icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Windows Defender ATP Modular Inputs TA
SHA256 checksum (windows-defender-atp-modular-inputs-ta_100.tgz) f5829b764a11105f6dde3c2e6dd65bc4ad962629ad48863b302e8af6ff612a32
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Windows Defender ATP Modular Inputs TA

Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
***This TA is tested on 8.0.1 using default python version which is 2.7 and working without any issues***
****This TA doesn't support python3. If your Splunk Enterprise is forced to use python3 still you can make this TA work by just putting python.version=python2 in inputs.conf of TA****

The new TA Add-on for Microsoft Defender ATP Known as Windows Defender ATP (https://splunkbase.splunk.com/app/5038/) is updated version of this TA and The new TA supports Splunk Enterprise Version 8 and python3.

It fetches windows security centre alerts from Azure cloud.

Prerequisite :

First you need to enable SIEM integration in Windows Defender ATP. This will give Client ID , Client Secret. These two are required to get the logs in to Splunk.

Below link provides the documentation on how to enable SIEM integration in Windows Defender ATP :


This TA Requires following attributes:
Endpoint - Use the URI applicable for your region
For EU: https://wdatp-alertexporter-eu.securitycenter.windows.com
For US: https://wdatp-alertexporter-us.securitycenter.windows.com
Tenant ID - It is required to get an access token and this will be used to fetch events from Azure windows security centre
Resource - defaults to https://graph.windows.net
Client ID - This is found in Windows Defender ATP
Client Secret - This is also found in WDATP

For troubleshooting:

Open the app from app menu and click on configuration tab under that click on logging and set log level to debug.

use below query to see for more details on how the script is executed:

index=_internal sourcetype="tawindows:defender:log"

Release Notes

Version 1.0.0
Aug. 20, 2018


Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.