I see 3 different apps from 3 different authors on splunkbase for Microsoft Windows Defender ATP ; which one is the one to use?
Windows Defender ATP Modular Inputs TA: https://splunkbase.splunk.com/app/4128/
TA for Microsoft Windows Defender: https://splunkbase.splunk.com/app/3734/
TA for Defender ATP hunting API: https://splunkbase.splunk.com/app/4623/
There is also this:
REST API Modular Input: https://splunkbase.splunk.com/app/1546/
along with this:
https://github.com/ThiruYadav/Configure-Splunk-to-pull-Windows-Defender-ATP-alerts/blob/master/Confi...
Obviously, I would like to use the "best" one; the "easiest" one or the one that is most-current or best-supported. How can I tell which one that is? An installation/user guide would be great, too. This is for Common Information Model
with Enterprise Security
.
This app is not CIM compliant for Endpoint and Malware datamodel for Splunk ES
If you want to pull security alerts from all things ATP and have them mapped to CIM look no furher than “Microsoft Graph Security API Add-On for Splunk”. Maintained by MS!
My TA allows you to schedule KQL queries for more subtle endpoint telemetry stuff like “this and this file appeared in this directory”. For example macro files in office startup dirs. Oh and I don’t map to CIM because the telemetry data is way too varied.
Links/URLs?
Did the Graph API do the trick for Defender ATP logs? I have the exact same question for the setup...