Splunk® Supported Add-ons

Splunk Add-on for Microsoft Security

Release history

Version 2.1.1 is the latest release of the Splunk Add-on for Microsoft Security. See Release notes for more information.

Version 2.1.0

Version 2.1.0 of the Splunk Add-on for Microsoft Security was released on June 13, 2023. It is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 9.0.x
CIM: 5.0.1
Platforms: Platform independent
Vendor products: Microsoft 365 Defender, Defender for Endpoint

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 2.1.0 of the Splunk Add-on for Microsoft Security has the following new features.

  • Provides dashboards that give insight into the add-on's operation: informational insights, errors, and the action items for those errors
  • Provides support for configuring the add-on from a deployment server
  • Shows a warning message when an input is created with duplicate values


CIM Data Model Changes

There are no CIM data model or field extraction changes between Splunk Add-on for Microsoft Security v2.0.1 and v2.1.0.

Fixed issues

Version 2.1.0 of the Splunk Add-on for Microsoft Security contains no fixed issues.

Known issues

Version 2.1.0 of the Splunk Add-on for Microsoft Security contains the following known issues.


Date filed    Issue number   Description
2023-07-03    ADDON-63131    Proxy details not used while creating/updating the input

Third-party software attributions

Version 2.1.0 of the Splunk Add-on for Microsoft Security incorporates the following third-party software or libraries: Media:MS-Security-v2.1.0-third-party.pdf

Version 2.0.1

Version 2.0.1 of the Splunk Add-on for Microsoft Security was released on Apr 14, 2023. It is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 8.1.x, 8.2.x, 9.0.x
CIM: 5.0.1
Platforms: Platform independent
Vendor products: Microsoft 365 Defender, Defender for Endpoint

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 2.0.1 of the Splunk Add-on for Microsoft Security has the following new features.

  • Added support for retrieving incidents and alerts through the Microsoft Graph API
  • Added support for updating incidents and running advanced hunting queries through the Microsoft Graph API
  • Updated the look and feel of the input and configuration pages
  • Account configuration now supports a default value for the tenant ID
  • Data collected through the Microsoft Graph API is CIM compliant


CIM Data Model Changes

There are no CIM data model changes between Splunk Add-on for Microsoft Security v1.3.1 and v2.0.1, but the following field mappings changed.

Field changes

Sourcetype               category                                                    Fields added   Fields removed
ms:defender:atp:alerts   LateralMovement, Discovery, PrivilegeEscalation,            (none)         signature_id
                         SuspiciousActivity, DefenseEvasion, Collection,
                         CredentialAccess, Execution, CommandAndControl,
                         InitialAccess
ms:defender:atp:alerts   None, Persistence                                           (none)         signature_id, user

Sourcetype                       threatFamilyName   Fields added   Fields removed
ms365:defender:incident:alerts   null               (none)         signature_id

Note: Previously, for the signature_id and user fields listed above, the add-on extracted literal values such as "null" when the source attribute was empty; these values are no longer extracted, so the fields are absent from such events. Searches or correlation rules that relied on matching the literal string "null" in these fields will stop matching after the upgrade. There are no field changes for the m365:defender:incident:advanced_hunting sourcetype.
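To see how much of your existing data carries the old literal "null" values before you upgrade, and what the new behaviour looks like, the following added example (not code from the add-on or from Splunk) audits a batch of exported events and normalizes them the way the v2.0.1 extraction does. The sample events are constructed; only the sourcetype names and the signature_id, user, category and threatFamilyName fields come from the release notes above, the remaining keys and values are illustrative assumptions.

```python
import json
from collections import Counter

# Sentinel strings that the pre-2.0.1 extraction emitted as field values when
# the source attribute was empty. The release notes name "null"; extend the set
# with any other sentinel strings you find in your own indexed data.
NULL_LITERALS = {"null"}

# Constructed sample events (JSON lines, not real tenant data). Sourcetype names
# and the fields signature_id / user / category / threatFamilyName come from the
# release notes; "severity" and all values are illustrative assumptions.
SAMPLE_EVENTS = [
    '{"sourcetype": "ms:defender:atp:alerts", "category": "Persistence", '
    '"signature_id": "null", "user": "null", "severity": "Medium"}',
    '{"sourcetype": "ms:defender:atp:alerts", "category": "Execution", '
    '"signature_id": "null", "user": "jdoe", "severity": "High"}',
    '{"sourcetype": "ms365:defender:incident:alerts", "threatFamilyName": null, '
    '"signature_id": "null", "severity": "Low"}',
    '{"sourcetype": "ms365:defender:incident:alerts", "threatFamilyName": "TestFamily", '
    '"signature_id": "TestFamily", "severity": "High"}',
]


def audit_null_literals(events):
    """Count, per (sourcetype, field), how many events carry a literal null string.

    Run this over an export of your pre-upgrade data to find which fields and
    sourcetypes will lose values after the upgrade.
    """
    counts = Counter()
    for line in events:
        ev = json.loads(line)
        sourcetype = ev.get("sourcetype", "unknown")
        for field, value in ev.items():
            if isinstance(value, str) and value in NULL_LITERALS:
                counts[(sourcetype, field)] += 1
    return counts


def normalize_event(ev, fields=("signature_id", "user")):
    """Return a copy of ev with the given fields dropped when their value is
    JSON null or one of the literal null strings (the v2.0.1 behaviour:
    the field is absent rather than set to "null")."""
    out = dict(ev)
    for field in fields:
        if field not in out:
            continue
        value = out[field]
        if value is None or (isinstance(value, str) and value in NULL_LITERALS):
            del out[field]
    return out


def normalize_events(events):
    """Parse JSON lines and normalize each event."""
    return [normalize_event(json.loads(line)) for line in events]


if __name__ == "__main__":
    for (sourcetype, field), n in sorted(audit_null_literals(SAMPLE_EVENTS).items()):
        print(f"{sourcetype:35} {field:15} {n} event(s) with literal null")
    for ev in normalize_events(SAMPLE_EVENTS):
        print(json.dumps(ev))
```

The audit counts only string sentinels; a real JSON null (as in the third sample) was never a field value and is left alone by the audit, while normalize_event drops both forms so that a search such as signature_id=* no longer matches events that have no real signature.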

Fixed issues

Version 2.0.1 of the Splunk Add-on for Microsoft Security contains the following fixed issues.

Date resolved   Issue number   Description
2023-04-11      ADDON-61739    Advanced Hunting query results aren't ingested when using Microsoft Graph APIs

Known issues

Version 2.0.1 of the Splunk Add-on for Microsoft Security contains the following known issues.


Date filed    Issue number   Description
2023-07-03    ADDON-63131    Proxy details not used while creating/updating the input

Third-party software attributions

Version 2.0.1 of the Splunk Add-on for Microsoft Security incorporates the following third-party software or libraries: Media:MS-Security-v2.0.1-third-party.pdf

Version 1.3.1

Version 1.3.1 of the Splunk Add-on for Microsoft Security was released on October 13, 2022. It is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 8.1, 8.2, 9.0
CIM: 5.0.1
Platforms: Platform independent
Vendor products: Microsoft 365 Defender, Defender for Endpoint

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 1.3.0 of the Splunk Add-on for Microsoft Security has the following new features.

  • Renamed the add-on's eventtypes from the ms_defender prefix to the ms_security prefix:

    Old eventtype name                            New eventtype name
    ms_defender_incident                          ms_security_incident
    ms_defender_atp_alert                         ms_security_atp_alert
    ms_defender_advanced_hunting_sourcetypes      ms_security_advanced_hunting
    ms_defender_advanced_hunting_process          ms_security_advanced_hunting_process
    ms_defender_advanced_hunting_filesystem       ms_security_advanced_hunting_filesystem
    ms_defender_advanced_hunting_registry         ms_security_advanced_hunting_registry
    ms_defender_advanced_hunting_delivery         ms_security_advanced_hunting_delivery
    ms_defender_advanced_hunting_email            ms_security_advanced_hunting_email
    ms_defender_advanced_hunting_authentication   ms_security_advanced_hunting_authentication
    ms_defender_incident_alerts                   ms_security_incident_alerts

    Saved searches, correlation searches and dashboards that reference the old names will stop matching events until they are updated.
  • Added support for the host field on events ingested via alert actions.
  • Updated the system path so that the add-on's own third-party libraries take priority during data collection.
  • Enhanced validations for a better user experience.
  • Added a "Tenant ID" input field to the alert actions configuration.
  • Enhanced the user experience for selecting the "Account Name" input field in the alert actions configuration.
  • Updated extraction of the _time field for the sourcetypes ms:defender:atp:alerts and ms365:defender:incident:alerts: _time is now taken from the event's "last update time". _time therefore reflects the most recent update to an alert rather than when it was first raised; searches and correlations that treat _time as the detection time should use the alert's creation-time field instead.
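The eventtype rename above silently breaks any search that still uses an ms_defender_* name. The following added example (not code from the add-on or from Splunk) scans a .conf file for references to the old names and rewrites them using the rename table from these release notes. The savedsearches.conf excerpt is constructed, and the stanza names in it are hypothetical; the rename map itself is copied from the table above.

```python
import re

# Old -> new eventtype names, as listed in the 1.3.x release notes.
EVENTTYPE_RENAMES = {
    "ms_defender_incident": "ms_security_incident",
    "ms_defender_atp_alert": "ms_security_atp_alert",
    "ms_defender_advanced_hunting_sourcetypes": "ms_security_advanced_hunting",
    "ms_defender_advanced_hunting_process": "ms_security_advanced_hunting_process",
    "ms_defender_advanced_hunting_filesystem": "ms_security_advanced_hunting_filesystem",
    "ms_defender_advanced_hunting_registry": "ms_security_advanced_hunting_registry",
    "ms_defender_advanced_hunting_delivery": "ms_security_advanced_hunting_delivery",
    "ms_defender_advanced_hunting_email": "ms_security_advanced_hunting_email",
    "ms_defender_advanced_hunting_authentication": "ms_security_advanced_hunting_authentication",
    "ms_defender_incident_alerts": "ms_security_incident_alerts",
}

# Constructed savedsearches.conf excerpt (hypothetical stanzas, not shipped
# with the add-on) standing in for the file you would read from disk.
SAMPLE_CONF = """\
[Defender - New incidents]
search = eventtype=ms_defender_incident status=Active | stats count by severity

[Defender - Process hunting]
search = eventtype="ms_defender_advanced_hunting_process" | table _time host process

[Unrelated search]
search = index=main sourcetype=syslog | head 10
"""

STANZA_RE = re.compile(r"^\[([^\]]+)\]\s*$")


def _name_pattern(name):
    # No \w on either side: "ms_defender_incident" must not match inside
    # "ms_defender_incident_alerts", whose own entry handles it.
    return re.compile(r"(?<!\w)" + re.escape(name) + r"(?!\w)")


def find_stale_eventtypes(conf_text, renames=EVENTTYPE_RENAMES):
    """Return [(stanza, old_name, new_name)] for every old eventtype referenced."""
    hits = []
    stanza = None
    for line in conf_text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            stanza = m.group(1)
            continue
        for old, new in renames.items():
            if _name_pattern(old).search(line):
                hits.append((stanza, old, new))
    return hits


def rewrite_eventtypes(conf_text, renames=EVENTTYPE_RENAMES):
    """Return conf_text with every old eventtype name replaced by the new one."""
    for old, new in renames.items():
        conf_text = _name_pattern(old).sub(new, conf_text)
    return conf_text


if __name__ == "__main__":
    for stanza, old, new in find_stale_eventtypes(SAMPLE_CONF):
        print(f"[{stanza}] references {old}; rename to {new}")
    print(rewrite_eventtypes(SAMPLE_CONF))
```

Run find_stale_eventtypes first and review the report; apply rewrite_eventtypes only to a copy of the file, since it rewrites every occurrence, including ones inside comments or descriptions.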


Fixed issues

Version 1.3.1 of the Splunk Add-on for Microsoft Security contains no fixed issues.


Known issues

Version 1.3.1 of the Splunk Add-on for Microsoft Security contains the following known issues.


Third-party software attributions

Version 1.3.1 of the Splunk Add-on for Microsoft Security incorporates the following third-party software or libraries: Media:Splunk_TA_MS_Security_120.pdf

Version 1.3.0 of the Splunk Add-on for Microsoft Security was released on March 23, 2022. See Release notes for more information.

Version 1.2.0

Version 1.2.0 of the Splunk Add-on for Microsoft Security was released on March 23, 2022. It is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 8.1, 8.2
CIM: 5.0.0
Platforms: Platform independent
Vendor products: Microsoft 365 Defender, Defender for Endpoint

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 1.2.0 of the Splunk Add-on for Microsoft Security has the following new features.

  • Added support for GCC and GCC High environments. Data can now be collected from these environments using credentials issued for them.
  • Updated the behavior of the defender_update_incident alert action.
  • Added CIM v5.0.0 support.

Fixed issues

Version 1.2.0 of the Splunk Add-on for Microsoft Security contains no fixed issues.


Known issues

Version 1.2.0 of the Splunk Add-on for Microsoft Security contains the following known issues.


Third-party software attributions

Version 1.2.0 of the Splunk Add-on for Microsoft Security incorporates the following third-party software or libraries: Media:Splunk_TA_MS_Security_120.pdf

Version 1.1.0

Version 1.1.0 of the Splunk Add-on for Microsoft Security was released on January 24, 2021. It is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 8.1, 8.2
CIM: 4.20.2
Platforms: Platform independent
Vendor products: Microsoft 365 Defender, Defender for Endpoint

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 1.1.0 of the Splunk Add-on for Microsoft Security has the following new features.

  • This is a brand new release of the Splunk Add-on for Microsoft Security. The add-on is migrated from the Microsoft 365 Defender Add-on for Splunk.
  • The sourcetype m365:defender:incident is renamed to ms365:defender:incident and is now mapped to the Ticket_Management:Incident CIM data model instead of the Alerts data model.
  • Enhanced CIM field mapping for ms:defender:atp:alerts and m365:defender:incident:advanced:hunting.
  • Introduced the new sourcetype ms365:defender:incident:alerts, which contains the alert data split out of the incident events in the old sourcetype m365:defender:incident.
  • Previously, events in the old sourcetype m365:defender:incident contained both alert data and incident data, and the alert data was not relevant to that sourcetype. In this release the events are split at index time: alert data is indexed into the new sourcetype ms365:defender:incident:alerts, and only incident data is ingested into the renamed sourcetype ms365:defender:incident.
  • Removed dashboard panels: alert_queue, incident_queue, overview_alert, overview_detections, advanced_hunting, incident_detail, incident_overview, incident_update, microsoft_defender_atp_alerts.
  • Added support for CIM v4.20.2.
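The following added example (not the add-on's own code) shows the shape of the index-time split described above: one incident payload becomes one ms365:defender:incident event plus one ms365:defender:incident:alerts event per embedded alert, with the incident keeping only the alert IDs so the two sourcetypes can still be joined. The incident is constructed, and its field names (incidentId, alerts, lastUpdateTime, alertId and so on) are assumptions modelled loosely on a Microsoft 365 Defender incident; only the two sourcetype names come from the release notes. _time is taken from each record's last-update timestamp, which is an assumption here.

```python
import json
from datetime import datetime, timezone

INCIDENT_SOURCETYPE = "ms365:defender:incident"
ALERT_SOURCETYPE = "ms365:defender:incident:alerts"

# Constructed sample incident (not real tenant data). Field names are
# assumptions for illustration; only the sourcetype names above are from the
# release notes.
SAMPLE_INCIDENT = {
    "incidentId": 4711,
    "incidentName": "Multi-stage incident on host WS01",
    "severity": "High",
    "status": "Active",
    "createdTime": "2023-04-01T10:00:00Z",
    "lastUpdateTime": "2023-04-01T11:30:00Z",
    "alerts": [
        {"alertId": "da1", "title": "Suspicious PowerShell", "category": "Execution",
         "severity": "Medium", "creationTime": "2023-04-01T10:00:00Z",
         "lastUpdatedTime": "2023-04-01T10:05:00Z"},
        {"alertId": "da2", "title": "Credential dumping attempt", "category": "CredentialAccess",
         "severity": "High", "creationTime": "2023-04-01T11:20:00Z",
         "lastUpdatedTime": "2023-04-01T11:30:00Z"},
    ],
}


def _epoch(ts):
    """Convert an ISO-8601 UTC timestamp with a trailing Z to epoch seconds."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def split_incident(incident):
    """Split one incident payload into (incident_event, [alert_event, ...]).

    The incident event drops the embedded alert list but keeps the alert IDs;
    each alert event carries the parent incidentId so the two can be joined.
    """
    alerts = incident.get("alerts") or []

    incident_event = {k: v for k, v in incident.items() if k != "alerts"}
    incident_event["alertIds"] = [a["alertId"] for a in alerts]
    incident_event["sourcetype"] = INCIDENT_SOURCETYPE
    incident_event["_time"] = _epoch(incident["lastUpdateTime"])

    alert_events = []
    for alert in alerts:
        ev = dict(alert)
        ev["incidentId"] = incident["incidentId"]
        ev["sourcetype"] = ALERT_SOURCETYPE
        ev["_time"] = _epoch(alert["lastUpdatedTime"])
        alert_events.append(ev)
    return incident_event, alert_events


def to_event_lines(incident):
    """Serialize the split result as JSON lines, incident first."""
    incident_event, alert_events = split_incident(incident)
    return [json.dumps(incident_event)] + [json.dumps(a) for a in alert_events]


if __name__ == "__main__":
    for line in to_event_lines(SAMPLE_INCIDENT):
        print(line)
```

With this layout an incident-level search (status, severity, alert count) runs against ms365:defender:incident alone, and alert detail is pulled from ms365:defender:incident:alerts by incidentId only when needed.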

Fixed issues

Version 1.1.0 of the Splunk Add-on for Microsoft Security contains no fixed issues.


Known issues

Version 1.1.0 of the Splunk Add-on for Microsoft Security contains the following known issues.


Third-party software attributions

Version 1.1.0 of the Splunk Add-on for Microsoft Security incorporates the following third-party software or libraries: Media:Microsoft_Security_3rd_party_1_0.pdf

Last modified on 28 November, 2023