Figuring out the best add-on(s) to ingest security data related to O365/Azure is an exercise in insanity... Can we get some clarification and/or consolidation for this since all 5 of these add-ons are developed by Splunk or Microsoft? Microsoft Graph Security API Add-On for Splunk: https://splunkbase.splunk.com/app/4564 https://learn.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0#alerts Alerts from the following providers are available: Azure Active Directory Identity Protection Microsoft 365 Default Cloud App Security Custom Alert Microsoft Defender for Cloud Apps Microsoft Defender for Endpoint Microsoft Defender for Identity Microsoft Sentinel (formerly Azure Sentinel) Splunk Add-on for Microsoft Security: https://splunkbase.splunk.com/app/6207 Microsoft 365 Defender incidents and alerts OR Microsoft Defender for Endpoint alerts. Splunk Add-on for Microsoft Office 365: https://splunkbase.splunk.com/app/4055 All service policies, alerts and entities visible through the Microsoft cloud application security portal. All audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API. Splunk Add-on for Microsoft Cloud Services: https://splunkbase.splunk.com/app/3110 mscs:azure:security:alert Splunk Add on for Microsoft Azure: https://splunkbase.splunk.com/app/3757 Azure Security Center Alerts & Tasks EDIT: There's also the Microsoft Defender Advanced Hunting Add-on for Splunk (https://splunkbase.splunk.com/app/5518) but the Splunk Add-on for Microsoft Security also seems to cover Advanced Hunting: https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Releasenotes#New_features
... View more