5.3 KiB
title, description, keywords, search.product, search.appverid, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, ms.author, author, ms.localizationpriority, manager, audience, ms.collection, ms.topic, ms.date
| title | description | keywords | search.product | search.appverid | ms.prod | ms.mktglfcycl | ms.sitesec | ms.pagetype | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.topic | ms.date |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Configure Splunk to pull Microsoft Defender ATP alerts | Configure Splunk to receive and pull alerts from Microsoft Defender Security Center. | configure splunk, security information and events management tools, splunk | eADQiWindows 10XVcnh | met150 | w10 | deploy | library | security | macapara | mjcaparas | medium | dansimp | ITPro | M365-security-compliance | article | 10/16/2017 |
Configure Splunk to pull Microsoft Defender ATP alerts
Applies to:
Want to experience Microsoft Defender ATP? Sign up for a free trial.
You'll need to configure Splunk so that it can pull Microsoft Defender ATP alerts.
Before you begin
-
Install the REST API Modular Input app in Splunk.
-
Make sure you have enabled the SIEM integration feature from the Settings menu. For more information, see Enable SIEM integration in Microsoft Defender ATP
-
Have the details file you saved from enabling the SIEM integration feature ready. You'll need to get the following values:
- OAuth 2 Token refresh URL
- OAuth 2 Client ID
- OAuth 2 Client secret
-
Have the refresh token that you generated from the SIEM integration feature ready.
Configure Splunk
-
Login in to Splunk.
-
Click Search & Reporting, then Settings > Data inputs.
-
Click REST under Local inputs.
NOTE: This input will only appear after you install the REST API Modular Input app.
-
Click New.
-
Type the following values in the required fields, then click Save:
NOTE: All other values in the form are optional and can be left blank.
Field Value Endpoint URL Depending on the location of your datacenter, select any of the following URL:
For EU:https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts
For US:https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts
For UK:https://wdatp-alertexporter-uk.securitycenter.windows.com/api/alertsHTTP Method GET Authentication Type oauth2 OAuth 2 Access token Use the value that you generated when you enabled the SIEM integration feature.
NOTE: The access token expires after an hour.OAuth 2 Refresh Token Use the value that you generated when you enabled the SIEM integration feature. OAuth 2 Token Refresh URL Use the value from the details file you saved when you enabled the SIEM integration feature. OAuth 2 Client ID Use the value from the details file you saved when you enabled the SIEM integration feature. OAuth 2 Client Secret Use the value from the details file you saved when you enabled the SIEM integration feature. Response type Json Response Handler JSONArrayHandler Polling Interval Number of seconds that Splunk will ping the Microsoft Defender ATP machine. Accepted values are in seconds. Set sourcetype Manual Source type _json
After completing these configuration steps, you can go to the Splunk dashboard and run queries.
View alerts using Splunk solution explorer
Use the solution explorer to view alerts in Splunk.
-
In Splunk, go to Settings > Searchers, reports, and alerts.
-
Select New.
-
Enter the following details:
-
Destination app: Select Search & Reporting (search)
-
Search name: Enter a name for the query
-
Search: Enter a query, for example:
source="rest://windows atp alerts"|spath|table*Other values are optional and can be left with the default values.
-
-
Click Save. The query is saved in the list of searches.
-
Find the query you saved in the list and click Run. The results are displayed based on your query.
Tip
To mininimize alert duplications, you can use the following query:
source="rest://windows atp alerts" | spath | dedup _raw | table *