https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-fetch-Microsoft-defender-data-via-Microsoft-security/m-p/634520#M78720 <P>hi All,</P> <P>Trying to get data from microsoft security addon and get data for defender.</P> <P>seems like even after giveing necessary permissions on threat api in azure still not getting the data.</P> <P>Any help is appreciated</P> Mon, 20 Mar 2023 21:54:44 GMT KulvinderSingh 2023-03-20T21:54:44Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-fetch-Microsoft-defender-data-via-Microsoft-security/m-p/634520#M78720 <P>hi All,</P> <P>Trying to get data from microsoft security addon and get data for defender.</P> <P>seems like even after giveing necessary permissions on threat api in azure still not getting the data.</P> <P>Any help is appreciated</P> Mon, 20 Mar 2023 21:54:44 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-fetch-Microsoft-defender-data-via-Microsoft-security/m-p/634520#M78720 KulvinderSingh 2023-03-20T21:54:44Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-fetch-Microsoft-defender-data-via-Microsoft-security/m-p/634526#M78721 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;</P> Wed, 15 Mar 2023 07:20:29 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-fetch-Microsoft-defender-data-via-Microsoft-security/m-p/634526#M78721 KulvinderSingh 2023-03-15T07:20:29Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-fetch-Microsoft-defender-data-via-Microsoft-security/m-p/634528#M78722 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236747">@KulvinderSingh</a>,</P><P>you have to install the Splunk Add-On for Microsoft Security (<A href="https://splunkbase.splunk.com/app/6207" target="_blank">https://splunkbase.splunk.com/app/6207</A>) and then follow the configuration steps that you can find at&nbsp;<A href="https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/About" target="_blank">https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/About</A></P><P>beware to the steps on Office365!</P><P>Ciao.</P><P>Giuseppe</P> Wed, 15 Mar 2023 07:25:26 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-fetch-Microsoft-defender-data-via-Microsoft-security/m-p/634528#M78722 gcusello 2023-03-15T07:25:26Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-fetch-Microsoft-defender-data-via-Microsoft-security/m-p/635127#M78744 <P>It was firewall blocking the traffic for me.</P> Mon, 20 Mar 2023 12:25:53 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-fetch-Microsoft-defender-data-via-Microsoft-security/m-p/635127#M78744 KulvinderSingh 2023-03-20T12:25:53Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-fetch-Microsoft-defender-data-via-Microsoft-security/m-p/635202#M78746 <P>For reference, I created this table that helps identify which MSFT API to configure. It took our team a few attempts to get this right before we had data flowing in for all the sourcetypes - except for advanced hunting (not configured).&nbsp;</P><P>Hope this helps someone in the future <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P><TABLE width="800"><TBODY><TR><TD width="364">Sourcetype</TD><TD width="173">Permission</TD><TD width="81">Input type</TD><TD width="182">MSFT API&nbsp;</TD></TR><TR><TD>ms365:defender:incident/ms365:defender:incident:alert</TD><TD>Incident.Read.All</TD><TD>Modinput</TD><TD>Microsoft Threat Protection</TD></TR><TR><TD>ms:defender:atp:alerts</TD><TD>Alert.Read.All</TD><TD>Modinput</TD><TD>WindowsDefenderATP</TD></TR><TR><TD>ms365:defender:incident/ms365:defender:incident:alert</TD><TD>Incident.ReadWrite.All</TD><TD>Alert Action</TD><TD>Microsoft Threat Protection</TD></TR><TR><TD>m365:defender:incident:advanced_hunting</TD><TD>AdvancedHunting.Read.All</TD><TD>Alert Action</TD><TD>Microsoft Threat Protection</TD></TR></TBODY></TABLE> Mon, 20 Mar 2023 21:02:45 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-fetch-Microsoft-defender-data-via-Microsoft-security/m-p/635202#M78746 splunkdIt 2023-03-20T21:02:45Z https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-fetch-Microsoft-defender-data-via-Microsoft-security/m-p/647930#M79323 <P>was anyone able to get the&nbsp;<SPAN>Advanced Hunting Results in Microsoft 365 App for Splunk to work?</SPAN></P> Thu, 22 Jun 2023 14:13:51 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-fetch-Microsoft-defender-data-via-Microsoft-security/m-p/647930#M79323 splunkuser88 2023-06-22T14:13:51Z