Source types for the Splunk Add-on for Microsoft Security
The Splunk Add-on for Microsoft Security provides the search-time knowledge for Microsoft Security logs in the following formats.
Source type | Description | CIM data models
---|---|---
ms:defender:atp:alerts | This sourcetype contains data related to alerts generated from the Microsoft 365 Defender portal. | Alerts
ms365:defender:incident | This sourcetype contains data related to incidents generated from the Microsoft 365 Defender portal. | Ticket Management
ms365:defender:incident:alerts | This sourcetype is newly introduced and contains data related to alerts associated with incidents in Microsoft 365 Defender. | Alerts
m365:defender:incident:advanced_hunting | This sourcetype collects events from the alert actions configured in the add-on. | Email, Endpoint, Authentication
ms:defender:simulations | This sourcetype contains data related to simulations generated from the Microsoft 365 Defender portal. | Alerts
ms:defender:eventhub | This sourcetype contains advanced hunting event data generated from the Microsoft 365 Defender portal and collected from Azure Event Hub. | Certificates, Endpoint,
Duplicate Events for ms365:defender:incident:alerts sourcetype
- Microsoft Defender incident alerts can be collected as part of the Microsoft 365 Defender incidents API.
- When a Microsoft 365 Defender incident is updated (status change, alerts added or removed, and so on), a new event is generated and collected in Splunk for both the ms365:defender:incident:alerts and ms365:defender:incident sourcetypes.
- Whenever an incident is updated, some of its fields change but its related alerts might not. In the next API call, the incident with the same incidentId is fetched again and assigned to both the ms365:defender:incident and ms365:defender:incident:alerts sourcetypes, which can duplicate data in the alerts sourcetype.
- For example, if incidentId=21 is updated, during the next API call "incidentId=21" is fetched and ingested into sourcetype=ms365:defender:incident in Splunk with the updated field values, and its related alerts are ingested into sourcetype=ms365:defender:incident:alerts with the same field values as before, which can duplicate that alert data.
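To make this behaviour concrete, the following Python example (added here; it is not code from the add-on or from this documentation) models two consecutive polls of the incidents API and shows why the alerts sourcetype receives duplicate events while the incident sourcetype receives a legitimately updated one, and how the alert duplicates can be dropped. The alertId, title, status and lastUpdateTime field names and the sample records are assumptions constructed for the example.

```python
import hashlib
import json

# Constructed sample: two successive polls of the incidents API.
# Poll 2 returns incidentId 21 again because its status changed,
# but its alerts are unchanged (alertId/title are assumed field names).
POLL_1 = [
    {"incidentId": 21, "status": "Active", "lastUpdateTime": "2024-04-01T10:00:00Z",
     "alerts": [{"alertId": "da1", "title": "Suspicious PowerShell"},
                {"alertId": "da2", "title": "Credential dumping"}]},
    {"incidentId": 22, "status": "Active", "lastUpdateTime": "2024-04-01T10:05:00Z",
     "alerts": [{"alertId": "da3", "title": "Phishing email"}]},
]
POLL_2 = [
    {"incidentId": 21, "status": "Resolved", "lastUpdateTime": "2024-04-01T11:00:00Z",
     "alerts": [{"alertId": "da1", "title": "Suspicious PowerShell"},
                {"alertId": "da2", "title": "Credential dumping"}]},
]


def route(polls):
    """Mimic the add-on: every fetched incident goes to the incident sourcetype
    and each of its alerts goes to the alerts sourcetype, tagged with incidentId."""
    incidents, alerts = [], []
    for poll in polls:
        for inc in poll:
            incidents.append({k: v for k, v in inc.items() if k != "alerts"})
            for alert in inc["alerts"]:
                alerts.append({"incidentId": inc["incidentId"], **alert})
    return incidents, alerts


def alert_key(event):
    """Identity of an alert event: parent incidentId, alertId and a hash of all
    other fields, so a re-ingested alert with identical values is a duplicate
    while an alert whose fields really changed is kept."""
    body = {k: v for k, v in event.items() if k not in ("incidentId", "alertId")}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return (event["incidentId"], event["alertId"], digest)


def dedupe_alerts(alerts):
    """Return (unique alert events, number of duplicates dropped)."""
    seen, unique, dropped = set(), [], 0
    for event in alerts:
        key = alert_key(event)
        if key in seen:
            dropped += 1
            continue
        seen.add(key)
        unique.append(event)
    return unique, dropped


def latest_incidents(incidents):
    """Incident events are not duplicates: keep the newest per incidentId."""
    latest = {}
    for event in incidents:
        current = latest.get(event["incidentId"])
        if current is None or event["lastUpdateTime"] > current["lastUpdateTime"]:
            latest[event["incidentId"]] = event
    return latest
```

Running route over both polls yields three incident events but five alert events, of which the two for incidentId 21 from the second poll are byte-for-byte repeats and are dropped by dedupe_alerts.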
Last modified on 24 April, 2024