Getting Data In

Can we get some clarification / consolidation for the add-ons available to ingest O365/Azure security data?


Figuring out the best add-on(s) to ingest security data related to O365/Azure is an exercise in insanity...


Can we get some clarification and/or consolidation for this since all 5 of these add-ons are developed by Splunk or Microsoft?


Microsoft Graph Security API Add-On for Splunk:


Splunk Add-on for Microsoft Security:

  • Microsoft 365 Defender incidents and alerts OR Microsoft Defender for Endpoint alerts.


Splunk Add-on for Microsoft Office 365:

  • All service policies, alerts and entities visible through the Microsoft cloud application security portal.
  • All audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.


Splunk Add-on for Microsoft Cloud Services:

  • mscs:azure:security:alert


Splunk Add on for Microsoft Azure:

  • Azure Security Center Alerts & Tasks


EDIT: There's also the Microsoft Defender Advanced Hunting Add-on for Splunk ( but the Splunk Add-on for Microsoft Security also seems to cover Advanced Hunting:


Labels (1)
Tags (3)
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...