5.6 KiB
title, description, keywords, search.product, search.appverid, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, ms.author, author, ms.localizationpriority, manager, audience, ms.collection, ms.topic
| title | description | keywords | search.product | search.appverid | ms.prod | ms.mktglfcycl | ms.sitesec | ms.pagetype | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.topic |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Configure Splunk to pull Microsoft Defender ATP detections | Configure Splunk to receive and pull detections from Microsoft Defender Security Center. | configure splunk, security information and events management tools, splunk | eADQiWindows 10XVcnh | met150 | w10 | deploy | library | security | macapara | mjcaparas | medium | dansimp | ITPro | M365-security-compliance | article |
Configure Splunk to pull Microsoft Defender ATP detections
Applies to:
Want to experience Microsoft Defender ATP? Sign up for a free trial.
You'll need to configure Splunk so that it can pull Microsoft Defender ATP detections.
Note
- Microsoft Defender ATP Alert is composed from one or more detections
- Microsoft Defender ATP Detection is composed from the suspicious event occurred on the Machine and its related Alert details.
Before you begin
-
Install the open source Windows Defender ATP Modular Inputs TA in Splunk.
-
Make sure you have enabled the SIEM integration feature from the Settings menu. For more information, see Enable SIEM integration in Microsoft Defender ATP
-
Have the details file you saved from enabling the SIEM integration feature ready. You'll need to get the following values:
- OAuth 2 Token refresh URL
- OAuth 2 Client ID
- OAuth 2 Client secret
-
Have the refresh token that you generated from the SIEM integration feature ready.
Configure Splunk
-
Login in to Splunk.
-
Click Search & Reporting, then Settings > Data inputs.
-
Click REST under Local inputs.
NOTE: This input will only appear after you install the Windows Defender ATP Modular Inputs TA.
-
Click New.
-
Type the following values in the required fields, then click Save:
NOTE: All other values in the form are optional and can be left blank.
Field Value Endpoint URL Depending on the location of your datacenter, select any of the following URL:
For EU:https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts
For US:https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts
For UK:https://wdatp-alertexporter-uk.securitycenter.windows.com/api/alertsHTTP Method GET Authentication Type oauth2 OAuth 2 Access token Use the value that you generated when you enabled the SIEM integration feature.
NOTE: The access token expires after an hour.OAuth 2 Refresh Token Use the value that you generated when you enabled the SIEM integration feature. OAuth 2 Token Refresh URL Use the value from the details file you saved when you enabled the SIEM integration feature. OAuth 2 Client ID Use the value from the details file you saved when you enabled the SIEM integration feature. OAuth 2 Client Secret Use the value from the details file you saved when you enabled the SIEM integration feature. Response type Json Response Handler JSONArrayHandler Polling Interval Number of seconds that Splunk will ping the Microsoft Defender ATP machine. Accepted values are in seconds. Set sourcetype Manual Source type _json
After completing these configuration steps, you can go to the Splunk dashboard and run queries.
View detections using Splunk solution explorer
Use the solution explorer to view detections in Splunk.
-
In Splunk, go to Settings > Searchers, reports, and alerts.
-
Select New.
-
Enter the following details:
-
Destination app: Select Search & Reporting (search)
-
Search name: Enter a name for the query
-
Search: Enter a query, for example:
source="rest://windows atp alerts"|spath|table*Other values are optional and can be left with the default values.
-
-
Click Save. The query is saved in the list of searches.
-
Find the query you saved in the list and click Run. The results are displayed based on your query.
Tip
To mininimize Detection duplications, you can use the following query:
source="rest://windows atp alerts" | spath | dedup _raw | table *