
Microsoft 365 Defender Threat Vulnerability add-on for Splunk

About

This repository is twofold:

  1. It holds a Splunk add-on which utilizes MS Defender 365 vulnerability data; the add-on CIM-normalizes the data into the Vulnerabilities data model and creates asset lookup lists for Enterprise Security.
  2. It holds a Python script which can be used to collect that data into Splunk.

Dashboard provided

The app also provides an example view of how the data can be presented to a system manager (a less technical role). The view is included both as a Classic XML dashboard and as a Dashboard Studio view. Use this as a starting point and tailor it to your own environment and needs.

Dashboard studio example

Recommendations

To further enhance your investigation options you should also be ingesting Defender for Endpoint events. We recommend using this add-on:

Splunk configuration

Installation

Splunk Enterprise

Install the latest release package TA-microsoft-365-defender-threat-vulnerability-add-on-<tag>.tar.gz to the Splunk Search Head/SH Cluster via your usual methods.

Indexers only need props.conf, but it doesn't hurt to install the whole add-on on them.

And if you rely on HFs for the data collection they need props.conf as well.

Splunk Cloud

Install the add-on via the GUI or using the Splunk ACS API and you're all good!

Configurations

Macros

The included dashboard and reports rely on macros.

  1. ms_defender_index - needs to be set to the index where the vulnerability data is stored.
  2. get_system_from_machinetags(<regex>) - this macro applies the given regex to the field machineTags in the lookup ms_defender_endpoint_machines_assets.csv.

The second macro is needed to filter out unwanted Azure device tags in the dropdown menu of the dashboard, i.e. the regex you pass in functions as an allow list. For example, if your tags are named HR, Accounting and IT Services the macro call would be get_system_from_machinetags((HR|Accounting|IT\sServices)).

Lookup initialization

Once data is being indexed, run and enable the included reports. Make sure the macro ms_defender_index has been set first.

  1. Lookup - MS Defender 365 - DeviceInfo
  2. Lookup - MS Defender 365 - MachineInfo
  3. Lookup - Vulnerabilities description

Data collection

The provided script collects data from three sources and needs to be set to run periodically, e.g. as a cron job.

Depending on your environment and knowledge, you can select multiple routes of collecting these events.

  1. Use the script as is on a HF to forward the data.
  2. Use Azure Functions to write the JSON data to either HEC or an Event Hub. The function write_results is the one that has to be adapted to the desired output.
  3. Use Splunk SOAR / Cribl to query the APIs directly and post the data to Splunk.
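The two pieces of the collector that route 2 asks you to adapt are paging through an API response and shaping the records for the output. The block below is an added example, not the repository's script: it assumes the Defender APIs page with OData's "@odata.nextLink" and return records under "value", takes the page fetcher as a parameter so it runs offline against constructed sample pages, and shows a write_results variant that builds a Splunk HEC batch body and skips the call when an export comes back empty. The sourcetype and index names are placeholders.

```python
import json
from typing import Callable, Iterator, Optional

# Assumption: responses carry records in "value" and a continuation URL in
# "@odata.nextLink" (OData convention). fetch_page maps a URL to parsed JSON;
# in the real script it would wrap requests.get with the app's bearer token.
def iter_records(fetch_page: Callable[[str], dict], url: str) -> Iterator[dict]:
    while url:
        body = fetch_page(url)
        for record in body.get("value", []):
            yield record
        url = body.get("@odata.nextLink")  # None on the last page ends the loop


def to_hec_events(records, sourcetype: str, index: str, host: str) -> list:
    """Wrap each API record in a Splunk HEC /services/collector event envelope."""
    return [
        {"host": host, "index": index, "sourcetype": sourcetype, "event": rec}
        for rec in records
    ]


def write_results(records, sourcetype: str, index: str, host: str) -> Optional[str]:
    """HEC flavour of the write_results step the README says to adapt.

    Returns None when there is nothing to send, so a blank delta export (see
    Troubleshooting) does not turn into an empty POST to HEC."""
    events = to_hec_events(records, sourcetype, index, host)
    if not events:
        return None
    # HEC accepts several JSON event objects concatenated in one request body
    return "\n".join(json.dumps(e) for e in events)


# Constructed sample pages standing in for GET .../api/machines responses
SAMPLE_PAGES = {
    "https://api.securitycenter.microsoft.com/api/machines": {
        "value": [{"id": "m1", "computerDnsName": "hr-pc-01", "machineTags": ["HR"]}],
        "@odata.nextLink": "https://api.securitycenter.microsoft.com/api/machines?$skip=1",
    },
    "https://api.securitycenter.microsoft.com/api/machines?$skip=1": {
        "value": [{"id": "m2", "computerDnsName": "fin-pc-07", "machineTags": ["Accounting"]}],
    },
}


def collect_machines_demo() -> Optional[str]:
    """Run the collector over the constructed pages; placeholder sourcetype/index."""
    start = "https://api.securitycenter.microsoft.com/api/machines"
    records = iter_records(SAMPLE_PAGES.__getitem__, start)
    return write_results(records, "ms:defender:machines", "defender", "collector")
```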

Azure configurations

The collection script uses two of Microsoft's APIs:

Resources

Permissions needed

  Collected data                 | API call                                                                                      | Permission needed
  Machine info                   | GET https://api.securitycenter.microsoft.com/api/machines                                     | Machine.Read.All
  Full export of vulnerabilities | GET https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilitiesExport       | Vulnerability.Read.All
  Delta export of vulnerabilities| GET https://api.securitycenter.microsoft.com/api/machines/SoftwareVulnerabilityChangesByMachine | Vulnerability.Read.All
  Description of vulnerabilities | POST https://api.security.microsoft.com/api/advancedhunting/run                               | AdvancedHunting.Read.All

Create app to collect data

1. App registration

Start off by registering the app that the script will use for authentication.

2. Create a client secret

The secret will act as a password for the application in the OAuth flow. Make sure to copy the value of the secret when creating it - this will only be shown once.

2a. Add a client secret
2b. Copy the ID and the secret (value)

3. Add API Permissions to the app

3a. API Permissions - Microsoft Threat Protection

Needed permission AdvancedHunting.Read.All

3b. API Permissions - WindowsDefenderATP

Needed permissions Machine.Read.All and Vulnerability.Read.All

4. Get an Azure admin to grant consent to the application permissions

5. Success!

6. Go back to your app and take note of the Client ID and Tenant ID

7. Use the credentials

In the config script, either uncomment and use a Key Vault, or fill in hardcoded values (not recommended).

Azure device tagging

Setting custom tags on the devices lets us categorize which business system a device belongs to, if this information isn't coming to Splunk from some other place.

A tag can be e.g. HR or IT Support, and tags can be set using GPO / PowerShell / Intune / API. Using the API is probably preferable since it works regardless of the machine OS.

There are a couple of points to be aware of when you are using the registry to tag a machine:

  1. The tag is fixed and cannot be changed through the portal, it can only be changed by modifying the registry.
  2. Only one tag can be specified in the registry.

See the links below for guides and code.

Tagging using the Defender 365 portal

  1. Open the Defender 365 portal and select Device Inventory
  2. Select a device and assign it a tag
  3. How the device tag is shown in Splunk

Troubleshooting

Azure authentication

You can use jwt.ms to validate that the auth token returned to you carries the correct roles.
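The same check jwt.ms performs can be scripted so the collector can fail early with a clear message when consent was never granted. The block below is an added example, not part of the add-on: it decodes the token's payload without verifying the signature (exactly what jwt.ms shows you; the resource API is the party that verifies signatures) and compares the "roles" and "aud" claims against the permissions listed in the table above. The expected audience values are an assumption derived from the API hostnames on this page, and the token used is a constructed unsigned one for offline testing.

```python
import base64
import json

# Application permissions per API resource, from the README's permissions table.
# Keys are the expected "aud" claim per API (assumption based on the API hostnames).
REQUIRED_ROLES = {
    "https://api.securitycenter.microsoft.com": {"Machine.Read.All", "Vulnerability.Read.All"},
    "https://api.security.microsoft.com": {"AdvancedHunting.Read.All"},
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without checking its signature.

    This is for inspecting a token you obtained yourself, like jwt.ms does; it is
    not a validation step for tokens presented by others."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, audience: str) -> dict:
    """Compare the token's "aud" and "roles" claims with what the API needs.

    Returns whether the audience matches and which required roles are missing,
    so a blank export can be traced to a consent problem before blaming Splunk."""
    claims = decode_jwt_claims(token)
    granted = set(claims.get("roles", []))
    return {
        "audience_ok": claims.get("aud") == audience,
        "missing_roles": REQUIRED_ROLES[audience] - granted,
    }


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for offline testing (not a real Azure token)."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    return header + "." + enc(claims) + "."  # empty signature segment
```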

Data collection

If the delta export is set to run too often (e.g. every hour) it's been observed that the output file is blank. Defender doesn't update its tables in real time.

ta-microsoft-365-defender-threat-vulnerability-add-on's Issues

add dvc field

Add static string
dvc="Defender for Endpoint" to props.conf
