Configure Splunk to pull Windows Defender ATP alerts

Applies to:

Want to experience Windows Defender ATP? Sign up for a free trial.

You'll need to configure Splunk so that it can pull Windows Defender ATP alerts.

Before you begin

  • Install the REST API Modular Input app in Splunk.
  • Make sure you have enabled the SIEM integration feature from the Settings menu. For more information, see Enable SIEM integration in Windows Defender ATP

  • Have the details file you saved from enabling the SIEM integration feature ready. You'll need to get the following values:

    • OAuth 2 Token refresh URL
    • OAuth 2 Client ID
    • OAuth 2 Client secret
  • Have the refresh token that you generated from the SIEM integration feature ready.

Configure Splunk

  1. Login in to Splunk.

  2. Click Search & Reporting, then Settings > Data inputs.

  3. Click REST under Local inputs.

    NOTE: This input will only appear after you install the REST API Modular Input app.

  4. Click New.

  5. Type the following values in the required fields, then click Save:

    NOTE: All other values in the form are optional and can be left blank.

    Field Value
    Endpoint URL Depending on the location of your datacenter, select any of the following URL:
    For EU: https://wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts
    For US:https://wdatp-alertexporter-us.securitycenter.windows.com/api/alerts

    For UK:https://wdatp-alertexporter-uk.securitycenter.windows.com/api/alerts
    HTTP Method GET
    Authentication Type oauth2
    OAuth 2 Access token Use the value that you generated when you enabled the SIEM integration feature.
    NOTE: The access token expires after an hour.
    OAuth 2 Refresh Token Use the value that you generated when you enabled the SIEM integration feature.
    OAuth 2 Token Refresh URL Use the value from the details file you saved when you enabled the SIEM integration feature.
    OAuth 2 Client ID Use the value from the details file you saved when you enabled the SIEM integration feature.
    OAuth 2 Client Secret Use the value from the details file you saved when you enabled the SIEM integration feature.
    Response type Json
    Response Handler JSONArrayHandler
    Polling Interval Number of seconds that Splunk will ping the Windows Defender ATP machine. Accepted values are in seconds.
    Set sourcetype Manual
    Source type _json

After completing these configuration steps, you can go to the Splunk dashboard and run queries.

View alerts using Splunk solution explorer

Use the solution explorer to view alerts in Splunk.

  1. In Splunk, go to Settings > Searchers, reports, and alerts.

  2. Select New.

  3. Enter the following details:

    • Destination app: Select Search & Reporting (search)
    • Search name: Enter a name for the query
    • Search: Enter a query, for example:
      source="rest://windows atp alerts"|spath|table*

      Other values are optional and can be left with the default values.

  4. Click Save. The query is saved in the list of searches.

  5. Find the query you saved in the list and click Run. The results are displayed based on your query.

Tip

To mininimize alert duplications, you can use the following query: source="rest://windows atp alerts" | spath | dedup _raw | table *