Solved: Re: Fetching Microsoft defender data via microsoft...

KulvinderSingh · ‎03-15-2023

hi All,

Trying to get data from microsoft security addon and get data for defender.

seems like even after giveing necessary permissions on threat api in azure still not getting the data.

Any help is appreciated

KulvinderSingh · ‎03-20-2023

It was firewall blocking the traffic for me.

View solution in original post

splunkuser88 · ‎06-22-2023

was anyone able to get the Advanced Hunting Results in Microsoft 365 App for Splunk to work?

splunkdIt · ‎03-20-2023

For reference, I created this table that helps identify which MSFT API to configure. It took our team a few attempts to get this right before we had data flowing in for all the sourcetypes - except for advanced hunting (not configured).

Hope this helps someone in the future 🙂

Sourcetype	Permission	Input type	MSFT API
ms365:defender:incident/ms365:defender:incident:alert	Incident.Read.All	Modinput	Microsoft Threat Protection
ms:defender:atp:alerts	Alert.Read.All	Modinput	WindowsDefenderATP
ms365:defender:incident/ms365:defender:incident:alert	Incident.ReadWrite.All	Alert Action	Microsoft Threat Protection
m365:defender:incident:advanced_hunting	AdvancedHunting.Read.All	Alert Action	Microsoft Threat Protection

KulvinderSingh · ‎03-15-2023

@gcusello

gcusello · ‎03-15-2023

Hi @KulvinderSingh,

you have to install the Splunk Add-On for Microsoft Security (https://splunkbase.splunk.com/app/6207) and then follow the configuration steps that you can find at https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/About

beware to the steps on Office365!

Ciao.

Giuseppe

KulvinderSingh · ‎03-20-2023

It was firewall blocking the traffic for me.

How to fetch Microsoft defender data via Microsoft security Addon?

configuration

Data-Driven Success: Splunk & Financial Services

Video | Welcome Back to Smartness, Pedro

Detector Best Practices: Static Thresholds