Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Which app(s) for Microsoft Windows Defender ATP?

woodcock
Esteemed Legend
‎04-28-2020 02:42 PM

I see 3 different apps from 3 different authors on splunkbase for Microsoft Windows Defender ATP ; which one is the one to use?
Windows Defender ATP Modular Inputs TA: https://splunkbase.splunk.com/app/4128/
TA for Microsoft Windows Defender: https://splunkbase.splunk.com/app/3734/
TA for Defender ATP hunting API: https://splunkbase.splunk.com/app/4623/

There is also this:
REST API Modular Input: https://splunkbase.splunk.com/app/1546/
along with this:
https://github.com/ThiruYadav/Configure-Splunk-to-pull-Windows-Defender-ATP-alerts/blob/master/Confi...

Obviously, I would like to use the "best" one; the "easiest" one or the one that is most-current or best-supported. How can I tell which one that is? An installation/user guide would be great, too. This is for Common Information Model with Enterprise Security.

Reply

chidiuchegbu
Loves-to-Learn Everything
‎03-09-2022 12:18 AM

This app is not CIM compliant for Endpoint and Malware datamodel for Splunk ES

0 Karma
Reply

jorritf
Path Finder
‎04-28-2020 10:27 PM

If you want to pull security alerts from all things ATP and have them mapped to CIM look no furher than “Microsoft Graph Security API Add-On for Splunk”. Maintained by MS!

My TA allows you to schedule KQL queries for more subtle endpoint telemetry stuff like “this and this file appeared in this directory”. For example macro files in office startup dirs. Oh and I don’t map to CIM because the telemetry data is way too varied.

0 Karma
Reply

woodcock
Esteemed Legend
‎04-29-2020 06:31 AM

Links/URLs?

Reply

Kfesliyan
Loves-to-Learn Everything
‎04-12-2021 05:44 AM

Did the Graph API do the trick for Defender ATP logs? I have the exact same question for the setup...

0 Karma
Reply

amankhan1
Path Finder
‎04-29-2020 07:00 AM

https://splunkbase.splunk.com/app/4564/

0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...