This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs - .
We're happy to share that the Splunk-supported Splunk Add-on for Microsoft Security is now available. This add-on builds on the Microsoft 365 Defender Add-on for Splunk 1.3.0 and maps the Microsoft Defender for Endpoint Alerts API properties or the Microsoft 365 Defender Incidents API properties onto Splunk's Common Information Model (CIM).
The Splunk Add-on for Microsoft Security only supports ingesting Alerts or Incidents into Splunk - customers should continue using the Microsoft 365 Defender Add-on for Splunk 1.3.0 App or the Splunk SOAR Windows Defender ATP App to manage/update Alerts or Incidents (assignedTo, classification, determination, status, and comments fields) directly from Splunk.
The Splunk SOAR Windows Defender ATP App 3.5.2 supports 30 additional Microsoft Defender for Endpoint API calls (see Additional Information below).
Additional Information:
- The Splunk documentation for the Splunk Add-on for Microsoft Security is available here:
https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/About - Splunk provide guidance on migrating from the Microsoft 365 Defender Add-on for Splunk version 1.3.0 to the Splunk Add-on for Microsoft Security here:
https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Migrate - The documentation for the Splunk SOAR Windows Defender ATP App version 3.5.2 is here:
https://github.com/splunk-soar-connectors/windowsdefenderatp
The Microsoft Defender for Endpoint Team