Splunk® Supported Add-ons

Splunk Add-on for Microsoft Security



Create Active Directory permissions for configuring Microsoft Account

To collect data for the Microsoft Security sourcetypes, you must configure an Active Directory application account with the appropriate permissions in the Azure Active Directory portal. The permissions required for each sourcetype are:

| Purpose | Sourcetype | Permission/Role | Input type |
| --- | --- | --- | --- |
| Read incidents and their associated alerts | ms365:defender:incident / ms365:defender:incident:alert | Incident.Read.All, SecurityIncident.Read.All* | Modular input |
| Read alerts | ms:defender:atp:alerts | Alert.Read.All, SecurityAlert.Read.All* | Modular input |
| Update incidents | ms365:defender:incident / ms365:defender:incident:alert | Incident.ReadWrite.All, SecurityIncident.ReadWrite.All* | Alert action |
| Fetch Advanced Hunting query results | m365:defender:incident:advanced_hunting | AdvancedHunting.Read.All, ThreatHunting.Read.All* | Alert action |
| Read simulation report data | ms:defender:simulations | AttackSimulation.Read.All | Modular input |
| Read Microsoft Defender generated Advanced Hunting events from Azure Event Hub using the streaming API | ms:defender:eventhub | Azure Active Directory account with the role "Azure Event Hubs Data Receiver"** | Modular input |

Permissions marked with an asterisk (*) are required if you are pulling or pushing data via the Microsoft Graph REST APIs.

The role marked with two asterisks (**) is required for getting events from Event Hub. Refer to the Microsoft documentation for configuring the streaming API to stream data from the Microsoft 365 Defender portal to Azure Event Hubs. After the streaming API has been configured, Advanced Hunting data is streamed to Azure Event Hub in real time and the add-on collects that data from Azure Event Hub.


After creating the Active Directory application, log in to the Azure Portal, refer to the Azure documentation, and:

  • Ensure that Alert permissions are set to
    • "Alert.Read.All" or "Alert.ReadWrite.All" when using Microsoft 365 APIs
    • "SecurityAlert.Read.All" or "SecurityAlert.ReadWrite.All" when using Microsoft Graph REST APIs
  • Ensure that Incidents permissions are set to
    • "Incident.ReadWrite.All" or "Incident.Read.All" or "AdvancedHunting.Read.All" when using Microsoft 365 APIs
    • "SecurityIncident.Read.All" or "SecurityIncident.ReadWrite.All" or "ThreatHunting.Read.All" when using Microsoft Graph REST APIs
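The permission table and the checklist above together define a least-privilege baseline: each enabled input needs exactly the listed application roles, and a ReadWrite role is only justified when the "Update incidents" alert action is in use. The following script, an added example that is not part of the Splunk add-on or of Microsoft's tooling, encodes that matrix and audits the `roles` claim of an application access token against the inputs you have actually enabled. It reports roles that are missing (the input will fail) and write roles that nothing needs (excess privilege to remove). The token is constructed inline for the demonstration; the payload is decoded without signature verification because this is a local review of what the token claims, not an authentication step. The input names (`incidents`, `alerts`, and so on) and the helper `make_sample_token` are the example's own conventions.

```python
import base64
import json

# Required application roles per input, transcribed from the permission table above.
# "m365" = Microsoft 365 Defender APIs, "graph" = Microsoft Graph REST APIs (the * column).
# AttackSimulation.Read.All is listed without an API distinction, so it applies to both.
REQUIRED = {
    "incidents":        {"m365": {"Incident.Read.All"},        "graph": {"SecurityIncident.Read.All"}},
    "alerts":           {"m365": {"Alert.Read.All"},           "graph": {"SecurityAlert.Read.All"}},
    "update_incidents": {"m365": {"Incident.ReadWrite.All"},   "graph": {"SecurityIncident.ReadWrite.All"}},
    "advanced_hunting": {"m365": {"AdvancedHunting.Read.All"}, "graph": {"ThreatHunting.Read.All"}},
    "simulations":      {"m365": {"AttackSimulation.Read.All"}, "graph": {"AttackSimulation.Read.All"}},
}

# The checklist accepts ReadWrite in place of Read, so a ReadWrite role satisfies the Read requirement.
IMPLIES = {
    "Alert.ReadWrite.All": "Alert.Read.All",
    "SecurityAlert.ReadWrite.All": "SecurityAlert.Read.All",
    "Incident.ReadWrite.All": "Incident.Read.All",
    "SecurityIncident.ReadWrite.All": "SecurityIncident.Read.All",
}
WRITE_ROLES = set(IMPLIES)  # every role that grants write access


def make_sample_token(roles):
    """Build a constructed, unsigned JWT (header.payload.signature) for the demo only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64({'roles': list(roles)})}.constructed-signature"


def decode_roles(token):
    """Return the 'roles' claim from the JWT payload. No signature check: this is a local audit."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore the base64 padding JWTs strip
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(payload.get("roles", []))


def audit(granted, inputs, api):
    """Compare granted roles with what the enabled inputs need under the chosen API family."""
    required = set()
    for name in inputs:
        required |= REQUIRED[name][api]
    # Expand ReadWrite grants into the Read roles they cover before looking for gaps.
    effective = set(granted) | {IMPLIES[r] for r in granted if r in IMPLIES}
    return {
        "required": required,
        "missing": required - effective,                      # inputs that will fail
        "excess_write": (granted & WRITE_ROLES) - required,   # write roles nothing needs
    }


if __name__ == "__main__":
    # Constructed scenario: Graph APIs, incident + alert + hunting inputs, no alert action.
    token = make_sample_token(["SecurityIncident.ReadWrite.All", "SecurityAlert.Read.All"])
    report = audit(decode_roles(token), ["incidents", "alerts", "advanced_hunting"], "graph")
    print("missing:", sorted(report["missing"]))            # ThreatHunting.Read.All
    print("excess write:", sorted(report["excess_write"]))  # SecurityIncident.ReadWrite.All
```

Run it after granting admin consent and acquiring a token for the application: an empty `missing` set means every enabled input is covered, and an empty `excess_write` set means the account holds no write role that the configured alert actions do not use.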
Last modified on 24 April, 2024
This documentation applies to the following versions of Splunk® Supported Add-ons: released