Windows Defender Endpoint / ATP via Azure Event Hu... - Splunk Community

Getting Data In

I'm using the Splunk Addon for Microsoft Cloud Service to import our ATP / Microsoft Defender Endpoint Data into Splunk. I've succeeded into getting the data in but the events aren't getting separated correctly. Below is a screenshot of a single event. Each Record should be an individual Splunk event.

My question is should the Splunk Addon for Microsoft Cloud Service automatically parse this out or is this something I should work through in the props.conf and linebreaks.

Here's the information I used to set this up:

ATP to EventHub: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/raw-data-...
Event Hub to Splunk: https://www.splunk.com/en_us/blog/platform/splunking-azure-event-hubs.html

Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...