The Splunk Add-on for Microsoft Security collects incidents and alerts from Microsoft 365 Defender, or alerts from Microsoft Defender for Endpoint.
Customers currently using the Microsoft 365 Defender Add-on for Splunk are strongly recommended to migrate to this new Splunk-supported add-on after reading the migration section of the documentation: https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Migrate
Customers migrating from the Microsoft 365 Defender Add-on for Splunk who would like to continue using the dashboards it includes should install the Microsoft 365 App for Splunk, as that functionality has been moved there:
https://splunkbase.splunk.com/app/3786/
Microsoft 365 Defender Incidents
* Incident (impossible travel, activity from Tor IP, suspicious inbox forwarding, successful logon using potentially stolen credentials, etc.)
* Assignee
* Classification
* Severity
* Status
* Alerts associated with the Incident
Microsoft Defender for Endpoint Alerts
* Categories (Malware, Initial Access, Execution, etc.)
* Detection source
* Evidence
* Computer name
* Related user
* Severity
* Status