4.6 KiB
title, description, keywords, search.product, search.appverid, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, ms.author, author, ms.localizationpriority, manager, audience, ms.collection, ms.topic
| title | description | keywords | search.product | search.appverid | ms.prod | ms.mktglfcycl | ms.sitesec | ms.pagetype | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.topic |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Configure Splunk to pull Microsoft Defender ATP detections | Configure Splunk to receive and pull detections from Microsoft Defender Security Center. | configure splunk, security information and events management tools, splunk | eADQiWindows 10XVcnh | met150 | w10 | deploy | library | security | macapara | mjcaparas | medium | dansimp | ITPro | M365-security-compliance | article |
Configure Splunk to pull Microsoft Defender ATP detections
Applies to:
Want to experience Microsoft Defender ATP? Sign up for a free trial.
You'll need to configure Splunk so that it can pull Microsoft Defender ATP detections.
Note
- Microsoft Defender ATP Alert is composed from one or more detections
- Microsoft Defender ATP Detection is composed from the suspicious event occurred on the Machine and its related Alert details.
Before you begin
-
Install the open source Windows Defender ATP Modular Inputs TA in Splunk.
-
Make sure you have enabled the SIEM integration feature from the Settings menu. For more information, see Enable SIEM integration in Microsoft Defender ATP
-
Have the details file you saved from enabling the SIEM integration feature ready. You'll need to get the following values:
- Tenant ID
- Client ID
- Client Secret
- Resource URL
Configure Splunk
-
Login in to Splunk.
-
Go to Settings > Data inputs.
-
Select Windows Defender ATP alerts under Local inputs.
NOTE: This input will only appear after you install the Windows Defender ATP Modular Inputs TA.
-
Click New.
-
Type the following values in the required fields, then click Save:
NOTE: All other values in the form are optional and can be left blank.
Field Value Name Name for the Data Input Login URL URL to authenticate the azure app (Default : https://login.microsoftonline.com) Endpoint Depending on the location of your datacenter, select any of the following URL:
For EU:https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts
For US:https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts
For UK:https://wdatp-alertexporter-uk.securitycenter.windows.com/api/alertsTenant ID Azure Tenant ID Resource Value from the SIEM integration feature page Client ID Value from the SIEM integration feature page Client Secret Value from the SIEM integration feature page
After completing these configuration steps, you can go to the Splunk dashboard and run queries.
View detections using Splunk solution explorer
Use the solution explorer to view detections in Splunk.
-
In Splunk, go to Settings > Searchers, reports, and alerts.
-
Select New.
-
Enter the following details:
-
Search: Enter a query, for example:
sourcetype="wdatp:alerts" |spath|table* -
App: Add-on for Windows Defender (TA_Windows-defender)
Other values are optional and can be left with the default values.
-
-
Click Save. The query is saved in the list of searches.
-
Find the query you saved in the list and click Run. The results are displayed based on your query.
Tip
To minimize Detection duplications, you can use the following query:
source="rest://wdatp:alerts" | spath | dedup _raw | table *