Splunk integration ATP Defender


Hello,

we are looking at Microsoft 365 ATP Defender and we are struggling with the integration with Splunk due to some missing fields in the logs. Was anyone successful in doing this?

Thank you!
RS

9 Replies
Hi, are you using this add-on?
https://splunkbase.splunk.com/app/4959/

@Jake_Mowrer Yes, we installed this add-on but there are some issues:

These fields are not available anymore (while they were available with a different app/API):
IncidentLinkToMTP
IncidentLinktoWOATP
RemediationAction
RemediationIsSuccess

We already opened a case with Microsoft support but we are not able to resolve this. This is the reason we are asking if other customers are successful with this integration or not.

@rs8091 Those fields are from the SIEM API documented here:
Microsoft Defender for Endpoint detections API fields | Microsoft Docs (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api-portal-mapping?view=o365-worldwide)

The 1.3.0 Add-on for Splunk is using the incident API in M365 Defender and the Alert API in Defender for Endpoint (you can set it up for both) and not the SIEM API:

M365 Defender incident API - List incidents API in Microsoft 365 Defender | Microsoft Docs (https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-list-incidents?view=o365-worldwide)

Defender for Endpoint API - List alerts API | Microsoft Docs (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-alerts?view=o365-worldwide)

The fields you are looking for are a bit different now:

M365 Defender incident API:

- IncidentLinktoMTP = incidentUri (M365 Defender incident API)
- RemediationAction and RemediationIsSuccess changed to:

    detectionStatus, remediationStatus, remediationStatusDetails

Thanks,

Jake Mowrer
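A worked illustration of the field mapping described in the reply above, added here as an example; it is not code from this thread, from the Splunk add-on, or from Microsoft. It takes one incident in the shape returned by the List incidents API and flattens it into one event per evidence entity, carrying the legacy SIEM API names (IncidentLinktoMTP, RemediationAction, RemediationIsSuccess) next to the incident API names they are taken from, so existing Splunk searches and dashboards keep working. The sample incident is constructed; the assumptions are that detectionStatus, remediationStatus, remediationStatusDetails and verdict sit on the evidence entities nested under each alert, and that the legacy RemediationIsSuccess boolean can be derived from remediationStatus alone.

```python
"""Map M365 Defender incident API records to the legacy SIEM API field names.

Constructed example for the mapping discussed in the thread; not code from
the Splunk add-on or from Microsoft. Assumptions are marked inline.
"""
import json
from typing import Any, Dict, List, Optional

# Constructed sample in the shape of one item from the List incidents API.
# ASSUMPTION: detectionStatus / remediationStatus / remediationStatusDetails /
# verdict live on the evidence entities nested under each alert. Only the
# fields relevant to the mapping are included; the tenant id is a placeholder.
SAMPLE_INCIDENT: Dict[str, Any] = {
    "incidentId": 1234,
    "incidentName": "Example multi-stage incident (constructed)",
    "incidentUri": "https://security.microsoft.com/incidents/1234?tid=<tenant-id-placeholder>",
    "alerts": [
        {
            "alertId": "da_constructed_alert_1",
            "title": "Suspicious file detected",
            "entities": [
                {
                    "entityType": "File",
                    "fileName": "sample.exe",
                    "detectionStatus": "Detected",
                    "remediationStatus": "Remediated",
                    "remediationStatusDetails": "File quarantined",
                    "verdict": "Malicious",
                },
                {
                    "entityType": "File",
                    "fileName": "helper.dll",
                    "detectionStatus": "Detected",
                    "remediationStatus": "Failed",
                    "remediationStatusDetails": "Remediation failed: access denied",
                    "verdict": "Suspicious",
                },
            ],
        },
        {
            # Alert with no evidence entities: still emits one row so the
            # incident link is never dropped from the Splunk data.
            "alertId": "da_constructed_alert_2",
            "title": "Sign-in anomaly",
            "entities": [],
        },
    ],
}


def remediation_is_success(remediation_status: Optional[str]) -> Optional[bool]:
    """ASSUMPTION: the legacy boolean is derived from remediationStatus alone.

    Returns None when there is no remediation status at all (no evidence), so
    an absent value is not reported as a failed remediation.
    """
    if remediation_status is None:
        return None
    return remediation_status == "Remediated"


def flatten_incident(incident: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one flat row per evidence entity (or per alert when it has none).

    Each row carries the legacy SIEM API names next to the incident API names
    they are mapped from, so both old and new searches can match on it.
    """
    rows: List[Dict[str, Any]] = []
    incident_fields = {
        "IncidentId": incident.get("incidentId"),
        "IncidentName": incident.get("incidentName"),
        # Mapping from the thread: IncidentLinktoMTP = incidentUri
        "IncidentLinktoMTP": incident.get("incidentUri"),
    }
    for alert in incident.get("alerts", []):
        # An empty entity list still yields a single row with entity fields None
        entities = alert.get("entities") or [None]
        for entity in entities:
            entity = entity or {}
            status = entity.get("remediationStatus")
            rows.append({
                **incident_fields,
                "AlertId": alert.get("alertId"),
                "AlertTitle": alert.get("title"),
                "EntityType": entity.get("entityType"),
                "FileName": entity.get("fileName"),
                "detectionStatus": entity.get("detectionStatus"),
                "remediationStatus": status,
                "remediationStatusDetails": entity.get("remediationStatusDetails"),
                "Verdict": entity.get("verdict"),
                # Legacy names, derived (assumption) from the new status fields
                "RemediationAction": status,
                "RemediationIsSuccess": remediation_is_success(status),
            })
    return rows


def to_json_lines(rows: List[Dict[str, Any]]) -> str:
    """Serialise rows as newline-delimited JSON, one Splunk event per line."""
    return "\n".join(json.dumps(row, sort_keys=True) for row in rows)


if __name__ == "__main__":
    print(to_json_lines(flatten_incident(SAMPLE_INCIDENT)))
```

Running the script prints three JSON events, one per evidence entity plus one for the entity-less alert; feeding those lines to a Splunk input keeps the incident link on every event, while the three new status fields stay available for searches that need the finer-grained remediation detail.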

@Jake_Mowrer Thank you for the clarification. I can confirm that from the incident API we can see the link.
We are surprised that the link to the alert was removed from the SIEM API. It's important information to have for a security analyst.
We opened a support case to investigate this.

The LinkToWDATP is still in the SIEM API; however, the Splunk add-on linked above does not use the SIEM API any longer, it uses the M365 Defender incident API and the Defender for Endpoint alert API.

@Jake_Mowrer Thank you, from my understanding the API used is: api-eu.securitycenter.microsoft.com.
We opened a ticket with MS support to request an improvement on these fields that can help our security operations.

@Jake_Mowrer Hello, this app is not supported by Splunk; we tried to explain it to Microsoft support several times.

Apps and add-ons published either by Splunk or third-party developers. Indicates that no support or maintenance are provided by the publisher.
Customers are solely responsible for ensuring proper functionality and version compatibility of Not-supported apps and add-ons with the applicable Splunk software. If unresolvable functional or compatibility issues are encountered, customers may be required to uninstall the app or add-on from their Splunk environment in order for Splunk to fulfill support obligations.

Are you aware of this?
Thank you

Yes, we're definitely aware of this and we're working with Splunk to improve this. Are you running into an issue with the add-on?

@Jake_Mowrer the app is working, but our team does not want to put the unsupported app into production because they are afraid it can stop working at any time. Is there a timeline for fixing this?

An alternative from the support is to use the Graph API (https://graph.microsoft.com/v1.0/security/alerts/ with app: https://splunkbase.splunk.com/app/4564/ ), but we don't see the same level of detail as the incident API.
"IncidentURI" is missing, and also useful fields like "Verdict" and "InvestigationState".
