Sep 07 2021 05:29 AM
Sep 08 2021 04:21 AM
@Jake_Mowrer Yes we installed this addon but there some issues:
these fields are not available anymore. (while were available with different app/API)
We already opened a case with Microsoft support but we are not able to resolve this. This is the reason we are asking if other customers are successful with this integration or not.
Sep 09 2021 01:31 PM
@rs8091 Those fields are from the SIEM API documented here:
Microsoft Defender for Endpoint detections API fields | Microsoft Docs
The 1.3.0 Add-on for Splunk is using the incident API in M365 Defender and the Alert API in Defender for Endpoint (you can set it up for both) and not the SIEM API:
M365 Defender incident API - List incidents API in Microsoft 365 Defender | Microsoft Docs
Defender for Endpoint API - List alerts API | Microsoft Docs
The fields you are looking for are a bit different now:
M365 Defender incident API:
- IncidentLinktoMTP = incidentUri (M365 Defender incident API)
- RemediationAction and RemediationIsSucess changed to:
detectionStatus, remediationStatus, remediationStatusDetails
Sep 13 2021 06:02 AM
Sep 13 2021 06:58 AM
Nov 17 2021 09:43 AM
@Jake_Mowrer Hello, this app is not supported by Splunk, we tried to explain it to Microsoft support several times.
Apps and add-ons published either by Splunk or third-party developers. Indicates that no support or maintenance are provided by the publisher.
Customers are solely responsible for ensuring proper functionality and version compatibility of Not-supported apps and add-ons with the applicable Splunk software. If unresolvable functional or compatibility issues are encountered, customers may be required to uninstall the app or add-on from their Splunk environment in order for Splunk to fulfill support obligations.
Are you aware of this?
Nov 17 2021 10:01 AM
Nov 27 2021 12:58 PM
@Jake_Mowrer the app is working but our team does not want to put in production the unsupported app because they are afraid it can stop working any time. Is there a timeline for fixing this?
An alternative from the support is to use the graph api (https://graph.microsoft.com/v1.0/security/alerts/ with app: https://splunkbase.splunk.com/app/4564/ ) but we don't see the same level of detail of the incident API.
"IncidentURI" is missing and also useful fields like "Veridict", "InvestigationState"