Getting Data In

How best to ingest Microsoft Defender ATP events?

jwalzerpitt
Influencer

Microsoft Defender ATP (MDATP) events can be sent to a blob storage account or an Event Hub. I was wondering if anyone is collecting MDATP events either way and how the setup was to parse the events?

Thx

Labels (3)
0 Karma
1 Solution

jwalzerpitt
Influencer

I ended up using the Microsoft Azure Add on for Splunk (https://splunkbase.splunk.com/app/3757/), which was straight forward and easy to configure.

View solution in original post

0 Karma

jwalzerpitt
Influencer

I ended up using the Microsoft Azure Add on for Splunk (https://splunkbase.splunk.com/app/3757/), which was straight forward and easy to configure.

0 Karma

iamkilarunaresh
Explorer

Please take a look at this app : https://splunkbase.splunk.com/app/5038/ you can onboard the data using the Modular inputs. 

0 Karma

jwalzerpitt
Influencer

Thx for the link, but this add-on is only collecting MDATP alerts and not the actual events 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...