Add-on for Defender ATP Hunting Queries in Splunk

What does this add-on for Splunk do?

It allows you to create queries to onboard the relevant parts of Defender ATP telemetry into Splunk.

Defender ATP has a lot of valuable telemetry data that can be used for correlation in Splunk (Enterprise Security).
Because Microsoft made their Defender ATP API generally available on 22 April 2019 https://twitter.com/MsftSecIntel/status/1120381773639143424
There was previously no way to onboard Defender ATP telemetry data into Splunk.

This add-on works on Linux and Windows

Instance type	Supported	Required	Description
Search head	Yes	Yes	Install this add-on on your search head(s) for proper field extraction
Indexer	Yes	No	This add-on should be installed on a heavy forwarder that does the index time parsing and event breaking. There is no need to install this add-on on an indexer too.
Universal Forwarder	No	No	This add-on is not supported on a Universal Forwarder because it requires Python
Heavy Forwarder	Yes	Yes	Install this add-on on a heavy forwarder

Find the Client ID and Azure AD Tenant ID first in portal.azure.com:

In Azure portal go to Azure Active Directory -> App Registrations
Go to WindowsDefenderATPThreatIntelAPI
Click overview, and find:
Application (client) Id
Directory (tenant) Id
Create a new Client Secret, see the "How do I configure the Azure side of things"

In Splunk, with all this information you can start to configure a new input in the add-on:

Go to Configure, and create a new account. Paste the client id under username, and the client secret under password. Give it a name e.g. client_id_013d1963_d5a9_4329_bc1b_99d8e6db624d
Go to inputs and Create a new input:
- interval: recommended to 900 seconds or greater given the delays in Defender ATP telemetry
- query: be sure to include a "where" statement that prevents duplicate events. Example query:
ProcessCreationEvents | where EventTime > ago(1200s) and EventTime < ago(300s)

Note that the API is rate limited, and also returns max 10000 events to make sure to include extra where clauses to stay below this limit.

In Azure portal go to Azure Active Directory -> App Registrations
Go to WindowsDefenderATPThreatIntelAPI
Under API permissions add "AdvancedQuery.Read.All", and grant admin consent
Under Certificates and Secrets add a new Client secret. The secret is only shown once, so make sure to copy to your favourite password manager.