deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-24 06:43:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
Files
6573df90b3670dbbcf00f2fd5b49c5ce870971fe
windows-itpro-docs/windows/security/threat-protection/microsoft-defender-atp/configure-splunk.md
Dani Halfin 9577bd5fa2 resolving conflict
2019-09-03 15:17:59 -07:00

157 lines
5.6 KiB
Markdown
Raw Blame History

---
title: Configure Splunk to pull Microsoft Defender ATP detections
description: Configure Splunk to receive and pull detections from Microsoft Defender Security Center.
keywords: configure splunk, security information and events management tools, splunk
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Configure Splunk to pull Microsoft Defender ATP detections
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresplunk-abovefoldlink)
You'll need to configure Splunk so that it can pull Microsoft Defender ATP detections.
>[!Note]
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
## Before you begin
- Install the open source [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/) in Splunk.
- Make sure you have enabled the **SIEM integration** feature from the **Settings** menu. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
- Have the details file you saved from enabling the **SIEM integration** feature ready. You'll need to get the following values:
- OAuth 2 Token refresh URL
- OAuth 2 Client ID
- OAuth 2 Client secret
- Have the refresh token that you generated from the SIEM integration feature ready.
## Configure Splunk
1. Login in to Splunk.
2. Click **Search & Reporting**, then **Settings** > **Data inputs**.
3. Click **REST** under **Local inputs**.
NOTE:
This input will only appear after you install the [Windows Defender ATP Modular Inputs TA](https://splunkbase.splunk.com/app/4128/).
4. Click **New**.
5. Type the following values in the required fields, then click **Save**:
NOTE:
All other values in the form are optional and can be left blank.
<table>
<tbody style="vertical-align:top;">
<tr>
<th>Field</th>
<th>Value</th>
</tr>
<tr>
<td>Endpoint URL</td>
<td>Depending on the location of your datacenter, select any of the following URL: </br></br> <strong>For EU</strong>: <code>https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts</code><br></br><strong>For US:</strong><code>https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts</code> <br><br> <strong>For UK:</strong><code>https://wdatp-alertexporter-uk.securitycenter.windows.com/api/alerts</code>
</tr>
<tr>
<td>HTTP Method</td>
<td>GET</td>
</tr>
<td>Authentication Type</td>
<td>oauth2</td>
<tr>
<td>OAuth 2 Access token</td>
<td>Use the value that you generated when you enabled the SIEM integration feature. </br></br> NOTE: The access token expires after an hour. </td>
</tr>
<tr>
<td>OAuth 2 Refresh Token</td>
<td>Use the value that you generated when you enabled the <strong>SIEM integration</strong> feature.</td>
</tr>
<tr>
<td>OAuth 2 Token Refresh URL</td>
<td>Use the value from the details file you saved when you enabled the <strong>SIEM integration</strong> feature.</td>
</tr>
<tr>
<td>OAuth 2 Client ID</td>
<td>Use the value from the details file you saved when you enabled the <strong>SIEM integration</strong> feature.</td>
</tr>
<tr>
<td>OAuth 2 Client Secret</td>
<td>Use the value from the details file you saved when you enabled the <strong>SIEM integration</strong> feature.</td>
</tr>
<tr>
<td>Response type</td>
<td>Json</td>
</tr>
<tr>
<td>Response Handler</td>
<td>JSONArrayHandler</td>
</tr>
<tr>
<td>Polling Interval</td>
<td>Number of seconds that Splunk will ping the Microsoft Defender ATP machine. Accepted values are in seconds.</td>
</tr>
<tr>
<td>Set sourcetype</td>
<td>Manual</td>
</tr>
<tr>
<td>Source type</td>
<td>_json</td>
</tr>
</tr>
</table>
After completing these configuration steps, you can go to the Splunk dashboard and run queries.
## View detections using Splunk solution explorer
Use the solution explorer to view detections in Splunk.
1. In Splunk, go to **Settings** > **Searchers, reports, and alerts**.
2. Select **New**.
3. Enter the following details:
- Destination app: Select Search & Reporting (search)
- Search name: Enter a name for the query
- Search: Enter a query, for example:</br>
`source="rest://windows atp alerts"|spath|table*`
Other values are optional and can be left with the default values.
4. Click **Save**. The query is saved in the list of searches.
5. Find the query you saved in the list and click **Run**. The results are displayed based on your query.
>[!TIP]
> To mininimize Detection duplications, you can use the following query:
>```source="rest://windows atp alerts" | spath | dedup _raw | table *```
## Related topics
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md)
- [Microsoft Defender ATP Detection fields](api-portal-mapping.md)
- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md)
- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
Reference in New Issue View Git Blame Copy Permalink