Splunk® Supported Add-ons

Splunk Add-on for Microsoft Security


Source types for the Splunk Add-on for Microsoft Security

The Splunk Add-on for Microsoft Security provides the search-time knowledge for Microsoft Security logs in the following formats.

| Source type | Description | CIM data models |
| --- | --- | --- |
| ms:defender:atp:alerts | Data related to alerts generated from the Microsoft 365 Defender portal. | Alerts |
| ms365:defender:incident | Data related to incidents generated from the Microsoft 365 Defender portal. | Ticket Management |
| ms365:defender:incident:alerts | Newly introduced sourcetype; data related to alerts associated with incidents in Microsoft 365 Defender. | Alerts |
| m365:defender:incident:advanced_hunting | Events from the alert actions configured in the add-on. | Email, Endpoint, Authentication |
| ms:defender:simulations | Data related to simulations generated from the Microsoft 365 Defender portal. | Alerts |
| ms:defender:eventhub | Advanced hunting event data generated from the Microsoft 365 Defender portal and collected from Azure Event Hub. | Certificates, Endpoint, Compute Inventory |

Duplicate events for the ms365:defender:incident:alerts sourcetype

  • Microsoft Defender incident alerts are collected as part of the Microsoft 365 Defender incidents API response.
  • When a Microsoft 365 Defender incident is updated (status change, alerts added or removed, and so on), a new event is generated and collected in Splunk for both the ms365:defender:incident:alerts and ms365:defender:incident sourcetypes.
  • When an incident is updated, some of its fields change but its related alerts might not. On the next API call, the incident with the same incidentId is fetched again and written to both the ms365:defender:incident and ms365:defender:incident:alerts sourcetypes, which can duplicate data in the alerts sourcetype.
  • For example, if incidentId=21 is updated, the next API call fetches incidentId=21 again and ingests it into sourcetype=ms365:defender:incident with the updated field values, while its related alerts are ingested into sourcetype=ms365:defender:incident:alerts with unchanged field values, producing likely duplicates.
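The following added example (not part of the add-on) simulates the two-poll behaviour described above and shows how to collapse the duplicated alert events at search time. The alertId and lastUpdateTime field names and the sample data are assumptions; the page itself only names incidentId.

```python
from collections import Counter

# Constructed sample: the same incident as returned by two consecutive API calls.
# Poll 2 re-fetches incidentId=21 because its status changed; its alerts are unchanged.
POLLS = [
    {"incidentId": 21, "status": "active", "lastUpdateTime": "2024-04-01T10:00:00Z",
     "alerts": [{"alertId": "a1", "title": "Suspicious PowerShell"},
                {"alertId": "a2", "title": "Credential dumping"}]},
    {"incidentId": 21, "status": "resolved", "lastUpdateTime": "2024-04-01T12:00:00Z",
     "alerts": [{"alertId": "a1", "title": "Suspicious PowerShell"},
                {"alertId": "a2", "title": "Credential dumping"}]},
]


def ingest(polls):
    """Return the events Splunk would hold per sourcetype after all polls."""
    incidents, alerts = [], []
    for p in polls:
        incidents.append({"sourcetype": "ms365:defender:incident",
                          "incidentId": p["incidentId"], "status": p["status"],
                          "lastUpdateTime": p["lastUpdateTime"]})
        for a in p["alerts"]:  # alerts are re-emitted on every poll of the incident
            alerts.append({"sourcetype": "ms365:defender:incident:alerts",
                           "incidentId": p["incidentId"],
                           "lastUpdateTime": p["lastUpdateTime"], **a})
    return incidents, alerts


def duplicate_alert_keys(alerts):
    """(incidentId, alertId) pairs seen more than once: the duplication to watch for."""
    counts = Counter((e["incidentId"], e["alertId"]) for e in alerts)
    return sorted(k for k, n in counts.items() if n > 1)


def dedup_alerts(alerts):
    """Keep one event per (incidentId, alertId), preferring the latest lastUpdateTime.
    Equivalent SPL (assumed field names):
      sourcetype=ms365:defender:incident:alerts | dedup incidentId alertId sortby -lastUpdateTime
    """
    best = {}
    for e in alerts:
        key = (e["incidentId"], e["alertId"])
        # ISO-8601 UTC timestamps compare correctly as strings
        if key not in best or e["lastUpdateTime"] > best[key]["lastUpdateTime"]:
            best[key] = e
    return sorted(best.values(), key=lambda e: (e["incidentId"], e["alertId"]))
```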
Last modified on 24 April, 2024

This documentation applies to the following versions of Splunk® Supported Add-ons: released

