Splunk® Supported Add-ons

Splunk Add-on for Microsoft Security

Release notes for the Splunk Add-on for Microsoft Security

About this release

Version 2.2.0 of the Splunk Add-on for Microsoft Security was released on April 24, 2024. It is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 9.0.x, 9.1.0.x
CIM: 5.2.0
Platforms: Windows, Linux-based operating systems
Vendor products: Microsoft 365 Defender, Defender for Endpoint, Azure Event Hubs

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 2.2.0 of the Splunk Add-on for Microsoft Security has the following new features.

  • New modular input to collect simulation data from the Microsoft 365 Defender portal.
  • New modular input to collect Microsoft Defender Advanced Hunting events from an Azure Event Hub, streamed from the Defender portal through the streaming API.

CIM Data Model Changes

There are no changes to the CIM Data Model mappings for existing extractions. The CIM Data Model mappings for the new modular inputs introduced in version 2.2.0 are listed below.

Field Changes

Source type | attackType | Fields added | Fields removed
ms:defender:simulations | social | type, user_name, severity, src, app, dest, user, signature, signature_id | none

Source type | category | Fields added | Fields removed
ms:defender:eventhub | AdvancedHunting-DeviceEvents | parent_process_name, user, parent_process_id, parent_process_path, action, original_file_name, process_exec, process_integrity_level, dest, process_path, vendor_product, process_id, process_hash, process_name, process | none
ms:defender:eventhub | AdvancedHunting-DeviceFileCertificateInfo | ssl_validity_window, src, ssl_issuer_common_name, dest, ssl_serial, ssl_subject_common_name, ssl_subject_organization, ssl_hash, ssl_start_time, ssl_signature_algorithm, ssl_end_time | none
ms:defender:eventhub | AdvancedHunting-DeviceFileEvents | file_name, file_create_time, file_hash, action, file_access_time, file_acl, dest, file_path, file_size, vendor_product, process_id, user | none
ms:defender:eventhub | AdvancedHunting-DeviceImageLoadEvents | file_name, file_hash, action, file_access_time, file_acl, dest, file_size, file_path, vendor_product, process_id, user | none
ms:defender:eventhub | AdvancedHunting-DeviceInfo | family, version, os, dest, vendor_product | none
ms:defender:eventhub | AdvancedHunting-DeviceLogonEvents, AdvancedHunting-DeviceNetworkEvents | parent_process_name, user, parent_process_id, parent_process_path, action, original_file_name, process_exec, process_integrity_level, dest, process_path, vendor_product, process_id, process_hash, process_name, process | none
ms:defender:eventhub | AdvancedHunting-DeviceNetworkInfo | mac, src_ip, name, ip, dest, interface, vendor_product, dns, status | none
ms:defender:eventhub | AdvancedHunting-DeviceProcessEvents | parent_process_name, user, parent_process_id, parent_process_path, action, parent_process, original_file_name, process_exec, process_integrity_level, dest, process_path, vendor_product, process_id, process_name, process | none
ms:defender:eventhub | AdvancedHunting-DeviceRegistryEvents | action, registry_path, dest, registry_key_name, registry_hive, process_id, registry_value_type, vendor_product, registry_value_name, user | none

Note: No field mappings are removed in this version. Introducing the new modular inputs only adds new field mappings.

Fixed issues

Version 2.2.0 of the Splunk Add-on for Microsoft Security contains no fixed issues.

Known issues

Version 2.2.0 of the Splunk Add-on for Microsoft Security contains the following known issues. If no issues appear below, no issues have been reported.


Third-party software attributions

Version 2.2.0 of the Splunk Add-on for Microsoft Security incorporates the following third-party software or libraries: Media:MS-Security-v2.2.0-third-party.pdf

Last modified on 24 April, 2024

This documentation applies to the following versions of Splunk® Supported Add-ons: released
