https://community.splunk.com/t5/Splunk-Enterprise-Security/Unable-to-find-sourcetype-quot-ms365-defender-incident-alerts/m-p/616800#M11111 <P>Ok so you should at least to which indexes your MDE logs are going no?<BR />The thing is that you first be able to find your MDE logs via a classic Splunk search, and then retrieve what is the sourcetype assigned to those logs.<BR /><BR />Finally, try to change the MDE App Dashboard by modifying the sourcetype used there.</P> Wed, 12 Oct 2022 10:12:46 GMT GaetanVP 2022-10-12T10:12:46Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Unable-to-find-sourcetype-quot-ms365-defender-incident-alerts/m-p/616496#M11096 <P>Unable to find sourcetype="ms365:defender:incident:alerts"<BR /><BR />can u pls help&nbsp;</P> Mon, 10 Oct 2022 13:43:47 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Unable-to-find-sourcetype-quot-ms365-defender-incident-alerts/m-p/616496#M11096 Gaikwad 2022-10-10T13:43:47Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Unable-to-find-sourcetype-quot-ms365-defender-incident-alerts/m-p/616562#M11099 <P>Please provide more information.&nbsp; Where do you see this message?&nbsp; What were you doing at the time?&nbsp; Have you installed the proper add-on for the sourcetype?</P> Mon, 10 Oct 2022 17:50:24 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Unable-to-find-sourcetype-quot-ms365-defender-incident-alerts/m-p/616562#M11099 richgalloway 2022-10-10T17:50:24Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Unable-to-find-sourcetype-quot-ms365-defender-incident-alerts/m-p/616595#M11100 <P>I'm trying to setup Microsoft 365 app for Splunk in that app -&gt;Security-&gt; defender -&gt; Defender 365 overview dashboard. this dashboard is not working</P><P>when I check the query it contains &nbsp;<SPAN>sourcetype="ms365:defender:incident:alerts" but same&nbsp;I'm unable to find it when&nbsp;I search for index = azure or index= main<BR /><BR />as&nbsp;I check add is already there, only concern is unable to find that&nbsp;sourcetype="ms365:defender:incident:alerts"<BR /><BR /><BR />so just want to know, if that source type is not there then is there a way&nbsp;available so we&nbsp;can configure that or any other solution is&nbsp;available &nbsp;?<BR /><BR />thanks&nbsp;<BR /><BR /></SPAN></P> Tue, 11 Oct 2022 05:14:22 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Unable-to-find-sourcetype-quot-ms365-defender-incident-alerts/m-p/616595#M11100 Gaikwad 2022-10-11T05:14:22Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Unable-to-find-sourcetype-quot-ms365-defender-incident-alerts/m-p/616684#M11104 <P>I just installed that app and don't see the same error message even though I have no ms365 data on my system.&nbsp; By default, the dashboards in the app search index=* so they should be able to find the data if it exists.</P><P>Generally, when a sourcetype is not there it's because no data with that soucetype has been indexed.&nbsp; Check your inputs and verify you have the appropriate add-on installed both on your indexers and search heads.</P> Tue, 11 Oct 2022 14:03:52 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Unable-to-find-sourcetype-quot-ms365-defender-incident-alerts/m-p/616684#M11104 richgalloway 2022-10-11T14:03:52Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Unable-to-find-sourcetype-quot-ms365-defender-incident-alerts/m-p/616778#M11107 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;<BR /><BR />thanks for your reply<BR /><BR />as I check in input is not setup for&nbsp;sourcetype="ms365:defender:incident:alerts"?<BR /><BR />can you please let me know, how can I setup input for this &nbsp;"ms365:defender:incident:alerts"</P> Wed, 12 Oct 2022 07:11:26 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Unable-to-find-sourcetype-quot-ms365-defender-incident-alerts/m-p/616778#M11107 Gaikwad 2022-10-12T07:11:26Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Unable-to-find-sourcetype-quot-ms365-defender-incident-alerts/m-p/616783#M11108 <P data-unlink="true">Hello,<BR /><BR />Do you receive the MDE logs via an Azure Event Hub ? If it's the case the sourcetype of MDE logs could be "mscs:azure:eventhub".<BR /><BR />Maybe if you just change the sourcetype specified in the MDE App Dashboard you could see some data.</P><LI-CODE lang="markup">sourcetype="mscs:azure:eventhub"</LI-CODE><P data-unlink="true">Or maybe you would need to rename sourcetype of your incoming MDE events.<BR /><BR />Good luck!</P> Wed, 12 Oct 2022 08:05:11 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Unable-to-find-sourcetype-quot-ms365-defender-incident-alerts/m-p/616783#M11108 GaetanVP 2022-10-12T08:05:11Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Unable-to-find-sourcetype-quot-ms365-defender-incident-alerts/m-p/616784#M11109 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/231013">@GaetanVP</a>&nbsp;<BR /><BR />I tried to search those logs&nbsp;index =* sourcetype="mscs:azure:eventhub"<BR /><BR />but no luck&nbsp;</P> Wed, 12 Oct 2022 08:26:16 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Unable-to-find-sourcetype-quot-ms365-defender-incident-alerts/m-p/616784#M11109 Gaikwad 2022-10-12T08:26:16Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Unable-to-find-sourcetype-quot-ms365-defender-incident-alerts/m-p/616800#M11111 <P>Ok so you should at least to which indexes your MDE logs are going no?<BR />The thing is that you first be able to find your MDE logs via a classic Splunk search, and then retrieve what is the sourcetype assigned to those logs.<BR /><BR />Finally, try to change the MDE App Dashboard by modifying the sourcetype used there.</P> Wed, 12 Oct 2022 10:12:46 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Unable-to-find-sourcetype-quot-ms365-defender-incident-alerts/m-p/616800#M11111 GaetanVP 2022-10-12T10:12:46Z