Getting Data In

Can we get some clarification / consolidation for the add-ons available to ingest O365/Azure security data?

splunkUser00
Engager

Figuring out the best add-on(s) to ingest security data related to O365/Azure is an exercise in insanity...

 

Can we get some clarification and/or consolidation for this since all 5 of these add-ons are developed by Splunk or Microsoft?

 

Microsoft Graph Security API Add-On for Splunk: https://splunkbase.splunk.com/app/4564

 

Splunk Add-on for Microsoft Security: https://splunkbase.splunk.com/app/6207

  • Microsoft 365 Defender incidents and alerts OR Microsoft Defender for Endpoint alerts.

 

Splunk Add-on for Microsoft Office 365: https://splunkbase.splunk.com/app/4055

  • All service policies, alerts and entities visible through the Microsoft cloud application security portal.
  • All audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.

 

Splunk Add-on for Microsoft Cloud Services: https://splunkbase.splunk.com/app/3110

  • mscs:azure:security:alert

 

Splunk Add on for Microsoft Azure: https://splunkbase.splunk.com/app/3757

  • Azure Security Center Alerts & Tasks

 

EDIT: There's also the Microsoft Defender Advanced Hunting Add-on for Splunk (https://splunkbase.splunk.com/app/5518) but the Splunk Add-on for Microsoft Security also seems to cover Advanced Hunting: https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Releasenotes#New_features

 

Labels (1)
Tags (3)
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...