Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Unable to find sourcetype="ms365:defender:incident:alerts"?

Gaikwad
Explorer
‎10-10-2022 12:26 AM

Unable to find sourcetype="ms365:defender:incident:alerts"

can u pls help 

Labels (1)
Labels
0 Karma
Reply

Gaikwad
Explorer
‎10-10-2022 10:14 PM

I'm trying to setup Microsoft 365 app for Splunk in that app ->Security-> defender -> Defender 365 overview dashboard. this dashboard is not working

when I check the query it contains  sourcetype="ms365:defender:incident:alerts" but same I'm unable to find it when I search for index = azure or index= main

as I check add is already there, only concern is unable to find that sourcetype="ms365:defender:incident:alerts"


so just want to know, if that source type is not there then is there a way available so we can configure that or any other solution is available  ?

thanks 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-11-2022 07:03 AM

I just installed that app and don't see the same error message even though I have no ms365 data on my system.  By default, the dashboards in the app search index=* so they should be able to find the data if it exists.

Generally, when a sourcetype is not there it's because no data with that soucetype has been indexed.  Check your inputs and verify you have the appropriate add-on installed both on your indexers and search heads.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Gaikwad
Explorer
‎10-12-2022 12:11 AM

@richgalloway 

thanks for your reply

as I check in input is not setup for sourcetype="ms365:defender:incident:alerts"?

can you please let me know, how can I setup input for this  "ms365:defender:incident:alerts"

0 Karma
Reply

GaetanVP
Contributor
‎10-12-2022 01:05 AM

Hello,

Do you receive the MDE logs via an Azure Event Hub ? If it's the case the sourcetype of MDE logs could be "mscs:azure:eventhub".

Maybe if you just change the sourcetype specified in the MDE App Dashboard you could see some data.

sourcetype="mscs:azure:eventhub"

Or maybe you would need to rename sourcetype of your incoming MDE events.

Good luck!

0 Karma
Reply

Gaikwad
Explorer
‎10-12-2022 01:26 AM

Hello @GaetanVP 

I tried to search those logs index =* sourcetype="mscs:azure:eventhub"

but no luck 

0 Karma
Reply

GaetanVP
Contributor
‎10-12-2022 03:12 AM

Ok so you should at least to which indexes your MDE logs are going no?
The thing is that you first be able to find your MDE logs via a classic Splunk search, and then retrieve what is the sourcetype assigned to those logs.

Finally, try to change the MDE App Dashboard by modifying the sourcetype used there.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-10-2022 10:50 AM

Please provide more information.  Where do you see this message?  What were you doing at the time?  Have you installed the proper add-on for the sourcetype?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...