Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How to fetch Microsoft defender data via Microsoft...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi All,
Trying to get data from microsoft security addon and get data for defender.
seems like even after giveing necessary permissions on threat api in azure still not getting the data.
Any help is appreciated
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
was anyone able to get the Advanced Hunting Results in Microsoft 365 App for Splunk to work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For reference, I created this table that helps identify which MSFT API to configure. It took our team a few attempts to get this right before we had data flowing in for all the sourcetypes - except for advanced hunting (not configured).
Hope this helps someone in the future 🙂
| Sourcetype | Permission | Input type | MSFT API |
| ms365:defender:incident/ms365:defender:incident:alert | Incident.Read.All | Modinput | Microsoft Threat Protection |
| ms:defender:atp:alerts | Alert.Read.All | Modinput | WindowsDefenderATP |
| ms365:defender:incident/ms365:defender:incident:alert | Incident.ReadWrite.All | Alert Action | Microsoft Threat Protection |
| m365:defender:incident:advanced_hunting | AdvancedHunting.Read.All | Alert Action | Microsoft Threat Protection |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @KulvinderSingh,
you have to install the Splunk Add-On for Microsoft Security (https://splunkbase.splunk.com/app/6207) and then follow the configuration steps that you can find at https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/About
beware to the steps on Office365!
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It was firewall blocking the traffic for me.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
