Splunk Enterprise Security

Which app(s) for Microsoft Windows Defender ATP?

woodcock
Esteemed Legend

I see 3 different apps from 3 different authors on splunkbase for Microsoft Windows Defender ATP ; which one is the one to use?
Windows Defender ATP Modular Inputs TA: https://splunkbase.splunk.com/app/4128/
TA for Microsoft Windows Defender: https://splunkbase.splunk.com/app/3734/
TA for Defender ATP hunting API: https://splunkbase.splunk.com/app/4623/

There is also this:
REST API Modular Input: https://splunkbase.splunk.com/app/1546/
along with this:
https://github.com/ThiruYadav/Configure-Splunk-to-pull-Windows-Defender-ATP-alerts/blob/master/Confi...

Obviously, I would like to use the "best" one; the "easiest" one or the one that is most-current or best-supported. How can I tell which one that is? An installation/user guide would be great, too. This is for Common Information Model with Enterprise Security.

0 Karma

chidiuchegbu
Loves-to-Learn Everything

This app is not CIM compliant for Endpoint and Malware datamodel for Splunk ES

0 Karma

jorritf
Path Finder

If you want to pull security alerts from all things ATP and have them mapped to CIM look no furher than “Microsoft Graph Security API Add-On for Splunk”. Maintained by MS!

My TA allows you to schedule KQL queries for more subtle endpoint telemetry stuff like “this and this file appeared in this directory”. For example macro files in office startup dirs. Oh and I don’t map to CIM because the telemetry data is way too varied.

0 Karma

woodcock
Esteemed Legend

Links/URLs?

0 Karma

Kfesliyan
Loves-to-Learn Everything

Did the Graph API do the trick for Defender ATP logs? I have the exact same question for the setup...

0 Karma

amankhan1
Path Finder
0 Karma
Get Updates on the Splunk Community!

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...

What's New in Splunk Cloud Platform 9.0.2208?!

Howdy!  We are happy to share the newest updates in Splunk Cloud Platform 9.0.2208! Analysts can benefit ...

Admin Console: A Single, Unified Interface for All Your Cloud Admin Needs

WATCH NOWJoin us to learn how the admin console can save you time and give you more control over the Splunk® ...