This add-on lets you create queries that onboard the relevant parts of Defender ATP telemetry into Splunk.
- Defender ATP has a lot of valuable telemetry data that can be used for correlation in Splunk (Enterprise Security).
- Microsoft made the Defender ATP API generally available on 22 April 2019 (https://twitter.com/MsftSecIntel/status/1120381773639143424).
- Before that, there was no way to onboard Defender ATP telemetry data into Splunk.
This add-on works on Linux and Windows.
Splunk version | Linux | Windows |
---|---|---|
6.3 | Yes | Yes |
6.4 | Yes | Yes |
6.5 | Yes | Yes |
6.6 | Yes | Yes |
7.0 | Yes | Yes |
7.1 | Yes | Yes |
7.2 | Yes | Yes |
7.3 | Yes | Yes |
8.0 | Yes | Yes |
- In Splunk, click "Manage apps"
- Click "Browse more apps", search for TA-defender-atp-hunting
- Install the add-on
Instance type | Supported | Required | Description |
---|---|---|---|
Search head | Yes | Yes | Install this add-on on your search head(s) for proper field extraction |
Indexer | Yes | No | This add-on should be installed on a heavy forwarder that does the index time parsing and event breaking. There is no need to install this add-on on an indexer too. |
Universal Forwarder | No | No | This add-on is not supported on a Universal Forwarder because it requires Python |
Heavy Forwarder | Yes | Yes | Install this add-on on a heavy forwarder |
First find the Client ID and Azure AD Tenant ID in portal.azure.com:
- In the Azure portal go to Azure Active Directory -> App Registrations
- Go to WindowsDefenderATPThreatIntelAPI
- Click Overview, and note:
  - Application (client) ID
  - Directory (tenant) ID
- Create a new Client Secret; see the "How do I configure the Azure side of things" steps
In Splunk, with all this information you can start to configure a new input in the add-on:
- Go to Configure, and create a new account. Paste the client id under username, and the client secret under password. Give it a name e.g. client_id_013d1963_d5a9_4329_bc1b_99d8e6db624d
- Go to Inputs and create a new input:
  - interval: 900 seconds or greater is recommended, given the delays in Defender ATP telemetry.
  - query: be sure to include a "where" clause that prevents duplicate events across consecutive runs. Example query:

    ```
    ProcessCreationEvents | where EventTime > ago(1200s) and EventTime < ago(300s)
    ```

    Note that the API is rate limited and returns at most 10000 events per query, so include extra "where" clauses to stay below this limit.
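The window arithmetic behind the interval and query settings above, as an added example that is not the add-on's own code: it builds the bounded query with absolute datetime() literals instead of ago(), so a 900 s interval with a 300 s lag yields back-to-back windows with no overlap or gap, and it halves any window whose result hits the 10000-row cap so nothing is silently truncated. The fake_api stub and the event timestamps are constructed stand-ins for the real Advanced Hunting endpoint.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Tuple

API_MAX_ROWS = 10000  # per-query result cap the README warns about
TS = "%Y-%m-%dT%H:%M:%SZ"  # format used inside a KQL datetime() literal

def window_for_run(run_at: datetime, interval_s: int, lag_s: int) -> Tuple[datetime, datetime]:
    """A run scheduled at run_at covers interval_s seconds ending lag_s seconds
    earlier, so telemetry that arrives late still falls inside a later window."""
    end = run_at - timedelta(seconds=lag_s)
    return end - timedelta(seconds=interval_s), end

def hunting_query(table: str, start: datetime, end: datetime) -> str:
    """KQL for the half-open window [start, end). Absolute boundaries keep
    consecutive runs from overlapping (duplicates) or leaving gaps (missed events)."""
    return (f"{table} | where EventTime >= datetime({start.strftime(TS)}) "
            f"and EventTime < datetime({end.strftime(TS)})")

def collect(run: Callable[[str], List[datetime]], table: str,
            start: datetime, end: datetime, depth: int = 0) -> List[datetime]:
    """Query one window; exactly API_MAX_ROWS rows means the API truncated the
    result, so halve the window (on whole seconds) and query both halves."""
    rows = run(hunting_query(table, start, end))
    half = int((end - start).total_seconds() // 2)
    if len(rows) < API_MAX_ROWS or half == 0 or depth >= 12:
        return rows
    mid = start + timedelta(seconds=half)
    return collect(run, table, start, mid, depth + 1) + collect(run, table, mid, end, depth + 1)

def fake_api(events: List[datetime]) -> Callable[[str], List[datetime]]:
    """Constructed stand-in for the Advanced Hunting endpoint (not the real API):
    filters constructed event times by the query's datetime literals, then caps."""
    def run(query: str) -> List[datetime]:
        lo, hi = [datetime.strptime(s, TS).replace(tzinfo=timezone.utc)
                  for s in re.findall(r"datetime\(([^)]+)\)", query)]
        return [e for e in events if lo <= e < hi][:API_MAX_ROWS]
    return run

def demo() -> dict:
    """Constructed scenario: 30 events per second across one 900 s window (27000 rows)."""
    run_at = datetime(2019, 5, 1, 12, 0, tzinfo=timezone.utc)
    start, end = window_for_run(run_at, interval_s=900, lag_s=300)
    events = [start + timedelta(seconds=s) for s in range(900) for _ in range(30)]
    api, query = fake_api(events), hunting_query("ProcessCreationEvents", start, end)
    return {"query": query, "start": start.strftime(TS), "end": end.strftime(TS),
            "single_query_rows": len(api(query)),
            "collected_rows": len(collect(api, "ProcessCreationEvents", start, end))}
```

A single query against the constructed data comes back with exactly 10000 rows (the truncation signature), while collect() returns all 27000 by splitting the window.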
- In the Azure portal go to Azure Active Directory -> App Registrations
- Go to WindowsDefenderATPThreatIntelAPI
- Under API permissions add "AdvancedQuery.Read.All", and grant admin consent
- Under Certificates and Secrets add a new Client secret. The secret is only shown once, so make sure to copy it to your favourite password manager.