Windows Defender Endpoint / ATP via Azure Event Hu... - Splunk Community

Getting Data In

I'm using the Splunk Addon for Microsoft Cloud Service to import our ATP / Microsoft Defender Endpoint Data into Splunk. I've succeeded into getting the data in but the events aren't getting separated correctly. Below is a screenshot of a single event. Each Record should be an individual Splunk event.

My question is should the Splunk Addon for Microsoft Cloud Service automatically parse this out or is this something I should work through in the props.conf and linebreaks.

Screenshot 2021-01-27 101238.png

Here's the information I used to set this up:

ATP to EventHub: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/raw-data-...
Event Hub to Splunk: https://www.splunk.com/en_us/blog/platform/splunking-azure-event-hubs.html

Get Updates on the Splunk Community!

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...

Buttercup Games: Further Dashboarding Techniques (Part 6)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...