All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why is Splunk Add-on for Microsoft Security for GCC not working?

_joe
Contributor
‎03-23-2022 06:12 AM

Hello all,

It would seem a swift migration to Splunk Add-on for Microsoft Security is highly recommended:

"Customers currently utilizing Microsoft 365 Defender Add-on for Splunk are strongly recommended to migrate to this new Splunk supported add-on after reading the migration section of the documentation."

I haven't been able to get this app to work with GCC, has anyone else? Anyone know when that support is coming?

Labels (2)
0 Karma
Reply

m_pham
Splunk Employee
Splunk Employee
‎07-19-2023 06:10 PM

Are you having issues with getting the data in? Can you dig into index=_internal to find errors in the TA logs?

0 Karma
Reply

Brooksenator
Observer
‎07-20-2023 09:08 AM

We are getting error 400 "Resource not found for the segment" on the calls the Add-On is making. I confirmed the credentials are good, we are getting successful logins.

0 Karma
Reply

_joe
Contributor
‎07-20-2023 09:25 AM

I believe when I posted this support had not yet been added. At this time, this app does support GCC and I have gotten it working in at least one environment. My guess would be you are running into an Azure permissions issue. 

 

https://splunkbase.splunk.com/app/6207

 

0 Karma
Reply

Brooksenator
Observer
‎07-20-2023 09:35 AM

You got it working in GCC or GCC high? We are not able to get it working for GCC high.

0 Karma
Reply

_joe
Contributor
‎07-20-2023 09:38 AM

Sorry, only GCC (literally the "GCC" selection an the API input configuration). I have not had the opportunity to work with GCC high yet so I cannot confirm if it works.

0 Karma
Reply

Brooksenator
Observer
‎07-20-2023 09:46 AM

@m_pham can you validate that this can work/is supported for GCC high? I notice that in the Splunk addon for Microsoft Offie 365 that I can pull my data from GCC high in, but it would be amazing to know that we could visualize that data with the Microsoft 365 App for Splunk. So far it looks like the APIs do not support that data.

@splunk 

0 Karma
Reply

m_pham
Splunk Employee
Splunk Employee
‎07-21-2023 02:08 AM

I don't have experience with this TA but it may be a permissions issue, so I'd recommend taking a look at that on that: 

https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Configurepermissions

0 Karma
Reply

Brooksenator
Observer
‎07-19-2023 09:20 AM

Bump. I am running into the same issue. Can we please get GCC high support for this app?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...