Why is Splunk Add-on for Microsoft Security for GCC not working?

_joe
Contributor

Hello all,

It would seem a swift migration to Splunk Add-on for Microsoft Security is highly recommended:

"Customers currently utilizing Microsoft 365 Defender Add-on for Splunk are strongly recommended to migrate to this new Splunk supported add-on after reading the migration section of the documentation."

I haven't been able to get this app to work with GCC, has anyone else? Anyone know when that support is coming?

0 Karma

m_pham
Splunk Employee

Are you having issues with getting the data in? Can you dig into index=_internal to find errors in the TA logs?

0 Karma

Brooksenator
Observer

We are getting error 400 "Resource not found for the segment" on the calls the Add-On is making. I confirmed the credentials are good, we are getting successful logins.

0 Karma

_joe
Contributor

I believe when I posted this support had not yet been added. At this time, this app does support GCC and I have gotten it working in at least one environment. My guess would be you are running into an Azure permissions issue.

https://splunkbase.splunk.com/app/6207

0 Karma

Brooksenator
Observer

You got it working in GCC or GCC high? We are not able to get it working for GCC high.

0 Karma

_joe
Contributor

Sorry, only GCC (literally the "GCC" selection on the API input configuration). I have not had the opportunity to work with GCC high yet so I cannot confirm if it works.

0 Karma

Brooksenator
Observer

@m_pham can you validate that this can work/is supported for GCC high? I notice that in the Splunk addon for Microsoft Office 365 that I can pull my data from GCC high in, but it would be amazing to know that we could visualize that data with the Microsoft 365 App for Splunk. So far it looks like the APIs do not support that data.

@splunk 

0 Karma

m_pham
Splunk Employee

I don't have experience with this TA but it may be a permissions issue, so I'd recommend taking a look at that:

https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Configurepermissions

0 Karma

Brooksenator
Observer

Bump. I am running into the same issue. Can we please get GCC high support for this app?

0 Karma