Splunk Enterprise Security

Unable to find sourcetype="ms365:defender:incident:alerts"?

Gaikwad
Explorer

Unable to find sourcetype="ms365:defender:incident:alerts"

Can you please help?


Gaikwad
Explorer

I'm trying to set up the Microsoft 365 App for Splunk. In that app -> Security -> Defender -> Defender 365 Overview dashboard, the dashboard is not working.

When I check the query, it contains sourcetype="ms365:defender:incident:alerts", but I'm unable to find that sourcetype when I search index=azure or index=main.

As I check, the add-on is already there; the only concern is that I'm unable to find that sourcetype="ms365:defender:incident:alerts".

So I just want to know: if that sourcetype is not there, is there a way to configure it, or is any other solution available?

Thanks


richgalloway
SplunkTrust

I just installed that app and don't see the same error message even though I have no ms365 data on my system.  By default, the dashboards in the app search index=* so they should be able to find the data if it exists.

Generally, when a sourcetype is not there it's because no data with that sourcetype has been indexed. Check your inputs and verify you have the appropriate add-on installed on both your indexers and search heads.

---
If this reply helps you, Karma would be appreciated.

Gaikwad
Explorer

@richgalloway 

Thanks for your reply.

As I check, the input is not set up for sourcetype="ms365:defender:incident:alerts".

Can you please let me know how I can set up the input for this "ms365:defender:incident:alerts"?


GaetanVP
Contributor

Hello,

Do you receive the MDE logs via an Azure Event Hub? If that's the case, the sourcetype of the MDE logs could be "mscs:azure:eventhub".

Maybe if you just change the sourcetype specified in the MDE app dashboard you could see some data:

sourcetype="mscs:azure:eventhub"

Or maybe you would need to rename the sourcetype of your incoming MDE events.

Good luck!


Gaikwad
Explorer

Hello @GaetanVP 

I tried to search those logs with index=* sourcetype="mscs:azure:eventhub"

but no luck.


GaetanVP
Contributor

Ok, so you should at least know to which indexes your MDE logs are going, no?
The thing is that you first need to be able to find your MDE logs via a classic Splunk search, and then retrieve what sourcetype is assigned to those logs.

Finally, try to change the MDE app dashboard by modifying the sourcetype used there.

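The checks richgalloway and GaetanVP describe (confirm whether anything has been indexed under the sourcetype the dashboard expects, and if not, find out what sourcetype the Defender events actually carry) can be run as plain searches. These are added example searches, not part of the original thread or of the Microsoft 365 App for Splunk; the 7-day window and the keywords "incidentId", "alertId" and "Microsoft 365 Defender" are assumptions about what a Defender incident event contains, so substitute a string you know appears in your own events.

```spl
| tstats count where index=* earliest=-7d by index, sourcetype
| sort - count

| tstats count where index=* sourcetype="ms365:defender:incident:alerts" earliest=-7d by index

index=* earliest=-7d ("incidentId" OR "alertId" OR "Microsoft 365 Defender")
| stats count, min(_time) AS first_seen, max(_time) AS last_seen by index, sourcetype, source
| convert ctime(first_seen) ctime(last_seen)
```

The first search lists every index/sourcetype pair that received data in the window (run it with a role that can read all indexes, otherwise index=* silently covers only what you are allowed to see). The second answers richgalloway's point directly: zero rows means nothing has ever been indexed with that sourcetype, so the problem is the input, not the dashboard. The third search is GaetanVP's step: if it returns rows under some other sourcetype, either edit the dashboard's sourcetype to match or apply a search-time rename in props.conf. Renaming a shared sourcetype such as mscs:azure:eventhub wholesale would relabel every event that arrives through that Event Hub, so only do that if the input carries nothing but Defender incidents.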

richgalloway
SplunkTrust

Please provide more information.  Where do you see this message?  What were you doing at the time?  Have you installed the proper add-on for the sourcetype?

---
If this reply helps you, Karma would be appreciated.