I wanted to let you know that we’re having issues with the TA for Splunk when it comes to normalizing fields from Microsoft 365 Defender. We are forwarding the security alerts from Microsoft Defender for Endpoint to our Splunk using this TA but the fields don’t seem to be normalizing properly, which is making it tough for us to analyze and work with the data effectively using datamodels, primarily [Malware.Malware_Attacks] in Splunk. I also had a look inside of the props.conf in the TA and didn't find the EVAL commands I was looking for. In this case there's no mapping of [hostStates] OR [hostStates.{}.fqdn] to user.
Could you look into this and let us know if there’s a fix or any updates coming up soon? If there’s anything we can do on our end to help resolve this, please let us know.
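A local props.conf override of the kind the post says is missing, added here as an example and not taken from the TA: the stanza name is a placeholder for whatever sourcetype the TA assigns to Defender alerts, and the raw field names assume the Microsoft Graph Security alert schema (hostStates, userStates, fileStates, title, severity) that Splunk's JSON auto-extraction exposes as `hostStates{}.fqdn` and similar.

```ini
# Added example (not part of the TA): drop this in a local override such as
# <TA>/local/props.conf so it survives app upgrades. Replace the stanza name
# with the sourcetype the TA actually assigns to Defender alert events.
[ms365:defender:alert:PLACEHOLDER]

# CIM Malware_Attacks.dest: Graph alerts carry affected hosts in hostStates[],
# which auto-KV turns into the multivalue field hostStates{}.fqdn. Take the
# first host; fall back to the NetBIOS name when fqdn is absent.
EVAL-dest = coalesce(mvindex('hostStates{}.fqdn', 0), mvindex('hostStates{}.netBiosName', 0))

# CIM Malware_Attacks.user: the account involved comes from userStates[].
EVAL-user = mvindex('userStates{}.accountName', 0)

# Detection name and severity. Graph severity values are unknown/informational/
# low/medium/high; lower-casing keeps them consistent with the CIM severity field.
EVAL-signature = title
EVAL-severity = lower(severity)

# Product attribution for the Malware data model.
EVAL-vendor_product = "Microsoft Defender for Endpoint"

# File details from fileStates[] (first entry). hashValue is the raw hash;
# the hash algorithm is in fileStates{}.fileHash.hashType if you need it.
EVAL-file_name = mvindex('fileStates{}.name', 0)
EVAL-file_path = mvindex('fileStates{}.path', 0)
EVAL-file_hash = mvindex('fileStates{}.fileHash.hashValue', 0)

# Malware_Attacks.action (allowed/blocked/deferred) is not stated directly by
# the Graph alert object, so it is intentionally not guessed here.
```

After a restart or `| extract reload=true`, check the result with a search such as `| datamodel Malware Malware_Attacks search | stats count by dest, user, signature` and confirm that events populate `dest` and `user` rather than falling through as unmapped.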