SHA256 checksums of the downloadable release packages (verify a downloaded .tgz against this list, for example with sha256sum on Linux or Get-FileHash on Windows, before installing it):

  • microsoft-defender-advanced-hunting-add-on-for-splunk_131.tgz: 4bc937f6f8940967ebe73acf9602445f77a037eff1fffb0a5d3ed284112a0431
  • microsoft-defender-advanced-hunting-add-on-for-splunk_130.tgz: 97cacbbde1db077cc955c5646269b150663557cfa0d2b45d286fee35c98bc35a
  • microsoft-defender-advanced-hunting-add-on-for-splunk_122.tgz: 58886315342966d90cbc1388551e7b5dcdd08a066a22c96fe7200e3f686f6d2f
  • microsoft-defender-advanced-hunting-add-on-for-splunk_121.tgz: a1af489d1755c82a6abad9833b3d343d2e026798e10fd91b1959990c6d40425b
  • microsoft-defender-advanced-hunting-add-on-for-splunk_120.tgz: 51fa5ebe8f5ba22df8843691e028df5e517420bb61479efc6181bb500df67d3d
  • microsoft-defender-advanced-hunting-add-on-for-splunk_116.tgz: 3c6724ed4e2edeafe6bd85413255b9df0771c125082f14d1a6bf397368e2d8a0
  • microsoft-defender-advanced-hunting-add-on-for-splunk_115.tgz: 33f25d0e8cb70622ba68f5009e3a0e464b14890572faf9605a4614ed2094afee
  • microsoft-defender-advanced-hunting-add-on-for-splunk_114.tgz: 01dfb02a6dfd6db80fb6199cebdea322ebba06c8d3e86fc04aca34df28b809f9
  • microsoft-defender-advanced-hunting-add-on-for-splunk_111.tgz: 89bdb2fdbbeae789d6ed9b3eae808128dadd25022b0c9f2cfc67886ec6fe4b28
Microsoft Defender Advanced Hunting Add-on for Splunk

This app is NOT supported by Splunk. Please read about what that means for you here.

Microsoft Defender for Endpoint Advanced Hunting Add-on for Splunk

Introduction

This add-on provides field extractions and CIM compatibility for the Endpoint datamodel for Microsoft Defender Advanced Hunting data.
It also maps Device Alert events to the Alerts datamodel.
The data is similar in content to Sysmon data and can be used by detection searches such as those in the Splunk Enterprise Security Content Update.

Future versions may include support for Microsoft Defender for Office 365, Microsoft Defender for Identity and other products in the Microsoft 365 suite.

How is this different from other Microsoft Defender Add-ons for Splunk?

Splunk Add-on for Microsoft Security

  • The above uses the REST API to get data, and the REST API is rate limited, whereas this TA uses Event Hub
  • The above only gives you Alerts and Incidents, not the raw logs
  • The above maps to the Alerts CIM data model, not the Endpoint CIM data model

My advice: Use both Microsoft Defender Advanced Hunting Add-on and Splunk Add-on for Microsoft Security, in order to get both alerts and the raw logs!

Installation

  1. Configure Microsoft Defender for Endpoint to stream Advanced Hunting events to an Azure Event Hub. General notes:
     * https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/raw-data-export-event-hub?view=o365-worldwide
     * Use a separate Event Hub name for Advanced Hunting data. Do not mix this data with other types of data; failing to keep it separate will render this add-on useless.

  2. Install this add-on on your Search Heads, Indexers and Heavy Forwarders (if part of your data collection topology).

  3. Install the Splunk Add-on for Microsoft Cloud Services (https://splunkbase.splunk.com/app/3110/), version 4.3.3 or later, and use it to ingest the data.

  4. When setting up the Event Hub input, enter Sourcetype: mscs:azure:eventhub:defender:advancedhunting

  5. Verify that raw data is arriving by running the following search: index=* eventtype="ms_defender_advanced_hunting_sourcetypes"

  6. Enable the scheduled saved searches mentioned in Data Models below, on one Search Head (preferably ES), in order to populate the Malware and Email data models.

  7. Verify that data for the Malware and Email data models is generated by the scheduled saved searches by running the following search: index=* sourcetype IN ("defender:advancedhunting:malware","defender:advancedhunting:email")

  8. Bear in mind that, because of the latency between the Azure services and Event Hub, the data produced by the saved searches will be up to 15 minutes late (sometimes more).
  9. You will need to account for this in any downstream detections in ES or the like, either by widening the search window or by basing the searches on index time (_indextime) rather than event time (_time).
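The latency warning in steps 8 and 9 can be measured directly on the three envelope samples shown further down this page: each record carries both the envelope "time" (when Microsoft published it to Event Hub) and a properties.Timestamp (when the event happened on the device or in the service). The following Python is an added example, not code from the add-on; it computes that lag for each sample and then simulates a scheduled detection with a 15-minute lookback, once on event time and once on index time. It assumes the envelope time as a stand-in for Splunk's _indextime and properties.Timestamp as the value the add-on assigns to _time (per the 1.3.1 release note); the one-minute schedule delay is likewise an assumption.

```python
"""Added example (not part of the add-on): measure the lag between event time
and Event Hub arrival for the page's sample records, and show why a detection
that looks back 15 minutes by _time can miss late records that a window on
_indextime would catch. Assumption: envelope "time" stands in for _indextime,
properties.Timestamp for _time."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed, abbreviated copies of the three envelope samples on this page;
# only the timestamp-bearing fields are kept.
SAMPLE_RECORDS = [
    json.dumps({"time": "2021-04-14T18:50:42.1532345Z",
                "category": "AdvancedHunting-DeviceProcessEvents",
                "properties": {"Timestamp": "2021-04-14T18:49:17.7849324Z"}}),
    json.dumps({"time": "2021-06-21T18:39:44.2979096Z",
                "category": "AdvancedHunting-EmailEvents",
                "properties": {"Timestamp": "2021-06-21T18:34:06Z"}}),
    json.dumps({"time": "2021-09-12T17:13:58.0041354Z",
                "category": "AdvancedHunting-AlertInfo",
                "properties": {"Timestamp": "2021-09-12T16:36:48.7090029Z"}}),
]

_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def parse_ts(value: str) -> datetime:
    """Parse an Azure UTC timestamp. Azure writes up to seven fractional digits
    (more than older datetime.fromisoformat implementations accept), so the
    fraction is truncated to microseconds by hand; a missing fraction is fine."""
    m = _TS.match(value)
    if not m:
        raise ValueError(f"unexpected timestamp format: {value!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micros = int((m.group(2) or "0").ljust(6, "0")[:6])
    return base.replace(microsecond=micros, tzinfo=timezone.utc)


def lag_seconds(raw: str) -> float:
    """Seconds between the body Timestamp (event time) and the envelope time
    (arrival at Event Hub) for one record."""
    rec = json.loads(raw)
    return (parse_ts(rec["time"]) - parse_ts(rec["properties"]["Timestamp"])).total_seconds()


def caught_by_window(raw: str, run_at: datetime, lookback: timedelta, by_index_time: bool) -> bool:
    """Would a search run at run_at with a lookback of `lookback` see this record?
    by_index_time=False models earliest=-15m on _time; True models the same
    window applied to _indextime (Splunk's _index_earliest=-15m)."""
    rec = json.loads(raw)
    stamp = parse_ts(rec["time"]) if by_index_time else parse_ts(rec["properties"]["Timestamp"])
    return run_at - lookback <= stamp <= run_at


def missed_by_event_time(records, lookback=timedelta(minutes=15),
                         schedule_delay=timedelta(seconds=60)):
    """Categories that an event-time window misses but an index-time window
    catches, assuming the search fires schedule_delay after the record lands."""
    missed = []
    for raw in records:
        rec = json.loads(raw)
        run_at = parse_ts(rec["time"]) + schedule_delay
        if (not caught_by_window(raw, run_at, lookback, by_index_time=False)
                and caught_by_window(raw, run_at, lookback, by_index_time=True)):
            missed.append(rec["category"])
    return missed


if __name__ == "__main__":
    for raw in SAMPLE_RECORDS:
        print(f"{json.loads(raw)['category']:45s} lag {lag_seconds(raw):8.1f} s")
    print("missed by a 15-minute event-time window:", missed_by_event_time(SAMPLE_RECORDS))
```

On the page's own samples the process event arrives about 84 seconds late and the email event about 5.5 minutes late, but the AlertInfo record arrives 37 minutes after its Timestamp, so a scheduled search with earliest=-15m on _time never sees it while the same window on _indextime does.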

Data Models

Data Model Compatibility:

| Product | Dataset | Category | Status | Special Instructions |
| --- | --- | --- | --- | --- |
| MS Defender for Endpoint | Endpoint.Ports | AdvancedHunting-DeviceNetworkEvents | Completed | |
| MS Defender for Endpoint | Endpoint.Processes | AdvancedHunting-DeviceProcessEvents | Completed | |
| MS Defender for Endpoint | Endpoint.Services | N/A | | |
| MS Defender for Endpoint | Endpoint.Filesystem | AdvancedHunting-DeviceFileEvents | Completed | |
| MS Defender for Endpoint | Endpoint.Registry | AdvancedHunting-DeviceRegistryEvents | Completed | |
| MS Defender for Endpoint | Alerts | AdvancedHunting-DeviceAlertEvents, AdvancedHunting-AlertInfo, AdvancedHunting-AlertEvidence | Completed | |
| MS Defender for Endpoint | Email | AdvancedHunting-EmailEvents, AdvancedHunting-EmailAttachmentInfo | Completed | Enable saved search "Summary - Defender Advanced Hunting Email Summary" |
| MS Defender for Endpoint | Malware | AdvancedHunting-AlertInfo, AdvancedHunting-AlertEvidence | Completed | Enable saved search "Summary - Defender Advanced Hunting Malware Summary" |
| MS Defender for Endpoint | Authentication | AdvancedHunting-IdentityLogonEvents, AdvancedHunting-DeviceLogonEvents | Under Consideration | |
| MS Defender for Endpoint | Change | AdvancedHunting-IdentityDirectoryEvents | Under Consideration | |

Schema reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide

Data Samples

So what does this data look like once it is ingested into Splunk? Prettified, of course. Note the common envelope (time, tenantId, operationName, category) around a per-category properties object, and that some properties (AttackTechniques, AdditionalFields) are JSON serialized inside a string:

{
  "time": "2021-04-14T18:50:42.1532345Z",
  "tenantId": "4a653e38-cdfe-1337-beef-abcdefabcdef",
  "operationName": "Publish",
  "category": "AdvancedHunting-DeviceProcessEvents",
  "properties": {
    "ProcessVersionInfoCompanyName": "Microsoft Corporation",
    "ProcessVersionInfoProductName": "Microsoft® Windows® Operating System",
    "ProcessVersionInfoProductVersion": "10.0.18362.1",
    "ProcessVersionInfoInternalFileName": "whoami.exe",
    "ProcessVersionInfoOriginalFileName": "whoami.exe",
    "ProcessVersionInfoFileDescription": "whoami - displays logged on user information",
    "ProcessIntegrityLevel": "System",
    "AccountSid": "S-1-5-18",
    "LogonId": 999,
    "AccountName": "system",
    "AccountDomain": "nt authority",
    "AccountUpn": null,
    "AccountObjectId": null,
    "ProcessTokenElevation": "TokenElevationTypeDefault",
    "ProcessCreationTime": "2021-04-14T18:49:17.528333Z",
    "ProcessId": 40288,
    "FileName": "whoami.exe",
    "ProcessCommandLine": "\"whoami.exe\" /user",
    "FolderPath": "C:\\Windows\\System32\\whoami.exe",
    "FileSize": 71168,
    "MD5": "2eeeec89e705f73ffbcae014e1828788",
    "SHA256": "a8a4c4719113b071bb50d67f6e12c188b92c70eeafdfcd6f5da69b6aaa99a7fd",
    "SHA1": "8f1f9e265911956c7f8f3861c34def9b8fa63813",
    "AdditionalFields": null,
    "InitiatingProcessVersionInfoCompanyName": "Microsoft Corporation",
    "InitiatingProcessVersionInfoProductName": "Microsoft® Windows® Operating System",
    "InitiatingProcessVersionInfoProductVersion": "10.0.18362.1",
    "InitiatingProcessVersionInfoInternalFileName": "POWERSHELL",
    "InitiatingProcessVersionInfoOriginalFileName": "PowerShell.EXE",
    "InitiatingProcessVersionInfoFileDescription": "Windows PowerShell",
    "InitiatingProcessSignatureStatus": "Valid",
    "InitiatingProcessSignerType": "OsVendor",
    "InitiatingProcessFolderPath": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
    "InitiatingProcessFileSize": 451584,
    "InitiatingProcessMD5": "cda48fc75952ad12d99e526d0b6bf70a",
    "InitiatingProcessSHA256": "908b64b1971a979c7e3e8ce4621945cba84854cb98d76367b791a6e22b5f6d53",
    "InitiatingProcessSHA1": "36c5d12033b2eaf251bae61c00690ffb17fddc87",
    "InitiatingProcessLogonId": 999,
    "InitiatingProcessAccountSid": "S-1-5-18",
    "InitiatingProcessAccountDomain": "nt authority",
    "InitiatingProcessAccountName": "system",
    "InitiatingProcessAccountUpn": null,
    "InitiatingProcessAccountObjectId": null,
    "InitiatingProcessCreationTime": "2021-04-14T18:49:15.9040226Z",
    "InitiatingProcessId": 39240,
    "InitiatingProcessFileName": "powershell.exe",
    "InitiatingProcessCommandLine": "\"powershell.exe\" -executionPolicy bypass -file  \"C:\\Program Files (x86)\\Microsoft Intune Management Extension\\Content\\DetectionScripts\\7bdb56a9-0db0-4fd3-a373-4a50613270bc_1.ps1\" ",
    "InitiatingProcessParentCreationTime": "2021-04-14T18:49:15.6500648Z",
    "InitiatingProcessParentId": 42028,
    "InitiatingProcessParentFileName": "AgentExecutor.exe",
    "InitiatingProcessIntegrityLevel": "System",
    "InitiatingProcessTokenElevation": "TokenElevationTypeDefault",
    "DeviceId": "df5b716f594eb30d61bf2b73998fea62a9b448e3",
    "AppGuardContainerId": "",
    "MachineGroup": null,
    "Timestamp": "2021-04-14T18:49:17.7849324Z",
    "DeviceName": "bobslaptop.example.com",
    "ReportId": 30779,
    "ActionType": "ProcessCreated"
  }
}
{
  "Tenant": "DefaultTenant",
  "category": "AdvancedHunting-EmailEvents",
  "operationName": "Publish",
  "properties": {
    "AttachmentCount": 0,
    "ConfidenceLevel": {"Phish":"Normal","Spam":"Moderate"},
    "Connectors": null,
    "DeliveryAction": "Junked",
    "DeliveryLocation": "Junk folder",
    "DetectionMethods": {"Phish":["Spoof external domain"],"Spam":["Advanced filter"]},
    "EmailAction": "Move to junk mail folder",
    "EmailActionPolicy": "Anti-phishing spoof",
    "EmailActionPolicyGuid": "3c810b43-bc2c-4e2a-8a8f-113b5ba6a790",
    "EmailClusterId": 2887796428,
    "EmailDirection": "Inbound",
    "EmailLanguage": "en",
    "InternetMessageId": "<1624300224965.52303495.145763391.18243936023@abcsend.com>",
    "NetworkMessageId": "1ecd7b63-c817-437f-a571-2615776a3eb9",
    "OrgLevelAction": null,
    "OrgLevelPolicy": null,
    "RecipientEmailAddress": "charlie.brown@splunk.com",
    "RecipientObjectId": "0075753e-5633-4063-9ccd-00631a7b8073",
    "ReportId": "1ecd7b63-c817-437f-a571-2615776a3eb9-14781866014961308009-1",
    "SenderDisplayName": "Charles Schultz",
    "SenderFromAddress": "snoopy@peanuts.org",
    "SenderFromDomain": "peanuts.org",
    "SenderIPv4": "142.21.91.241",
    "SenderIPv6": null,
    "SenderMailFromAddress": "bounce@peanuts.org",
    "SenderMailFromDomain": "peanuts.org",
    "SenderObjectId": null,
    "Subject": "Need dogfood ASAP? click here!",
    "ThreatNames": null,
    "ThreatTypes": "Phish, Spam",
    "Timestamp": "2021-06-21T18:34:06Z",
    "UrlCount": 10,
    "UserLevelAction": null,
    "UserLevelPolicy": null
  },
  "tenantId": "fd794b87-38b3-41bf-8055-1a790cf2efd4",
  "time": "2021-06-21T18:39:44.2979096Z"
}
{
  "time": "2021-09-12T17:13:58.0041354Z",
  "tenantId": "2f6f2e73-daa8-4198-8b75-748a977c6016",
  "operationName": "Publish",
  "category": "AdvancedHunting-AlertInfo",
  "properties": {
    "AlertId": "da637670636373905367_-2042055267",
    "Timestamp": "2021-09-12T16:36:48.7090029Z",
    "Title": "Suspicious process injection observed",
    "ServiceSource": "Microsoft Defender for Endpoint",
    "Category": "DefenseEvasion",
    "Severity": "Medium",
    "DetectionSource": "EDR",
    "MachineGroup": null,
    "AttackTechniques": "[\"Process Injection (T1055)\",\"Portable Executable Injection (T1055.002)\"]"
  }
}
{
  "time": "2021-09-12T17:13:58.5882514Z",
  "tenantId": "2f6f2e73-daa8-4198-8b75-748a977c6016",
  "operationName": "Publish",
  "category": "AdvancedHunting-AlertEvidence",
  "properties": {
    "AlertId": "da637670636373905367_-2042055267",
    "ServiceSource": "Microsoft Defender for Endpoint",
    "Timestamp": "2021-09-12T16:36:48.7090029Z",
    "EntityType": "Machine",
    "EvidenceRole": "Impacted",
    "SHA1": null,
    "SHA256": null,
    "ThreatFamily": null,
    "RemoteIP": null,
    "LocalIP": null,
    "RemoteUrl": null,
    "AdditionalFields": "{\"$id\":\"1\",\"HostName\":\"win-dspitz\",\"IsDomainJoined\":false,\"Type\":\"host\",\"MachineId\":\"a119946e5cbc8a4c5bde193bb12347c62a6dd3e8\",\"MachineIdType\":3,\"IsIoc\":false}",
    "AccountName": null,
    "AccountDomain": null,
    "AccountSid": null,
    "AccountObjectId": null,
    "DeviceId": "a119946e5cbc8a4c5bde193bb12347c62a6dd3e8",
    "DeviceName": "win-dspitz",
    "NetworkMessageId": null,
    "EvidenceDirection": null,
    "MachineGroup": null,
    "FileName": null,
    "FolderPath": null,
    "ProcessCommandLine": null,
    "EmailSubject": null,
    "ApplicationId": null,
    "Application": null,
    "FileSize": null,
    "RegistryKey": null,
    "RegistryValueName": null,
    "RegistryValueData": null,
    "AccountUpn": null,
    "OAuthApplicationId": null
  }
}

Summary for Malware DM

{
  "action": "unknown",
  "category": "credential theft malware",
  "dest": "win-dspitz",
  "file_hash": "15c8ecf4e91a523333193e95f7a5b9729ea6142c",
  "file_name": "mimikatz-1.bat",
  "file_path": "C:\\temp\\APTSimulator-master\\APTSimulator-master\\test-sets\\credential-access",
  "id": "da637674644562536345_-97009046",
  "severity": "low",
  "signature": "Populf",
  "time": 1631867656.623709,
  "vendor_product": "Microsoft Defender for Endpoint"
}
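The raw samples and the two summaries above show the transformation the add-on performs: envelope records are routed by category, DeviceProcessEvents properties become Endpoint.Processes fields, and the Malware summary is built by joining AlertInfo with its AlertEvidence rows on AlertId. The following Python is an added example written for this page, not the add-on's props.conf or its saved search, and the choice of which property feeds which CIM field is an illustrative assumption. It also decodes the properties that carry JSON inside a string (AttackTechniques, AdditionalFields), which need a second parse before their contents are searchable. The "File" evidence row and its hash are constructed, since the page's evidence sample is a Machine row.

```python
"""Added example (not the add-on's own code): decode Event Hub envelope records,
map a DeviceProcessEvents record onto CIM Endpoint.Processes field names, decode
the fields that carry JSON inside a string, and join AlertInfo with AlertEvidence
on AlertId into a Malware-summary-style record shaped like the one above.
The field mapping is an illustrative assumption, not the add-on's props.conf."""
import json

VENDOR_PRODUCT = "Microsoft Defender for Endpoint"

# Constructed, abbreviated copies of this page's samples; the "File" evidence
# row and its SHA1 are made up (the page's evidence sample is a Machine row).
RAW_RECORDS = [json.dumps(r) for r in (
    {"time": "2021-04-14T18:50:42.1532345Z", "category": "AdvancedHunting-DeviceProcessEvents",
     "properties": {"Timestamp": "2021-04-14T18:49:17.7849324Z", "DeviceName": "bobslaptop.example.com",
                    "AccountName": "system", "AccountDomain": "nt authority", "ProcessId": 40288,
                    "FileName": "whoami.exe", "FolderPath": "C:\\Windows\\System32\\whoami.exe",
                    "ProcessCommandLine": "\"whoami.exe\" /user",
                    "SHA256": "a8a4c4719113b071bb50d67f6e12c188b92c70eeafdfcd6f5da69b6aaa99a7fd",
                    "InitiatingProcessId": 39240, "InitiatingProcessFileName": "powershell.exe",
                    "InitiatingProcessCommandLine": "\"powershell.exe\" -executionPolicy bypass -file \"C:\\detect.ps1\""}},
    {"time": "2021-09-12T17:13:58.0041354Z", "category": "AdvancedHunting-AlertInfo",
     "properties": {"AlertId": "da637670636373905367_-2042055267", "Timestamp": "2021-09-12T16:36:48.7090029Z",
                    "Title": "Suspicious process injection observed", "ServiceSource": VENDOR_PRODUCT,
                    "Category": "DefenseEvasion", "Severity": "Medium",
                    "AttackTechniques": "[\"Process Injection (T1055)\",\"Portable Executable Injection (T1055.002)\"]"}},
    {"time": "2021-09-12T17:13:58.5882514Z", "category": "AdvancedHunting-AlertEvidence",
     "properties": {"AlertId": "da637670636373905367_-2042055267", "EntityType": "Machine",
                    "DeviceName": "win-dspitz", "ThreatFamily": None,
                    "AdditionalFields": "{\"HostName\":\"win-dspitz\",\"IsDomainJoined\":false,\"Type\":\"host\"}"}},
    {"time": "2021-09-12T17:13:59.0000000Z", "category": "AdvancedHunting-AlertEvidence",
     "properties": {"AlertId": "da637670636373905367_-2042055267", "EntityType": "File",
                    "DeviceName": "win-dspitz", "FileName": "inject.exe", "FolderPath": "C:\\temp",
                    "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "ThreatFamily": None}},
)]


def decode(raw: str) -> dict:
    """Parse one envelope record. Properties that hold JSON *inside a string*
    need a second json.loads, which is easy to miss when writing extractions."""
    rec = json.loads(raw)
    props = dict(rec["properties"])
    for key in ("AttackTechniques", "AdditionalFields"):
        if isinstance(props.get(key), str):
            props[key] = json.loads(props[key])
    return {"category": rec["category"], "time": rec["time"], "props": props}


def to_cim_process(p: dict) -> dict:
    """DeviceProcessEvents -> Endpoint.Processes field names (illustrative)."""
    return {"_time": p["Timestamp"], "dest": p["DeviceName"], "user": p["AccountName"],
            "user_domain": p.get("AccountDomain"), "process_name": p["FileName"],
            "process_path": p["FolderPath"], "process": p["ProcessCommandLine"],
            "process_id": p["ProcessId"], "process_hash": p.get("SHA256"),
            "parent_process_name": p["InitiatingProcessFileName"],
            "parent_process": p["InitiatingProcessCommandLine"],
            "parent_process_id": p["InitiatingProcessId"], "vendor_product": VENDOR_PRODUCT}


def malware_records(decoded: list) -> list:
    """Join each AlertInfo with its AlertEvidence rows (same AlertId) and emit one
    Malware-style record per alert; which row feeds which field is an assumption."""
    evidence = {}
    for rec in decoded:
        if rec["category"] == "AdvancedHunting-AlertEvidence":
            evidence.setdefault(rec["props"]["AlertId"], []).append(rec["props"])
    out = []
    for rec in decoded:
        if rec["category"] != "AdvancedHunting-AlertInfo":
            continue
        info, rows = rec["props"], evidence.get(rec["props"]["AlertId"], [])
        files = [r for r in rows if r.get("EntityType") == "File"]
        hosts = [r for r in rows if r.get("EntityType") == "Machine"]
        family = next((r["ThreatFamily"] for r in rows if r.get("ThreatFamily")), None)
        out.append({"id": info["AlertId"], "time": info["Timestamp"], "category": info["Category"],
                    "severity": info["Severity"].lower(),
                    "signature": family or info["Title"],  # fall back to the alert title
                    "dest": (hosts or files or [{}])[0].get("DeviceName"),
                    "file_name": [f["FileName"] for f in files],
                    "file_hash": [f["SHA1"] for f in files if f.get("SHA1")],
                    "file_path": [f["FolderPath"] for f in files],
                    "attack_techniques": info.get("AttackTechniques", []),
                    "vendor_product": info["ServiceSource"]})
    return out


def process_records(raw_records: list) -> dict:
    """Route decoded records to the datamodel each one feeds."""
    decoded = [decode(r) for r in raw_records]
    return {"processes": [to_cim_process(r["props"]) for r in decoded
                          if r["category"] == "AdvancedHunting-DeviceProcessEvents"],
            "malware": malware_records(decoded)}


if __name__ == "__main__":
    print(json.dumps(process_records(RAW_RECORDS), indent=2))
```

The join is keyed on AlertId because AlertInfo carries the alert's title, category and severity while the file, host and account details live only in the AlertEvidence rows, which arrive as separate envelope records; a Malware record that skips the join has no file_name or file_hash to search on.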

Summary for Email DM

{
  "action": "delivered",
  "file_hash": [
    "2e485c7828aa33c8d80539b0d7f0a694a29de6127f5545d467d06310531ce599",
    "e094271bec517651dced23a19f150a1ec9be817f349278c7b9148ced53b20edd"
  ],
  "file_name": [
    "2022-01-01 11.00.10.jpg",
    "DSP-1.2.2-patch01-Admin-Upgrade.pdf"
  ],
  "file_size": [
    186002,
    4025543
  ],
  "filter_action": "null",
  "internal_message_id": "4feeacb0-f1c4-4769-69df-08d9d0f76bb4",
  "message_id": "<CAD9ghe884qGEKNZ7QxuRCiADbNtpP4FN-KiCnc6Jzo2WusGsEA@mail.gmail.com>",
  "message_info": "null",
  "recipient": [
    "denver@spitz.life"
  ],
  "recipient_count": 1,
  "recipient_domain": [
    "spitz.life"
  ],
  "signature": "No action taken",
  "signature_extra": "null",
  "signature_id": "null",
  "src": "216.71.154.95",
  "src_user": "mbjerkeland@splunk.com",
  "src_user_domain": "splunk.com",
  "subject": "Fwd: Greetings from Norway",
  "time": 1641461542
}

Support

This add-on is provided without official support, but is supported on a best-effort basis by the community.
Contributions and pull requests are more than welcome.
Git repository: https://github.com/splunk/TA-microsoft-365-defender-advanced-hunting-add-on

Contact

Authored by Mikael Bjerkeland (mbjerkeland@splunk.com).

Contributors

  • Mikael Bjerkeland (Splunk)
  • Thomas Hillesøy (Sens Consulting)
  • Denver Spitz (Splunk)

Copyright

Copyright 2021 Splunk Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Release Notes

Version 1.3.1
Jan. 19, 2022
  • Fixed Timestamping issue (we now use the Timestamp from the body, not the envelope timestamp)
  • The app is now ONLY compatible with the Splunk Add-on for Microsoft Cloud Services version 4.3.3 and above (removed need for SEDCMD). DO NOT use this Add-on to ingest NEW data with versions of Splunk Add-on for Microsoft Cloud Services below 4.3.3
  • Backwards compatibility with previously ingested data with versions prior to Splunk Add-on for Microsoft Cloud Services version 4.3.3
  • Deprecated support for Microsoft Azure Add-on for Splunk, but backwards compatibility is retained.
Version 1.3.0
Jan. 5, 2022
  • The app is now ONLY compatible with the Splunk Add-on for Microsoft Cloud Services version 4.3.3 and above (removed need for SEDCMD). DO NOT use this Add-on to ingest NEW data with versions of Splunk Add-on for Microsoft Cloud Services below 4.3.3
  • Backwards compatibility with previously ingested data with versions prior to Splunk Add-on for Microsoft Cloud Services version 4.3.3
  • Deprecated support for Microsoft Azure Add-on for Splunk, but backwards compatibility is retained.
Version 1.2.2
Oct. 27, 2021
  • Fixed incorrect src field
  • Fix hard coded sourcetype definition
  • Make the whitespace optional in SEDCMD
  • Changed schema naming of AlertInfo table
  • Fixed savedsearch
Version 1.2.1
Sept. 20, 2021
  • Support for the Malware data model using a saved search.
  • Various bug fixes
  • Due to the use of the tojson command, only Splunk 8.2+ is supported.
  • SEDCMD added to the mscs:azure:eventhub:defender:advancedhunting sourcetype to strip outer JSON nodes.
Version 1.2.0
Sept. 20, 2021
  • Support for the Malware data model using a saved search.
  • Various bug fixes
  • Due to the use of the tojson command, only Splunk 8.2+ is supported.
  • SEDCMD added to the mscs:azure:eventhub:defender:advancedhunting sourcetype to strip outer JSON nodes.
Version 1.1.6
June 23, 2021
  • Splunk Cloud compatibility
Version 1.1.5
June 23, 2021
  • Support Email datamodel
Version 1.1.4
June 16, 2021
Version 1.1.1
April 29, 2021

Introduction
This add-on provides field extractions and CIM compatibility for the Endpoint datamodel for Microsoft 365 Defender Advanced Hunting data.
The data is similar in content to Sysmon data and can be used by detection searches such as those in the Splunk Enterprise Security Content Update.

Future versions may include support for Microsoft Defender for Office 365, Microsoft Defender for Identity and other products in the Microsoft 365 suite.

How is this different from other Microsoft Defender Add-ons for Splunk?
The differences between Microsoft 365 Defender Add-on for Splunk and this TA are:
  • The above uses the REST API to get data, and the REST API is rate limited, whereas this TA uses Event Hub
  • The above only gives you Alerts and Incidents, not the raw logs
  • The above maps to the Alerts CIM data model, not the Endpoint CIM data model
The differences between TA for Defender ATP hunting API and this TA are:
  • The above uses the REST API to pull similar data at intervals, and the REST API is rate limited
  • The above is not CIM compliant

