
Splunk® Supported Add-ons

Splunk Add-on for Microsoft Security released


Generated: 6/20/2024 10:55 am

Copyright (c) 2024 Splunk Inc. All Rights Reserved


Table of Contents

Overview
  About the Splunk Add-on for Microsoft Security
  Hardware and software requirements
  Installation and configuration overview for the Splunk Add-on for Microsoft Security

Installation
  Install the Splunk Add-on for Microsoft Security
  Migrate and upgrade the Splunk Add-on for Microsoft Security
  Create Active Directory permissions for configuring Microsoft Account

Configuration
  Configure inputs for the Splunk Add-on for Microsoft Security
  Configure Alert Actions to collect data for the Splunk Add-on for Microsoft Security
  Use Dashboards to view the analytics for the Splunk Add-on for Microsoft Security

Troubleshooting
  Troubleshoot the Splunk Add-on for Microsoft Security

Reference
  Source types for the Splunk Add-on for Microsoft Security

Release Notes
  Release notes for the Splunk Add-on for Microsoft Security
  Release history
Overview

About the Splunk Add-on for Microsoft Security


Version: 2.2.0
Vendor Products: Microsoft 365 Defender, Defender for Endpoint, Azure Event Hubs
Visible in Splunk Web: Yes, this add-on contains configuration


The Splunk Add-on for Microsoft Security collects incidents and their associated alerts from Microsoft 365 Defender and
alerts from Microsoft Defender for Endpoint.

The add-on also collects attack simulation data from the Microsoft 365 Defender portal, and Microsoft 365 Defender
Advanced Hunting events from Azure Event Hubs, to which the Microsoft Defender portal streams them in real time using
the streaming API.

Download the Splunk Add-on for Microsoft Security from Splunkbase at https://splunkbase.splunk.com/app/6207.

Hardware and software requirements


You must have an Azure Active Directory application registration to use this add-on. Record the registration's
tenant_id, client_id, and client_secret: you use these three values to configure the account and the inputs in the
add-on, which then start data collection in Splunk.

• Refer to the Microsoft docs for information about setting up an Azure Active Directory application registration with
the appropriate permissions for Microsoft Defender for Endpoint alerts and Microsoft 365 Defender incidents. The
permissions each input requires are listed under "Create Active Directory permissions for configuring Microsoft
Account" in this manual.

Splunk platform requirements

Because this add-on runs on the Splunk platform, all of the system requirements apply for the Splunk software that you
use to run this add-on.

• For Splunk Enterprise system requirements: see System Requirements in the Splunk Enterprise Installation
Manual.
• If you are managing on-premises forwarders to get data into Splunk Cloud, see System Requirements in the
Splunk Enterprise Installation Manual, which includes information about forwarders.

Installation and configuration overview for the Splunk Add-on for Microsoft
Security
Install and configure this add-on on your supported platform:

1. Download the add-on from Splunkbase.


2. Install the add-on.
3. Configure your input.
4. (Optional) Configure your alert actions.

Installation

Install the Splunk Add-on for Microsoft Security


Use the tables in this topic to determine where and how to install this add-on in a distributed deployment of Splunk
Enterprise. See the installation walkthrough at the end of this topic for links to installation instructions specific to a
single-instance deployment, distributed deployment, or Splunk Cloud.

Where to install this add-on for a distributed deployment

Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform
deployment. This table provides a quick reference for installing this add-on to a distributed deployment of Splunk
Enterprise.

• Search Heads (supported: Yes; required: Yes). This add-on contains search-time knowledge. If possible, turn off
visibility on your search heads to prevent data duplication errors that can result from running inputs on your search
heads instead of, or in addition to, on your data collection node.
• Indexers (supported: Yes; required: No). Not required because the parsing operations occur on the forwarders.
• Heavy Forwarders (supported: Yes; required: No). Recommended. Install this add-on on a heavy forwarder for data
collection. To avoid duplicates, configure data collection in a single location.
• Universal Forwarders (supported: No; required: No). Universal forwarders are not supported for data collection
because the modular inputs require Python and the Splunk REST handler.

Installation walkthrough

See "Installing add-ons" in Splunk Add-Ons for detailed instructions describing how to install a Splunk add-on in the
following deployment scenarios:

• Single-instance Splunk Enterprise


• Distributed Splunk Enterprise
• Splunk Cloud

Migrate and upgrade the Splunk add-on for Microsoft Security


Upgrade the Splunk Add-on for Microsoft Security from version 2.1 to version 2.2.0

After upgrading the add-on in your environment to version 2.2.0, clear the browser cache and refresh the add-on's page
to see the new modular inputs that collect simulations and real-time Advanced Hunting events from Azure Event Hub
streamed using the streaming API.

Upgrade the Splunk Add-on for Microsoft Security from version 2.0.1 to version 2.1.1

After upgrading the add-on in your environment to version 2.1.1, clear the browser cache. Refresh the Add-On's page to
see the dashboards that give a sneak peek under the hood of the add-on.

Upgrade the Splunk Add-on for Microsoft Security from version 1.3.1 to version 2.0.1

After upgrading the add-on in your environment to version 2.0.1, clear the web browser cache.

Migrate from the Microsoft 365 Defender Add-on for Splunk to the Splunk Add-on for Microsoft
Security 1.0.0 and later

If you have already installed the Microsoft 365 Defender Add-on for Splunk in a Splunk instance and want to install Splunk
Add-on for Microsoft Security in the same Splunk instance, you must first:

• Disable inputs for the Microsoft 365 Defender Add-on for Splunk
• Disable the Microsoft 365 Defender Add-on for Splunk.

This prevents clashing of modular inputs, data collection mechanisms, and sourcetypes in both add-ons.

To disable inputs for Microsoft 365 Defender Add-on for Splunk, navigate to the Inputs page and select "Disable" in the
dropdown for that add-on.

To disable the Microsoft 365 Defender Add-on for Splunk, navigate to Apps > Manage Apps and select the "Disable"
option for the add-on.

If both add-ons are enabled on the same Splunk instance, data duplication occurs for the sourcetypes that share the
same names: ms:defender:atp:alerts and m365:defender:incident:advanced_hunting. The former and current source names
are:

• The Microsoft 365 Defender Add-on for Splunk source names:
♦ microsoft_365_defender_incidents
♦ microsoft_defender_atp_alerts
♦ ms_defender_apt_alerts
• The Splunk Add-on for Microsoft Security source names:
♦ microsoft_365_defender_endpoint_incidents
♦ microsoft_defender_endpoint_atp_alerts
♦ ms_defender_endpoint_apt_alerts

• If the Microsoft 365 Defender Add-on for Splunk is already installed, the modular input names in the Splunk Add-on
for Microsoft Security are different, so the source names of events coming through the modular inputs change. The
mapping is:

Source name in Microsoft 365 Defender Add-on for Splunk -> Source name in Splunk Add-on for MS Security v1.0.0 and later
microsoft_365_defender_incidents -> microsoft_365_defender_endpoint_incidents
microsoft_defender_atp_alerts -> microsoft_defender_endpoint_atp_alerts
ms_defender_apt_alerts -> ms_defender_endpoint_apt_alerts

The following list describes the event types supported in Splunk Add-on for Microsoft Security 1.0.0 and later and
their CIM data models, compared with the same event types in the Microsoft 365 Defender Add-on for Splunk.

Event type (CIM data model in the Microsoft 365 Defender Add-on for Splunk -> CIM data model in the Splunk Add-on for
Microsoft Security):

• ms_security_incident: Alerts -> Ticket Management:Incident
• ms_security_atp_alert: Alerts -> Alerts
• ms_security_advanced_hunting: No DM -> No DM
• ms_security_advanced_hunting_process: Endpoint:Processes -> Endpoint:Processes
• ms_security_advanced_hunting_network: Network Traffic, Endpoint:Ports -> The eventtype is removed and the events now
fall under the ms_security_advanced_hunting_process eventtype
• ms_security_advanced_hunting_filesystem: Endpoint:Filesystem -> Change:Endpoint, Endpoint:Filesystem
• ms_security_advanced_hunting_registry: Endpoint:Registry -> Change:Endpoint, Endpoint:Registry
• ms_security_advanced_hunting_delivery: Not present -> Email:Delivery
• ms_security_advanced_hunting_email: Not present -> Email:All_Email
• ms_security_advanced_hunting_authentication: Not present -> Authentication
• ms_security_incident_alerts: Not present -> Alerts

• The sourcetypes supported in the Splunk Add-on for Microsoft Security are:
♦ ms:defender:atp:alerts
♦ ms365:defender:incident
♦ m365:defender:incident:advanced_hunting
♦ ms365:defender:incident:alerts

Note: Events in the old sourcetype m365:defender:incident contained both alert data and incident data, and the alert
data was not relevant in that sourcetype. In this release the events are therefore split at index time: alert-related
data is indexed into the new sourcetype ms365:defender:incident:alerts, and only incident-related data is ingested into
the renamed sourcetype ms365:defender:incident.

• Schema difference in alerts collected through the Splunk Add-on for Microsoft Security:

The Splunk Add-on for Microsoft Security collects alerts in the following sourcetypes:

* ms:defender:atp:alerts
* ms365:defender:incident:alerts

Depending on your requirements, you can collect either of the two alert sourcetypes, because each contains some fields
that are unique to that sourcetype.

Refer to the Microsoft documentation for the Defender for Endpoint Alerts API and the Microsoft 365 Defender Incidents
API for details on the schema differences between the two kinds of alerts.

Create Active Directory permissions for configuring Microsoft Account

To collect data for the Microsoft Security sourcetypes, you must configure an Active Directory application account with
the appropriate permissions in the Azure Active Directory portal. The permissions required for each sourcetype are:

• Read incidents and their associated alerts (modular input)
♦ Sourcetypes: ms365:defender:incident, ms365:defender:incident:alerts
♦ Permission/Role: Incident.Read.All, SecurityIncident.Read.All*
• Read alerts (modular input)
♦ Sourcetype: ms:defender:atp:alerts
♦ Permission/Role: Alert.Read.All, SecurityAlert.Read.All*
• Update incidents (alert action)
♦ Sourcetypes: ms365:defender:incident, ms365:defender:incident:alerts
♦ Permission/Role: Incident.ReadWrite.All, SecurityIncident.ReadWrite.All*
• Fetch Advanced Hunting query results (alert action)
♦ Sourcetype: m365:defender:incident:advanced_hunting
♦ Permission/Role: AdvancedHunting.Read.All, ThreatHunting.Read.All*
• Read simulation report data (modular input)
♦ Sourcetype: ms:defender:simulations
♦ Permission/Role: AttackSimulation.Read.All
• Read Microsoft Defender generated Advanced Hunting events from Azure Event Hub using the streaming API (modular input)
♦ Sourcetype: ms:defender:eventhub
♦ Permission/Role: Azure Active Directory account with the role "Azure Event Hubs Data Receiver"**

Permissions marked with an asterisk (*) are required if you are pulling or pushing data via the Microsoft Graph REST
APIs.

The role marked with two asterisks (**) is required for getting events from Event Hub. Refer to the Microsoft docs for
configuring the streaming API to stream data from the Microsoft 365 Defender portal to Azure Event Hubs. After the
streaming API has been configured, Advanced Hunting data is streamed to Azure Event Hub in real time and the add-on
collects the data from Azure Event Hub.

After creating the Active Directory application, log in to the Azure portal and, following the Azure documentation:

• Ensure that the alert permissions are set to
♦ "Alert.Read.All" or "Alert.ReadWrite.All" when using Microsoft 365 APIs
♦ "SecurityAlert.Read.All" or "SecurityAlert.ReadWrite.All" when using Microsoft Graph REST APIs
• Ensure that the incident permissions are set to
♦ "Incident.ReadWrite.All" or "Incident.Read.All" or "AdvancedHunting.Read.All" when using Microsoft 365
APIs
♦ "SecurityIncident.Read.All" or "SecurityIncident.ReadWrite.All" or "ThreatHunting.Read.All" when using
Microsoft Graph REST APIs

Grant the application only what its configured inputs use: the modular inputs need only the Read permissions, and the
ReadWrite permissions are needed only if you use the Update Incident alert actions. These are application permissions,
so an administrator must grant admin consent before they take effect.

Configuration

Configure inputs for the Splunk Add-on for Microsoft Security


You must configure an account and an input in the Splunk Add-on for Microsoft Security to collect data with Splunk.

1. Navigate to Add-on UI > Configuration > Account.
2. Click Add and provide the appropriate information:
• Account Name: unique name for the account.
• Client ID: the Azure Active Directory client ID.
• Client Secret: the client secret associated with that client ID.
• Tenant ID: the tenant ID of the Azure account.
3. Click Add to save the account.
4. Navigate to Add-on > Inputs and click the Create New Input dropdown.
5. Select your input and provide the requested information:

• For the "Microsoft 365 Defender Incidents" modular input
♦ Name: name of the modular input
♦ Interval: data collection interval
♦ Index: index in which you want to ingest the data
♦ Azure App Account: account created on the Configuration page using client_id and client_secret
♦ Tenant ID: (optional) tenant ID of the Azure account. This overrides the tenant ID provided in the
account created on the Configuration page
♦ Environment: endpoint to collect data from
♦ Start Date: date from which to start collecting data. If it is empty, the default start date of 30 days
before now (in UTC) is used

• For the "Microsoft Defender for Endpoint Alerts" modular input
♦ Name: name of the modular input
♦ Interval: data collection interval
♦ Index: index in which you want to ingest the data
♦ Azure App Account: account created on the Configuration page using client_id and client_secret
♦ Tenant ID: (optional) tenant ID of the Azure account. This overrides the tenant ID provided in the
account created on the Configuration page
♦ Location: location of the server to collect data from
♦ Start Date: date from which to start collecting data. If it is empty, the default start date of 30 days
before now is used

• For the "Microsoft Defender Simulations" modular input
♦ Name: name of the modular input
♦ Azure App Account: account created on the Configuration page using client_id and client_secret
♦ Environment: environment of the server to collect data from
♦ Start Date: date from which to start collecting data. If it is empty, the default start date of 30 days
before now is used
♦ Interval: data collection interval
♦ Index: index in which you want to ingest the data

• For the "Microsoft Defender Event Hub" modular input
♦ Name: name of the modular input
♦ Azure App Account: account created on the Configuration page using client_id and client_secret
♦ Event Hub Namespace (FQDN): namespace of the event hub
♦ Event Hub Name: name of the event hub to collect data from
♦ Consumer Group: consumer group of the event hub to collect data from
♦ Streaming Event Types: types of Advanced Hunting events the add-on collects. If it is empty, all supported
event types are collected by default.
♦ Index: index in which you want to ingest the data

6. Click Add.

Configure the Input with the same environment in all Inputs. Configuring multiple inputs, each with a different environment,
will mix up commercial environment data with that of GCC/GCC-High environment data.

Important information about the Microsoft Defender Event Hub modular input

• Splunk Cloud customers who install this add-on on the Inputs Data Manager (IDM) and want to collect event hub data
must use the Admin Configuration Service (ACS) to open outbound ports 5671/tcp and 5672/tcp (Advanced Message Queuing
Protocol, AMQP) to their target Azure address. By default, IDMs can only go out on port 443.
• This modular input fetches data from Azure Event Hub in real time. On the add-on's Inputs page the interval is
displayed as 0, because the input stays connected to Event Hub and listens for events continuously.
• The Event Hubs Basic tier has a maximum retention of 24 hours. If an input is inactive for more than 24 hours, the
events that the add-on did not collect during that period are permanently lost.
• When you enter all details and click Add to create an input of this type, the add-on validates the details by
connecting to Azure Event Hub with the provided credentials, so creation takes some time even when the details are
valid. With invalid details it takes longer, because the error returned by Azure Event Hub has to be processed and
displayed.
• If you add partitions dynamically (add new partitions to an existing event hub), the input checkpoint is reset and
events may be duplicated for the pre-existing partitions. For example:
♦ An event hub test_eventhub has 2 partitions, 0 and 1. In the MS Security add-on, data is being ingested from all
partitions of test_eventhub via an input named input_eventhub.
♦ You disable input_eventhub in the add-on and add new partitions to the event hub. After the addition,
test_eventhub has 4 partitions, 0 to 3.
♦ You re-enable input_eventhub in the add-on. The checkpoints for partitions 0 and 1 are reset and events from
them may be duplicated.
• Because most of the input details are used for checkpointing, most fields cannot be edited after the input is
created. Only Index and Streaming Event Types are editable.

Configure inputs using configuration files

Splunk Cloud Platform

Use the Splunk Web steps for setting up the add-on, as described in the previous sections. You can't set up the add-on
using the configuration files.

Splunk Enterprise

System access, such as a system administrator has, is required in order to set up the Splunk Add-on for Microsoft
Security using configuration files.

1. On your heavy forwarder or deployment server, navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_MS_Security and
create a local directory if it does not already exist.
2. Create a file called splunk_ta_ms_security_account.conf in the
$SPLUNK_HOME/etc/apps/Splunk_TA_MS_Security/local directory.
3. Refer to $SPLUNK_HOME/etc/apps/Splunk_TA_MS_Security/README/splunk_ta_ms_security_account.conf.spec for the
settings to fill in the splunk_ta_ms_security_account.conf file.
4. If configuring from a deployment server, enable the
script://$SPLUNK_HOME/etc/apps/Splunk_TA_MS_Security/bin/ms_security_encrypt_creds.py input in inputs.conf, which
encrypts the credentials stored in the conf file after deployment.
5. Create the necessary inputs.
6. Push these conf files to your heavy forwarder and restart the heavy forwarder.

Supported endpoints for configuring an input

• ATP Alerts (User-Agent: MdePartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>)
♦ General: https://api.securitycenter.microsoft.com
♦ US: https://api-us.securitycenter.microsoft.com
♦ EU: https://api-eu.securitycenter.microsoft.com
♦ UK: https://api-uk.securitycenter.microsoft.com
♦ GCC: https://api-gcc.securitycenter.microsoft.us
♦ GCC High/DoD: https://api-gov.securitycenter.microsoft.us
• ATP Alerts - Graph API (User-Agent: MdePartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>)
♦ Commercial & GCC - Graph API: https://graph.microsoft.com
♦ GCC High - Graph API: https://graph.microsoft.us
• Endpoint Incidents (User-Agent: M365DPartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>)
♦ Commercial: https://api.security.microsoft.com
♦ GCC: https://api-gcc.security.microsoft.us
♦ GCC High: https://api-gov.security.microsoft.us
• Endpoint Incidents - Graph API (User-Agent: M365DPartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>)
♦ Commercial & GCC - Graph API: https://graph.microsoft.com
♦ GCC High - Graph API: https://graph.microsoft.us
• Simulations (User-Agent: M365DPartner-Splunk-MicrosoftSecurityAddOn/<TA_Version>)
♦ Commercial & GCC - Graph API: https://graph.microsoft.com
♦ GCC High - Graph API: https://graph.microsoft.us

Validate data collection

Once you have configured the modular input, run this search to check that you are ingesting the expected data:

index=<index provided in the input> sourcetype IN ("ms:defender:atp:alerts", "ms365:defender:incident", "ms365:defender:incident:alerts", "ms:defender:simulations", "ms:defender:eventhub")

Configure Alert Actions to collect data for the Splunk Add-on for Microsoft
Security
You can configure an alert action for Advanced Hunting and Update Incidents in the Splunk Add-on for Microsoft
Security in order to collect data into Splunk on demand rather than on a schedule.

1. Navigate to Add-on UI > Settings > Searches, Reports and Alerts.


2. Click New Alert.
3. Click Create Alert and provide the appropriate information.
4. Select a value from Add Action dropdown
♦ Defender Advanced Hunting : For collecting Advanced Hunting Events
♦ Defender Update Incident : For updating incidents and collecting events of updated incidents
♦ Defender Update Incident via Graph API: For updating incidents and collecting events of updated
incidents using the Microsoft Graph API
5. Select desired action and provide the requested information.
6. Click Save.

Note the following:

• Alert Action queries are not supported on Classic Cloud instances.
• When you create a Defender Advanced Hunting Alert Action, you must provide the Query.
• You can optionally provide a Tenant ID corresponding to the selected Account to authenticate the API calls made by
Alert Actions.
• In clustered environments, configure the Alert Action on the Victoria stack or on the heavy forwarder, because that is
where the action collects data.

Use Dashboards to view the analytics for the Splunk Add-on for Microsoft
Security
MS Security TA logs Dashboard

You can view the log analytics and performance data for the Splunk Add-on for Microsoft Security using this dashboard.

1. Navigate to Add-on UI > Log Analytics > MS Security TA logs.
2. Select a time range from the time picker labeled "Time for logs" at the top left corner.
3. You can now view the different analytics and panels related to the TA logs.

Panels provided in this Dashboard include:

• Microsoft Security TA
• Roles for the MS Security (Requires DEBUG logs enabled)
• CPU consumption (Supported only on specific OS)
• Memory consumption (Supported only on specific OS)
• ATP Alerts ingested
• Defender Incidents ingested
♦ Defender Incidents
♦ Defender Alerts associated with Incidents
• Events from EventHub ingested
• Advanced Hunting ingested
• Phishing Simulation Attack ingested
• EPS by MS Security sourcetype (EPS stands for Events per Second)
• MS Security .conf current changes
• MS Security .conf update frequency

MS Security TA Errors Dashboard

You can view the error analytics and performance data per sourcetype for the Splunk Add-on for Microsoft Security
using this dashboard.

1. Navigate to Add-on UI > Log Analytics > MS Security TA Errors.
2. Select a time range from the time picker labeled "Time for logs" at the top left corner.
3. You can now view the different analytics and panels related to the TA errors.

Panels provided in this Dashboard:

• ATP Alerts errors


• Defender Incidents errors
• Defender EventHub Input errors
• Advanced Hunting errors
• Defender Simulations errors

Troubleshooting

Troubleshoot the Splunk Add-on for Microsoft Security


For helpful troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons. You can also access these
support and resource links.

Useful Searches

Search the _internal index for logs specific to the add-on. The same search queries are used in the dashboard panels
that display errors to users, so error information can also be viewed in the dashboards provided by the add-on; see
the MS Security TA Errors Dashboard.

403 Forbidden Error

The error message "Missing Application Roles. API required roles: ..." means that your Azure Active Directory
application does not have the permissions necessary to fetch the data. For example:

ERROR pid=<pid> tid=<thread> file=ms_security_utils.py:get_atp_alerts_odata:274 | {'error': {'code': 'Forbidden', 'message': 'Missing application roles. API required roles: SecurityIncident.Read.All,SecurityIncident.ReadWrite.All, application roles: SecurityEvents.Read.All,User.Read.All.', 'innerError': '...'}}
Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_MS_Security/bin/ms_security_utils.py", line 254, in get_atp_alerts_odata
r.raise_for_status()
File "/opt/splunk/etc/apps/Splunk_TA_MS_Security/lib/requests/models.py", line 1021, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url:<your_url>

In the message, "API required roles" lists the roles the API accepts for the call and "application roles" lists the
roles your application currently has. Refer to the Configure Permissions document, add a missing permission named in
the error message, and grant admin consent to resolve the error.

To use the Microsoft Graph API to collect data, set the environment/location parameter to a value ending with
"- Graph API" when configuring an input in the add-on, and set the Graph API permissions accordingly as well.
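The check a practitioner usually wants at this point, both when creating the app registration (see "Create Active Directory permissions for configuring Microsoft Account") and when a 403 appears, is to compare what the registration was actually consented for against what each input needs. The following Python is an added example and is not part of the add-on or of this manual: it decodes the roles claim of an app-only access token you obtained for your own registration (without verifying it; this is inspection, not trust), diffs it against the permission table above, and parses the 403 message to name the least-privileged role to add. The token below is constructed and unsigned; the mapping of ReadWrite roles covering Read roles follows the permission list in this manual.

```python
import base64
import json
import re

# Application roles each add-on sourcetype needs, from the permissions table in
# this manual. First set: Microsoft 365 Defender / Defender for Endpoint API
# roles; second set: the Microsoft Graph equivalents (the "*" roles), used when
# the input's environment ends with "- Graph API". Simulations are served only
# through Graph, so both columns carry the Graph role.
REQUIRED_ROLES = {
    "ms365:defender:incident": ({"Incident.Read.All"}, {"SecurityIncident.Read.All"}),
    "ms:defender:atp:alerts": ({"Alert.Read.All"}, {"SecurityAlert.Read.All"}),
    "m365:defender:incident:advanced_hunting": (
        {"AdvancedHunting.Read.All"}, {"ThreatHunting.Read.All"}),
    "ms:defender:simulations": ({"AttackSimulation.Read.All"}, {"AttackSimulation.Read.All"}),
}

_ERR_RE = re.compile(
    r"API required roles:\s*(?P<accepted>.*?),\s*application roles:\s*(?P<granted>.*?)\.?\s*$")


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_roles(access_token):
    """Return the 'roles' claim of an app-only (client credentials) access token.

    This only inspects a token issued to your own app registration so you can see
    which application permissions were consented; it does not validate the
    signature, so never use it to trust a token that came from somewhere else.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return set(json.loads(_b64url_decode(parts[1])).get("roles", []))


def _satisfied(required, granted):
    # The manual accepts either X.Read.All or X.ReadWrite.All, so a ReadWrite
    # role covers the corresponding Read requirement.
    return required in granted or required.replace(".Read.", ".ReadWrite.") in granted


def missing_roles(granted, sourcetype, graph_api=False):
    """Roles the registration still lacks before the add-on can collect `sourcetype`."""
    m365_roles, graph_roles = REQUIRED_ROLES[sourcetype]
    needed = graph_roles if graph_api else m365_roles
    return {r for r in needed if not _satisfied(r, granted)}


def parse_403(message):
    """Split a Defender 403 body into (roles the API accepts, roles the app has)."""
    m = _ERR_RE.search(message)
    if not m:
        raise ValueError("unrecognised error message")
    split = lambda s: {x.strip() for x in s.split(",") if x.strip()}
    return split(m.group("accepted")), split(m.group("granted"))


def roles_to_add(message):
    """Roles to grant so the call behind a 403 succeeds, preferring Read over ReadWrite."""
    accepted, granted = parse_403(message)
    if accepted & granted:
        return set()  # an accepted role is already present; look at consent or tenant instead
    read_only = {r for r in accepted if ".Read." in r}
    return read_only or accepted


def _unsigned_jwt(claims):
    # Constructed, unsigned token for this example only. Real tokens are issued by
    # https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token for the
    # registration's client_id and client_secret named in this manual.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed sample: an app consented for MDE alerts and incident updates only.
SAMPLE_TOKEN = _unsigned_jwt({
    "aud": "https://api.securitycenter.microsoft.com",
    "roles": ["Alert.Read.All", "Incident.ReadWrite.All"],
})

# The message body from the 403 example in this manual.
SAMPLE_403 = ("Missing application roles. API required roles: "
              "SecurityIncident.Read.All,SecurityIncident.ReadWrite.All, "
              "application roles: SecurityEvents.Read.All,User.Read.All.")

if __name__ == "__main__":
    have = token_roles(SAMPLE_TOKEN)
    for st in REQUIRED_ROLES:
        print(f"{st}: missing {missing_roles(have, st) or 'nothing'}")
    print("403 fix:", roles_to_add(SAMPLE_403))
```

Run it against a real token by pasting the token string into token_roles(); an empty roles claim usually means admin consent was never granted, and a role present in the token but still rejected usually means the input was configured against the wrong environment (Microsoft 365 API versus Graph API) for that role.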

SSL certificate issue

If you encounter an SSL: CERTIFICATE_VERIFY_FAILED error, the certificate authority that issued the server certificate
(often a private CA on a TLS-intercepting proxy) is missing from the add-on's certificate store. Resolve the issue by
adding that CA certificate to the add-on's trust list.

The Splunk Add-on for Microsoft Security uses the Python requests library to make REST calls to Microsoft. Requests
raises this SSL error if it cannot verify the server certificate. For more information, see
https://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification

• Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_MS_Security/lib/certifi
• Edit the cacert.pem file
• Append the contents of your root certificate (PEM format) to this file
• Restart Splunk

Note that upgrading the add-on replaces the bundled cacert.pem, so repeat these steps after each upgrade. Add only a CA
you control or trust; do not disable certificate verification.

New extractions don't work

If extractions don't work, try disabling the inputs of the Microsoft 365 Defender Add-on for Splunk, then disable the
Microsoft 365 Defender Add-on for Splunk itself, and check whether the extractions are applied.

To disable the inputs and the add-on:

1. Navigate to Add-on > Inputs.
2. Disable each input by selecting "Disable" in the dropdown list.
3. Navigate to Apps > Manage Apps.
4. Disable the Microsoft 365 Defender Add-on for Splunk by clicking "Disable".

Data duplication in the ms365:defender:incident:alerts sourcetype

Data duplication is an expected behavior in ms365:defender:incident:alerts sourcetype. See the Sourcetypes topic in
this manual for more information.

Issue in Data Collection

If any issue in data collection persists, verify appropriate permissions are set for the configured account on Azure Active
Directory Portal. See the Hardware and software requirements topic in this manual for more information.

Reference

Source types for the Splunk Add-on for Microsoft Security

The Splunk Add-on for Microsoft Security provides search-time knowledge for Microsoft Security logs in the following
formats.

• ms:defender:atp:alerts
♦ Description: data related to alerts generated from the Microsoft 365 Defender portal.
♦ CIM data models: Alerts
• ms365:defender:incident
♦ Description: data related to incidents generated from the Microsoft 365 Defender portal.
♦ CIM data models: Ticket Management
• ms365:defender:incident:alerts
♦ Description: newly introduced sourcetype containing data related to alerts associated with incidents in Microsoft
365 Defender.
♦ CIM data models: Alerts
• m365:defender:incident:advanced_hunting
♦ Description: events collected by the alert actions configured in the add-on.
♦ CIM data models: Email, Endpoint, Authentication
• ms:defender:simulations
♦ Description: data related to simulations generated from the Microsoft 365 Defender portal.
♦ CIM data models: Alerts
• ms:defender:eventhub
♦ Description: Advanced Hunting events generated from the Microsoft 365 Defender portal and collected from Azure
Event Hub.
♦ CIM data models: Certificates, Endpoint, Compute Inventory
Duplicate Events for the ms365:defender:incident:alerts sourcetype

• Microsoft Defender incident alerts can be collected as part of the Microsoft 365 Defender incidents API.
• When a Microsoft 365 Defender incident is updated (status change, alerts added or removed, etc.), a new event is
generated and collected in Splunk for both the ms365:defender:incident:alerts and ms365:defender:incident
sourcetypes.
• When an incident is updated, some of its fields are modified, but its related alerts may not be. So on the
next API call, when the incident with the same incidentId is fetched, it is assigned to both the ms365:defender:incident
and ms365:defender:incident:alerts sourcetypes, causing probable data duplication in the alerts sourcetype.
• For example, if incidentId=21 is updated, during the next API call "incidentId=21" is fetched and ingested in
sourcetype=ms365:defender:incident in Splunk with updated field values, and its related alerts are ingested in
sourcetype=ms365:defender:incident:alerts with the same field values as before, causing probable data duplication.
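As an added example (not code from the add-on), the following Python simulates the index-time split described above over two constructed polls of the incidents API, counts the alert events that are exact repeats of an earlier event, and dedupes them by (incidentId, alertId). Only incidentId is a field named on this page; status, lastUpdateTime, alerts, alertId and title are assumed names.

```python
import json
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]

# Constructed sample responses from two successive incidents-API polls.
# Only incidentId is a field named in the manual; the other field names
# (status, lastUpdateTime, alerts, alertId, title) are assumptions.
POLL_1: List[Event] = [
    {"incidentId": 21, "status": "active",
     "lastUpdateTime": "2024-04-01T10:00:00Z",
     "alerts": [{"alertId": "da637", "title": "Suspicious PowerShell command line",
                 "lastUpdateTime": "2024-04-01T09:58:00Z"},
                {"alertId": "da638", "title": "Credential dumping attempt",
                 "lastUpdateTime": "2024-04-01T09:59:00Z"}]},
]
# Second poll: the incident was resolved (a status change); its alerts did not change.
POLL_2: List[Event] = [
    {**POLL_1[0], "status": "resolved", "lastUpdateTime": "2024-04-01T11:00:00Z"},
]


def split_incident(incident: Event) -> Tuple[Event, List[Event]]:
    """Mimic the add-on's index-time split: the incident fields become one
    ms365:defender:incident event, and each alert (tagged with its incidentId)
    becomes one ms365:defender:incident:alerts event."""
    incident_event = {k: v for k, v in incident.items() if k != "alerts"}
    alert_events = [dict(alert, incidentId=incident["incidentId"])
                    for alert in incident.get("alerts", [])]
    return incident_event, alert_events


def ingest(polls: List[List[Event]]) -> Tuple[List[Event], List[Event]]:
    """Run every poll through the split; returns (incident events, alert events)."""
    incidents: List[Event] = []
    alerts: List[Event] = []
    for poll in polls:
        for incident in poll:
            incident_event, alert_events = split_incident(incident)
            incidents.append(incident_event)
            alerts.extend(alert_events)
    return incidents, alerts


def count_exact_duplicates(events: List[Event]) -> int:
    """Number of events that repeat an earlier event field-for-field."""
    seen = set()
    repeats = 0
    for event in events:
        key = json.dumps(event, sort_keys=True)
        repeats += key in seen
        seen.add(key)
    return repeats


def dedupe_alerts(alerts: List[Event]) -> List[Event]:
    """Keep one event per (incidentId, alertId): the most recently updated copy,
    as a search-time dedup on those two fields would."""
    latest: Dict[Tuple[Any, Any], Event] = {}
    for event in alerts:
        key = (event["incidentId"], event["alertId"])
        current = latest.get(key)
        if current is None or event["lastUpdateTime"] >= current["lastUpdateTime"]:
            latest[key] = event
    return list(latest.values())
```

Running ingest over POLL_1 and POLL_2 yields two distinct incident events but four alert events, two of which are exact repeats; dedupe_alerts reduces them to two.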

Release Notes

Release notes for the Splunk Add-on for Microsoft Security


About this release

Version 2.2.0 of the Splunk Add-on for Microsoft Security was released on April 24, 2024. It is compatible with the
following software, CIM versions, and platforms.

Splunk platform versions 9.0.x, 9.1.0.x

CIM 5.2.0

Platforms Windows, Linux based Operating Systems

Vendor Products Microsoft 365 Defender, Defender for Endpoint, Azure Event Hubs

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does
not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 2.2.0 of the Splunk Add-on for Microsoft Security has the following new features.

• New modular input to collect simulations data from Microsoft 365 Defender Portal.
• New modular input to collect Microsoft Defender Advanced Hunting events from Azure Event Hub streamed from
Defender portal via streaming API.

CIM Data Model Changes

There are no changes in the CIM Data Model for existing extractions. For the new modular inputs introduced in v2.2.0, the CIM
Data Model mappings are as follows:

Field Changes

Source-type | attackType | Fields added | Fields removed
['ms:defender:simulations'] | social | type, user_name, severity, src, app, dest, user, signature, signature_id | (none)

Source-type | category | Fields added | Fields removed
['ms:defender:eventhub'] | AdvancedHunting-DeviceEvents | parent_process_name, user, parent_process_id, parent_process_path, action, original_file_name, process_exec, process_integrity_level, dest, process_path, vendor_product, process_id, process_hash, process_name, process | (none)
['ms:defender:eventhub'] | AdvancedHunting-DeviceFileCertificateInfo | ssl_validity_window, src, ssl_issuer_common_name, dest, ssl_serial, ssl_subject_common_name, ssl_subject_organization, ssl_hash, ssl_start_time, ssl_signature_algorithm, ssl_end_time | (none)
['ms:defender:eventhub'] | AdvancedHunting-DeviceFileEvents | file_name, file_create_time, file_hash, action, file_access_time, file_acl, dest, file_path, file_size, vendor_product, process_id, user | (none)
['ms:defender:eventhub'] | AdvancedHunting-DeviceImageLoadEvents | file_name, file_hash, action, file_access_time, file_acl, dest, file_size, file_path, vendor_product, process_id, user | (none)
['ms:defender:eventhub'] | AdvancedHunting-DeviceInfo | family, version, os, dest, vendor_product | (none)
['ms:defender:eventhub'] | AdvancedHunting-DeviceLogonEvents, AdvancedHunting-DeviceNetworkEvents | parent_process_name, user, parent_process_id, parent_process_path, action, original_file_name, process_exec, process_integrity_level, dest, process_path, vendor_product, process_id, process_hash, process_name, process | (none)
['ms:defender:eventhub'] | AdvancedHunting-DeviceNetworkInfo | mac, src_ip, name, ip, dest, interface, vendor_product, dns, status | (none)
['ms:defender:eventhub'] | AdvancedHunting-DeviceProcessEvents | parent_process_name, user, parent_process_id, parent_process_path, action, parent_process, original_file_name, process_exec, process_integrity_level, dest, process_path, vendor_product, process_id, process_name, process | (none)
['ms:defender:eventhub'] | AdvancedHunting-DeviceRegistryEvents | action, registry_path, dest, registry_key_name, registry_hive, process_id, registry_value_type, vendor_product, registry_value_name, user | (none)

Note: There are no field mappings removed in this version. As a part of introducing new modular inputs, only new field
mappings are added.

Fixed issues

Version 2.2.0 of the Splunk Add-on for Microsoft Security contains no fixed issues.

Known issues

Version 2.2.0 of the Splunk Add-on for Microsoft Security contains the following known issues. If no issues appear below,
no issues have been reported.

Third-party software attributions

Version 2.2.0 of the Splunk Add-on for Microsoft Security incorporates the following third-party software or libraries:
Media:MS-Security-v2.2.0-third-party.pdf

Release history
Version 2.2.0 is the latest release of the Splunk Add-on for Microsoft Security. See Release notes for more information.

Version 2.1.1

Version 2.1.1 of the Splunk Add-on for Microsoft Security was released on July 13, 2023. It is compatible with the
following software, CIM versions, and platforms.

Splunk platform versions 9.0.x

CIM 5.0.1

Platforms Platform independent

Vendor Products Microsoft 365 Defender, Defender for Endpoint

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does
not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 2.1.1 of the Splunk Add-on for Microsoft Security has the following new features.

• Fixes the issue of proxy not being used while creating/updating inputs.

CIM Data Model Changes

There are no CIM Data Model changes between the Splunk add-on for Microsoft Security v2.1.0 and v2.1.1.

Fixed issues

Version 2.1.1 of the Splunk Add-on for Microsoft Security contains the following fixed issues.

Date resolved | Issue number | Description
2023-07-31 | ADDON-63131 | Proxy details not used while creating/updating the input

Known issues

Version 2.1.1 of the Splunk Add-on for Microsoft Security contains the following known issues. If no issues appear below,
no issues have yet been reported.

Third-party software attributions

The Splunk Add-on for Microsoft Security incorporates the following third-party software or libraries:
Media:MS-Security-v2.1.0-third-party.pdf

Version 2.1.0

Version 2.1.0 of the Splunk Add-on for Microsoft Security was released on June 13, 2023. It is compatible with the
following software, CIM versions, and platforms.

Splunk platform versions 9.0.x

CIM 5.0.1

Platforms Platform independent

Vendor Products Microsoft 365 Defender, Defender for Endpoint

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does
not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 2.1.0 of the Splunk Add-on for Microsoft Security has the following new features.

• Provides dashboards that give insight into the add-on: informational insights, errors, and their action items
• Provides support for configuring the add-on from the deployment server
• Shows warning message when creating an input with duplicate values

CIM Data Model Changes

There are no CIM Data Model or field extraction changes between the Splunk add-on for Microsoft Security v2.0.1 and
v2.1.0.

Fixed issues

Version 2.1.0 of the Splunk Add-on for Microsoft Security contains no fixed issues.

Known issues

Version 2.1.0 of the Splunk Add-on for Microsoft Security contains the following known issues.

Date filed | Issue number | Description
2023-07-03 | ADDON-63131 | Proxy details not used while creating/updating the input

Third-party software attributions

Version 2.1.0 of the Splunk Add-on for Microsoft Security incorporates the following third-party software or libraries:
Media:MS-Security-v2.1.0-third-party.pdf

Version 2.0.1

Version 2.0.1 of the Splunk Add-on for Microsoft Security was released on Apr 14, 2023. It is compatible with the following
software, CIM versions, and platforms.

Splunk platform versions 8.1.x, 8.2.x, 9.0.x

CIM 5.0.1

Platforms Platform independent

Vendor Products Microsoft 365 Defender, Defender for Endpoint

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does
not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 2.0.1 of the Splunk Add-on for Microsoft Security has the following new features.

• Provided support of Microsoft Graph API for getting incidents and alerts
• Provided support of Microsoft Graph API for updating incidents and running advanced hunting queries
• Updated look and feel of the input and configuration pages
• Account configuration now supports providing a default value for tenant Id
• The data collected via Microsoft Graph API is CIM compliant

CIM Data Model Changes

There are no CIM Data Model changes between the Splunk add-on for Microsoft Security v1.3.1 and v2.0.1, but there are
the following new mappings.

Field Changes

Source-type | category | Fields added | Fields removed
['ms:defender:atp:alerts'] | LateralMovement, Discovery, PrivilegeEscalation, SuspiciousActivity, DefenseEvasion, Collection, CredentialAccess, Execution, CommandAndControl, InitialAccess | (none) | signature_id
['ms:defender:atp:alerts'] | None, Persistence | (none) | signature_id, user

Source-type | threatFamilyName | Fields added | Fields removed
['ms365:defender:incident:alerts'] | null | (none) | signature_id

Note: Previously, for the above signature_id and user fields, values such as "null" were extracted, which now won't be
extracted. There are no field changes for the m365:defender:incident:advanced_hunting sourcetype.

Fixed issues

Version 2.0.1 of the Splunk Add-on for Microsoft Security contains no fixed issues.

Date resolved | Issue number | Description
2023-04-11 | ADDON-61739 | Advance Hunt query results aren't ingested when using Microsoft Graph APIs

Known issues

Version 2.0.1 of the Splunk Add-on for Microsoft Security contains the following known issues.

Date filed | Issue number | Description
2023-07-03 | ADDON-63131 | Proxy details not used while creating/updating the input

Third-party software attributions

Version 2.0.1 of the Splunk Add-on for Microsoft Security incorporates the following third-party software or libraries:
Media:MS-Security-v2.0.1-third-party.pdf

Version 1.3.1

Version 1.3.1 of the Splunk Add-on for Microsoft Security was released on October 13, 2022. It is compatible with the
following software, CIM versions, and platforms.

Splunk platform versions 8.1, 8.2, 9.0

CIM 5.0.1

Platforms Platform independent

Vendor Products Microsoft 365 Defender, Defender for Endpoint

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does
not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 1.3.0 of the Splunk Add-on for Microsoft Security has the following new features.

• Updated the eventtype name from ms_defender to ms_security for Splunk Add-On for Microsoft Security

Old Eventtype Name | New Eventtype Name
ms_defender_incident | ms_security_incident
ms_defender_atp_alert | ms_security_atp_alert
ms_defender_advanced_hunting_sourcetypes | ms_security_advanced_hunting
ms_defender_advanced_hunting_process | ms_security_advanced_hunting_process
ms_defender_advanced_hunting_filesystem | ms_security_advanced_hunting_filesystem
ms_defender_advanced_hunting_registry | ms_security_advanced_hunting_registry
ms_defender_advanced_hunting_delivery | ms_security_advanced_hunting_delivery
ms_defender_advanced_hunting_email | ms_security_advanced_hunting_email
ms_defender_advanced_hunting_authentication | ms_security_advanced_hunting_authentication
ms_defender_incident_alerts | ms_security_incident_alerts

• Added the support of host field for the events ingested via Alert Actions.
• Updated the system path to prioritize Add-on's third-party libraries for data collection.
• Enhanced validations for better user experience.
• Added support of "Tenant ID" input field in the Alert actions configuration
• Enhanced user experience to select "Account Name" input field in the Alert actions configuration
• Updated extraction of _time field in the sourcetypes ms:defender:atp:alerts and
ms365:defender:incident:alerts. It will be extracted based on the "last update time" of the event

Fixed issues

Version 1.3.1 of the Splunk Add-on for Microsoft Security contains no fixed issues.

Known issues

Version 1.3.1 of the Splunk Add-on for Microsoft Security contains the following known issues.

Third-party software attributions

Version 1.3.1 of the Splunk Add-on for Microsoft Security incorporates the following third-party software or libraries:
Media:Splunk_TA_MS_Security_120.pdf

Version 1.3.0 of the Splunk Add-on for Microsoft Security was released on March 23, 2022. See Release notes for more
information.

Version 1.2.0

Version 1.2.0 of the Splunk Add-on for Microsoft Security was released on March 23, 2022. It is compatible with the
following software, CIM versions, and platforms.

Splunk platform versions 8.1, 8.2

CIM 5.0.0

Platforms Platform independent

Vendor Products Microsoft 365 Defender, Defender for Endpoint

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does
not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 1.2.0 of the Splunk Add-on for Microsoft Security has the following new features.

• Added support for GCC and GCC High environments. Users can now collect data from these environments if they
have credentials for these environments.
• Updated working of alert action - defender_update_incident
• CIM v5.0.0 support

Fixed issues

Version 1.2.0 of the Splunk Add-on for Microsoft Security contains no fixed issues.

Known issues

Version 1.2.0 of the Splunk Add-on for Microsoft Security contains the following known issues.

Third-party software attributions

Version 1.2.0 of the Splunk Add-on for Microsoft Security incorporates the following third-party software or libraries:
Media:Splunk_TA_MS_Security_120.pdf

Version 1.1.0

Version 1.1.0 of the Splunk Add-on for MS Security was released on January 24, 2021. It is compatible with the following
software, CIM versions, and platforms.

Splunk platform versions 8.1, 8.2

CIM 4.20.2

Platforms Platform independent

Vendor Products Microsoft 365 Defender, Defender for Endpoint

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does
not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 1.1.0 of the Splunk Add-on for Microsoft Security has the following new features.

• This is a brand new release for Splunk Add-on for MS Security. The add-on is migrated from the Microsoft 365
Defender Add-on for Splunk.
• The sourcetype m365:defender:incident is renamed to ms365:defender:incident and is now mapped to
Ticket_Management:Incident CIM data model instead of Alerts CIM data model
• Enhanced CIM field mapping for ms:defender:atp:alerts, m365:defender:incident:advanced:hunting
• Introduced new sourcetype ms365:defender:incident:alerts which contains alerts related data bifurcated from
incident events from old sourcetype=m365:defender:incident
• Earlier, the events in old sourcetype m365:defender:incident consisted of alerts data and incident data. Alerts
related data was not relevant in this sourcetype. So in this release, the events are bifurcated at index time in such
a way that alerts related data gets indexed into the new sourcetype ms365:defender:incident:alerts and only
incident related data gets ingested in the renamed sourcetype ms365:defender:incident
• Removed dashboard panels - alert_queue, incident_queue, overview_alert, overview_detections,
advanced_hunting, incident_detail, incident_overview, incident_update, microsoft_defender_atp_alerts
• Added support for CIM v4.20.2

Fixed issues

Version 1.1.0 of the Splunk Add-on for Microsoft Security contains no fixed issues.

Known issues

Version 1.1.0 of the Splunk Add-on for MS Security contains the following known issues.

Third-party software attributions

Version 1.1.0 of the Splunk Add-on for Microsoft Security incorporates the following third-party software or libraries:
Media:Microsoft_Security_3rd_party_1_0.pdf
