Configure Alert Actions to collect data for the Splunk Add-on for Microsoft Security
You can configure an alert action for Advanced Hunting and Update Incidents in the Splunk Add-on for Microsoft Security to collect data into Splunk on demand, when a search fires, rather than on a schedule through the add-on's inputs.
- Navigate to Add-on UI > Settings > Searches, Reports and Alerts.
- Click New Alert.
- Click Create Alert and provide the appropriate information.
- Select a value from the Add Action dropdown:
  - Defender Advanced Hunting: collects Advanced Hunting events returned by the query you supply.
  - Defender Update Incident: updates incidents and collects the events of the updated incidents.
  - Defender Update Incident via Graph API: updates incidents and collects the events of the updated incidents using the Microsoft Graph API.
- Select the desired action and provide the requested information.
- Click Save.
Note the following:
- Alert Action queries are not supported on Splunk Cloud Platform Classic Experience instances.
- When you create a Defender Advanced Hunting alert action, you must provide the Query (an advanced hunting query in Kusto Query Language).
- You can optionally provide a Tenant ID for the selected Account; it is used to authenticate the API calls the alert action makes.
- In clustered environments, configure the alert action on the instance that collects the data: the Victoria Experience stack or the heavy forwarder (HF).
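The alert actions call Microsoft APIs on your behalf when a search fires. The following added Python example, which is not the add-on's own code, shows what the Defender Advanced Hunting and Defender Update Incident via Graph API actions do at the Microsoft Graph level and why the Tenant ID matters: the client-credentials token request is addressed to that tenant's authority, so a missing or wrong value fails before any Graph call is made. The class and function names, the offline `RecordingTransport`, the sample KQL query and the canned responses are constructed for this example; the Graph endpoints, the token endpoint and the scope are the real ones.

```python
"""
Added example (not the add-on's own code): what the Defender Advanced Hunting and
Defender Update Incident via Graph API alert actions do at the Microsoft Graph level.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
LOGIN = "https://login.microsoftonline.com"


def urllib_transport(method, url, headers, data):
    """Real HTTP transport: returns (status, body bytes). Swapped for a recorder in tests."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class GraphSecurityClient:
    """Minimal client-credentials Graph client (constructed for this example)."""

    def __init__(self, tenant_id, client_id, client_secret, transport=urllib_transport):
        # The Tenant ID is the authority the token request goes to: a wrong or empty tenant
        # yields a token for the wrong directory, or none at all, before any Graph call.
        if not tenant_id or not client_id or not client_secret:
            raise ValueError("tenant_id, client_id and client_secret are all required")
        self.tenant_id, self.client_id, self.client_secret = tenant_id, client_id, client_secret
        self._transport = transport
        self._token = None

    def _get_token(self):
        """OAuth2 client-credentials grant scoped to Graph; cached for the client's lifetime."""
        if self._token is None:
            form = urllib.parse.urlencode({
                "grant_type": "client_credentials",
                "client_id": self.client_id,
                "client_secret": self.client_secret,
                "scope": "https://graph.microsoft.com/.default",
            }).encode()
            status, raw = self._transport(
                "POST", f"{LOGIN}/{self.tenant_id}/oauth2/v2.0/token",
                {"Content-Type": "application/x-www-form-urlencoded"}, form)
            if status != 200:
                raise RuntimeError(f"token request failed: HTTP {status}")
            self._token = json.loads(raw)["access_token"]
        return self._token

    def _graph(self, method, path, body=None):
        headers = {"Authorization": f"Bearer {self._get_token()}", "Accept": "application/json"}
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode()
        status, raw = self._transport(method, GRAPH + path, headers, data)
        if status >= 300:
            raise RuntimeError(f"Graph {method} {path} failed: HTTP {status} {raw[:200]!r}")
        return json.loads(raw) if raw else {}

    def run_hunting_query(self, query):
        """Defender Advanced Hunting action: POST /security/runHuntingQuery with a KQL query.
        Needs the ThreatHunting.Read.All application permission. Returns the result rows."""
        if not isinstance(query, str) or not query.strip():
            raise ValueError("Query is mandatory for the Advanced Hunting action")
        return self._graph("POST", "/security/runHuntingQuery", {"Query": query}).get("results", [])

    def update_incident(self, incident_id, status, classification=None, determination=None):
        """Defender Update Incident via Graph API action: PATCH /security/incidents/{id}.
        Needs SecurityIncident.ReadWrite.All. Only the fields given are sent, so nothing
        else on the incident is overwritten."""
        body = {"status": status}
        if classification is not None:
            body["classification"] = classification
        if determination is not None:
            body["determination"] = determination
        return self._graph("PATCH", f"/security/incidents/{urllib.parse.quote(str(incident_id))}", body)


class RecordingTransport:
    """Constructed offline stand-in for HTTP: records requests, replays canned Graph responses."""

    def __init__(self):
        self.requests = []  # (method, url, headers, decoded body or None)

    def __call__(self, method, url, headers, data):
        self.requests.append((method, url, headers, data.decode() if data else None))
        if url.endswith("/oauth2/v2.0/token"):
            return 200, json.dumps({"access_token": "constructed-token"}).encode()
        if url.endswith("/security/runHuntingQuery"):
            return 200, json.dumps({"schema": [{"name": "DeviceName", "type": "String"}],
                                    "results": [{"DeviceName": "ws01", "FileName": "powershell.exe"}]}).encode()
        if "/security/incidents/" in url:
            return 200, json.dumps({"id": url.rsplit("/", 1)[1], "status": json.loads(data)["status"]}).encode()
        return 404, b""

    def sent_json(self, i):
        """Parsed JSON body of the i-th request (None for the form-encoded token request)."""
        body = self.requests[i][3]
        return json.loads(body) if body and body.startswith("{") else None


if __name__ == "__main__":
    client = GraphSecurityClient("00000000-0000-0000-0000-000000000000", "app-id", "app-secret",
                                 transport=RecordingTransport())
    for row in client.run_hunting_query("DeviceProcessEvents | where FileName == 'powershell.exe' | take 10"):
        print(row)
    print(client.update_incident(42, "resolved", classification="truePositive", determination="malware"))
```

Grant the app registration only the two application permissions the actions need (ThreatHunting.Read.All for hunting, SecurityIncident.ReadWrite.All for incident updates); the `.default` scope then carries exactly those consented permissions into the token.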