Why is Splunk Add-on for Microsoft Security for GCC not working?

_joe
Communicator

Hello all,

It would seem a swift migration to Splunk Add-on for Microsoft Security is highly recommended:

"Customers currently utilizing Microsoft 365 Defender Add-on for Splunk are strongly recommended to migrate to this new Splunk supported add-on after reading the migration section of the documentation."

I haven't been able to get this app to work with GCC, has anyone else? Anyone know when that support is coming?

0 Karma

m_pham
Splunk Employee

Are you having issues with getting the data in? Can you dig into index=_internal to find errors in the TA logs?

0 Karma

Brooksenator
Observer

We are getting error 400 "Resource not found for the segment" on the calls the Add-On is making. I confirmed the credentials are good, we are getting successful logins.

0 Karma

_joe
Communicator

I believe when I posted this support had not yet been added. At this time, this app does support GCC and I have gotten it working in at least one environment. My guess would be you are running into an Azure permissions issue. 

 

https://splunkbase.splunk.com/app/6207

 

0 Karma

Brooksenator
Observer

You got it working in GCC or GCC high? We are not able to get it working for GCC high.

0 Karma

_joe
Communicator

Sorry, only GCC (literally the "GCC" selection on the API input configuration). I have not had the opportunity to work with GCC high yet so I cannot confirm if it works.

0 Karma

Brooksenator
Observer

@m_pham can you validate that this can work/is supported for GCC high? I notice that in the Splunk addon for Microsoft Office 365 I can pull my data from GCC high in, but it would be amazing to know that we could visualize that data with the Microsoft 365 App for Splunk. So far it looks like the APIs do not support that data.

@splunk 

0 Karma

m_pham
Splunk Employee

I don't have experience with this TA but it may be a permissions issue, so I'd recommend taking a look at that:

https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Configurepermissions

0 Karma

Brooksenator
Observer

Bump. I am running into the same issue. Can we please get GCC high support for this app?

0 Karma