Release notes for the Splunk Add-on for Microsoft Security
About this release
Version 2.2.0 of the Splunk Add-on for Microsoft Security was released on April 24, 2024. It is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 9.0.x, 9.1.0.x |
| CIM | 5.2.0 |
| Platforms | Windows, Linux based Operating Systems |
| Vendor Products | Microsoft 365 Defender, Defender for Endpoint, Azure Event Hubs |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features
Version 2.2.0 of the Splunk Add-on for Microsoft Security has the following new features.
- New modular input to collect simulation data from the Microsoft 365 Defender Portal.
- New modular input to collect Microsoft Defender Advanced Hunting events from an Azure Event Hub, streamed from the Defender portal via the streaming API.
CIM Data Model Changes
There are no changes in the CIM Data Model for existing extractions. For the new modular inputs introduced in v2.2.0, the CIM Data Model mappings are as follows:
Field Changes
Source-type | attackType | Fields added | Fields removed |
---|---|---|---|
ms:defender:simulations | social | type, user_name, severity, src, app, dest, user, signature, signature_id | |
Source-type | category | Fields added | Fields removed |
---|---|---|---|
ms:defender:eventhub | AdvancedHunting-DeviceEvents | parent_process_name, user, parent_process_id, parent_process_path, action, original_file_name, process_exec, process_integrity_level, dest, process_path, vendor_product, process_id, process_hash, process_name, process | |
ms:defender:eventhub | AdvancedHunting-DeviceFileCertificateInfo | ssl_validity_window, src, ssl_issuer_common_name, dest, ssl_serial, ssl_subject_common_name, ssl_subject_organization, ssl_hash, ssl_start_time, ssl_signature_algorithm, ssl_end_time | |
ms:defender:eventhub | AdvancedHunting-DeviceFileEvents | file_name, file_create_time, file_hash, action, file_access_time, file_acl, dest, file_path, file_size, vendor_product, process_id, user | |
ms:defender:eventhub | AdvancedHunting-DeviceImageLoadEvents | file_name, file_hash, action, file_access_time, file_acl, dest, file_size, file_path, vendor_product, process_id, user | |
ms:defender:eventhub | AdvancedHunting-DeviceInfo | family, version, os, dest, vendor_product | |
ms:defender:eventhub | AdvancedHunting-DeviceLogonEvents, AdvancedHunting-DeviceNetworkEvents | parent_process_name, user, parent_process_id, parent_process_path, action, original_file_name, process_exec, process_integrity_level, dest, process_path, vendor_product, process_id, process_hash, process_name, process | |
ms:defender:eventhub | AdvancedHunting-DeviceNetworkInfo | mac, src_ip, name, ip, dest, interface, vendor_product, dns, status | |
ms:defender:eventhub | AdvancedHunting-DeviceProcessEvents | parent_process_name, user, parent_process_id, parent_process_path, action, parent_process, original_file_name, process_exec, process_integrity_level, dest, process_path, vendor_product, process_id, process_name, process | |
ms:defender:eventhub | AdvancedHunting-DeviceRegistryEvents | action, registry_path, dest, registry_key_name, registry_hive, process_id, registry_value_type, vendor_product, registry_value_name, user | |
Note: No field mappings are removed in this version. As part of introducing the new modular inputs, only new field mappings are added.
Fixed issues
Version 2.2.0 of the Splunk Add-on for Microsoft Security contains no fixed issues.
Known issues
Version 2.2.0 of the Splunk Add-on for Microsoft Security contains the following known issues. If no issues appear below, no issues have been reported.
Third-party software attributions
Version 2.2.0 of the Splunk Add-on for Microsoft Security incorporates the following third-party software or libraries: Media:MS-Security-v2.2.0-third-party.pdf