Splunk Enterprise Security

Which app(s) for Microsoft Windows Defender ATP?

woodcock
Esteemed Legend

I see 3 different apps from 3 different authors on splunkbase for Microsoft Windows Defender ATP ; which one is the one to use?
Windows Defender ATP Modular Inputs TA: https://splunkbase.splunk.com/app/4128/
TA for Microsoft Windows Defender: https://splunkbase.splunk.com/app/3734/
TA for Defender ATP hunting API: https://splunkbase.splunk.com/app/4623/

There is also this:
REST API Modular Input: https://splunkbase.splunk.com/app/1546/
along with this:
https://github.com/ThiruYadav/Configure-Splunk-to-pull-Windows-Defender-ATP-alerts/blob/master/Confi...

Obviously, I would like to use the "best" one; the "easiest" one or the one that is most-current or best-supported. How can I tell which one that is? An installation/user guide would be great, too. This is for Common Information Model with Enterprise Security.

0 Karma

chidiuchegbu
Loves-to-Learn Everything

This app is not CIM compliant for Endpoint and Malware datamodel for Splunk ES

0 Karma

jorritf
Path Finder

If you want to pull security alerts from all things ATP and have them mapped to CIM look no furher than “Microsoft Graph Security API Add-On for Splunk”. Maintained by MS!

My TA allows you to schedule KQL queries for more subtle endpoint telemetry stuff like “this and this file appeared in this directory”. For example macro files in office startup dirs. Oh and I don’t map to CIM because the telemetry data is way too varied.

0 Karma

woodcock
Esteemed Legend

Links/URLs?

0 Karma

Kfesliyan
Loves-to-Learn Everything

Did the Graph API do the trick for Defender ATP logs? I have the exact same question for the setup...

0 Karma

amankhan1
Path Finder
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...