I see 3 different apps from 3 different authors on splunkbase for Microsoft Windows Defender ATP ; which one is the one to use?
Windows Defender ATP Modular Inputs TA: https://splunkbase.splunk.com/app/4128/
TA for Microsoft Windows Defender: https://splunkbase.splunk.com/app/3734/
TA for Defender ATP hunting API: https://splunkbase.splunk.com/app/4623/
There is also this:
REST API Modular Input: https://splunkbase.splunk.com/app/1546/
along with this:
Obviously, I would like to use the "best" one; the "easiest" one or the one that is most-current or best-supported. How can I tell which one that is? An installation/user guide would be great, too. This is for
Common Information Model with
If you want to pull security alerts from all things ATP and have them mapped to CIM look no furher than “Microsoft Graph Security API Add-On for Splunk”. Maintained by MS!
My TA allows you to schedule KQL queries for more subtle endpoint telemetry stuff like “this and this file appeared in this directory”. For example macro files in office startup dirs. Oh and I don’t map to CIM because the telemetry data is way too varied.