platforms Platform independent
Vendor Products Microsoft 365 Defender, Defender for Endpoint

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 2.0.1 of the Splunk Add-on for Microsoft Security has the following new features.

  • Provided support of Microsoft Graph API for getting incidents and alerts
  • Provided support of Microsoft Graph API for updating incidents and running advanced hunting queries
  • Updated look and feel of the input and configuration pages
  • Account configuration now supports providing a default value for tenant Id
  • The data collected via Microsoft Graph API is CIM compliant

CIM Data Model Changes

There are no CIM Data Model changes between the Splunk add-on for Microsoft Security v1.3.1 vs v2.0.1 but there are the following new mappings.

Field Changes

Source-type category Fields added Fields removed
['ms:defender:atp:alerts'] LateralMovement, Discovery, PrivilegeEscalation, SuspiciousActivity, DefenseEvasion, Collection, CredentialAccess, Execution, CommandAndControl, InitialAccess signature_id
['ms:defender:atp:alerts'] None, Persistence signature_id, user
Source-type threatFamilyName Fields added Fields removed
['ms365:defender:incident:alerts'] null signature_id

Previously, for the above signature_id and user fields, values such as “null” were extracted, which now won’t be extracted. There are no field changes for m365:defender:incident:advanced_hunting sourcetype

Fixed issues

Version 2.0.1 of the Splunk Add-on for Microsoft Security fixes the following issues.

Known issues

Version 2.0.1 of the Splunk Add-on for Microsoft Security contains the following known issues.

Third-party software attributions

Version 2.0.1 incorporates third-party software attributions for the Splunk Add-on for Microsoft Security.

Version 1.3.1

Version 1.3.1 of the Splunk Add-on for Microsoft Security was released on October 13, 2022. It is compatible with the following software, CIM versions, and platforms.
Splunk platform versions 8.1, 8.2, 9.0
CIM 5.0.1
Platforms Platform independent
Vendor Products Microsoft 365 Defender, Defender for Endpoint

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 1.3.1 of the Splunk Add-on for Microsoft Security has the following new features.

  • Updated the eventtype name from ms_defender to ms_security for Splunk Add-On for Microsoft Security
Old Eventtype Name New Eventtype Name
ms_defender_incident ms_security_incident
ms_defender_atp_alert ms_security_atp_alert
ms_defender_advanced_hunting_sourcetypes ms_security_advanced_hunting
ms_defender_advanced_hunting_process. ms_security_advanced_hunting_process
ms_defender_advanced_hunting_filesystem ms_security_advanced_hunting_filesystem
ms_defender_advanced_hunting_registry ms_security_advanced_hunting_registry
ms_defender_advanced_hunting_delivery ms_security_advanced_hunting_delivery
ms_defender_advanced_hunting_email ms_security_advanced_hunting_email
ms_defender_advanced_hunting_authentication ms_security_advanced_hunting_authentication
ms_defender_incident_alerts ms_security_incident_alerts
  • Added the support of host field for the events ingested via Alert Actions.
  • Updated the system path to prioritize Add-on’s third-party libraries for data collection.
  • Enhanced validations for better user experience.
  • Added support of “Tenant ID” input field in the Alert actions configuration
  • Enhanced user experience to select “Account Name” input field in the Alert actions configuration
  • Updated extraction of _time field in the sourcetypes ms:defender:atp:alerts and ms365:defender:incident:alerts. It will be extracted based on the “last update time” of the event

Fixed issues

Version 1.3.1 of the Splunk Add-on for Microsoft Security fixes the following issues.

Known issues

Version 1.3.1 of the Splunk Add-on for Microsoft Security contains the following known issues.

Third-party software attributions

Version 1.3.1 incorporates third-party software attributions for the Splunk Add-on for Microsoft Security.

Version 1.2.0

Version 1.2.0 of the Splunk Add-on for Microsoft Security was released on March 23, 2022. It is compatible with the following software, CIM versions, and platforms.
Splunk platform versions 8.1, 8.2
CIM 5.0.0
Platforms Platform independent
Vendor Products Microsoft 365 Defender, Defender for Endpoint

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 1.2.0 of the Splunk Add-on for Microsoft Security has the following new features.

  • Added support for GCC and GCC High environments. Users can now collect data from these environments if they have credentials for these environments.
  • Updated working of alert action - defender_update_incident
  • CIM v5.0.0 support

Fixed issues

Version 1.2.0 of the Splunk Add-on for Microsoft Security fixes the following issues.

Known issues

Version 1.2.0 of the Splunk Add-on for Microsoft Security contains the following known issues.

Third-party software attributions

Version 1.2.0 incorporates third-party software attributions for the Splunk Add-on for Microsoft Security.

Version 1.1.0

Version 1.1.0 of the Splunk Add-on for MS Security was released on January 24, 2021. It is compatible with the following software, CIM versions, and platforms.
Splunk platform versions 8.1, 8.2
CIM 4.20.2
Platforms Platform independent
Vendor Products Microsoft 365 Defender, Defender for Endpoint

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 1.1.0 of the Splunk Add-on for Microsoft Security has the following new features.

  • This is a brand new release for Splunk Add-on for MS Security. The add-on is migrated from the Microsoft 365 Defender Add-on for Splunk.
  • The sourcetype m365:defender:incident is renamed to ms365:defender:incident and is now mapped to Ticket_Management:Incident CIM data model instead of Alerts CIM data model
  • Enhanced CIM field mapping for ms:defender:atp:alerts, m365:defender:incident:advanced:hunting
  • Introduced new sourcetype ms365:defender:incident:alerts which contains alerts related data bifurcated from incident events from old sourcetype=m365:defender:incident
  • Earlier, the events in old sourcetype m365:defender:incident consisted of alerts data and incident data. Alerts related data was not relevant in this sourcetype. So in this release, the events are bifurcated at index time in such a way that alerts related data gets indexed into the new sourcetype ms365:defender:incident:alerts and only incident related data gets ingested in the renamed sourcetype ms365:defender:incident
  • Removed dashboard panels - alert_queue, incident_queue, overview_alert, overview_detections, advanced_hunting, incident_detail, incident_overview, incident_update, microsoft_defender_atp_alerts
  • Added support for CIM v4.20.2

Fixed issues

Version 1.1.0 of the Splunk Add-on for Microsoft Security fixes the following issues.

Known issues

Version 1.1.0 of the Splunk Add-on for MS Security contains the following known issues.

Third-party software attributions

Version 1.1.0 incorporates third-party software attributions for the Splunk Add-on for Microsoft Security.

Ended: Release Notes