Microsoft 365 Defender ATP Data
App Installation
| App | Search Head | Indexer | Heavy Forwarder | UF / Deployment Server | Additional Details |
|---|---|---|---|---|---|
| Splunk Add-on for Microsoft Security | Required | - | Required | - | Installation Guide |
Important inputs to be configured
- Microsoft Defender for Endpoint Alerts
Collect Defender ATP Status Logs from Windows Servers
App Installation
| App | Search Head | Indexer | Heavy Forwarder | UF / Deployment Server | Additional Details |
|---|---|---|---|---|---|
| Defender ATP Status Check Add-on | Required | - | - | Required (only for Windows) | Collect Defender ATP Status Logs from Windows Servers |
- Add the following stanza to inputs.conf in the local directory of the TA-defender-atp-status-check add-on:

```
[powershell://generate_defender_atp_status_logs]
disabled = 0
index = defenderatp
```
- Deploy the add-on from the deployment server to all Windows machines.
Audit Defender ATP Configuration Status
Use the Microsoft Defender ATP Audit dashboard (Cyences Settings > Microsoft 365 Defender ATP Audit) to audit the configuration status for Defender ATP.
Note: Create an index named defenderatp, or update the cs_o365_defender_atp and cs_o365_defender_atp_audit macro definitions on the Cyences app configuration page (Cyences Settings > Cyences App Configuration > Products Setup).
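As an added check, not part of the Cyences app or the TA-defender-atp-status-check add-on, the following Python script parses a local inputs.conf and indexes.conf and reports whether the status-log stanza above is enabled and whether the index it writes to is actually defined, since events sent to an undefined index are not stored under that name. The conf texts embedded below are constructed samples.

```python
# Added example (not from the Cyences docs or the TA): validate that the
# TA-defender-atp-status-check input stanza is enabled and that the index it
# targets exists in indexes.conf, so Defender ATP status logs are not lost.
import configparser

STANZA = "powershell://generate_defender_atp_status_logs"

def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text (INI-like; keys may have no value)."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return cp

def check_defender_status_input(inputs_conf: str, indexes_conf: str) -> list[str]:
    """Return a list of problems; an empty list means the setup matches the page."""
    problems = []
    inputs = parse_conf(inputs_conf)
    indexes = parse_conf(indexes_conf)
    if not inputs.has_section(STANZA):
        return [f"missing stanza [{STANZA}] in inputs.conf"]
    stanza = inputs[STANZA]
    if stanza.get("disabled", "0").strip().lower() in ("1", "true"):
        problems.append("input is disabled")
    index = stanza.get("index", "default")  # no index set means Splunk's default index
    if index == "default":
        problems.append("no index set; events would land in the default index")
    elif not indexes.has_section(index):
        problems.append(f"index '{index}' is not defined in indexes.conf")
    return problems

# Constructed samples: the stanza from this page, plus an indexes.conf that
# lacks the defenderatp index and one that defines it.
SAMPLE_INPUTS = """
[powershell://generate_defender_atp_status_logs]
disabled = 0
index = defenderatp
"""
SAMPLE_INDEXES_MISSING = """
[main]
homePath = $SPLUNK_DB/defaultdb/db
"""
SAMPLE_INDEXES_OK = SAMPLE_INDEXES_MISSING + """
[defenderatp]
homePath = $SPLUNK_DB/defenderatp/db
"""
```

Run `check_defender_status_input(open(inputs_path).read(), open(indexes_path).read())` against the add-on's local/inputs.conf and the indexer's merged indexes.conf; an empty result means the stanza and index line up with the note above.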
Estimated Data Size
TODO