Why is Splunk Add-on for Microsoft Security for GCC not working?

_joe
Contributor

Hello all,

It would seem a swift migration to Splunk Add-on for Microsoft Security is highly recommended:

"Customers currently utilizing Microsoft 365 Defender Add-on for Splunk are strongly recommended to migrate to this new Splunk supported add-on after reading the migration section of the documentation."

I haven't been able to get this app to work with GCC, has anyone else? Anyone know when that support is coming?

0 Karma

m_pham
Splunk Employee

Are you having issues with getting the data in? Can you dig into index=_internal to find errors in the TA logs?

0 Karma

Brooksenator
Observer

We are getting error 400 "Resource not found for the segment" on the calls the Add-On is making. I confirmed the credentials are good, we are getting successful logins.

0 Karma

_joe
Contributor

I believe when I posted this, support had not yet been added. At this time, this app does support GCC and I have gotten it working in at least one environment. My guess would be you are running into an Azure permissions issue.

https://splunkbase.splunk.com/app/6207

0 Karma

Brooksenator
Observer

You got it working in GCC or GCC high? We are not able to get it working for GCC high.

0 Karma

_joe
Contributor

Sorry, only GCC (literally the "GCC" selection on the API input configuration). I have not had the opportunity to work with GCC high yet, so I cannot confirm if it works.

0 Karma

Brooksenator
Observer

@m_pham can you validate that this can work/is supported for GCC high? I notice that in the Splunk add-on for Microsoft Office 365 I can pull my data from GCC high in, but it would be amazing to know that we could visualize that data with the Microsoft 365 App for Splunk. So far it looks like the APIs do not support that data.

@splunk 

0 Karma

m_pham
Splunk Employee

I don't have experience with this TA, but it may be a permissions issue, so I'd recommend taking a look at that:

https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Configurepermissions

0 Karma

Brooksenator
Observer

Bump. I am running into the same issue. Can we please get GCC high support for this app?

0 Karma