Splunk Add-on for Microsoft Security

Splunk Community

The Splunk Add-on for Microsoft Security collects incidents and alerts from Microsoft 365 Defender, or alerts from Microsoft Defender for Endpoint.

Customers currently using the Microsoft 365 Defender Add-on for Splunk are strongly recommended to migrate to this new, Splunk-supported add-on after reading the migration section of the documentation: https://docs.splunk.com/Documentation/AddOns/released/MSSecurity/Migrate

Customers migrating from the Microsoft 365 Defender Add-on for Splunk who would like to continue using the dashboards it includes should install the Microsoft 365 App for Splunk, as that functionality has been moved there: https://splunkbase.splunk.com/app/3786/

Microsoft 365 Defender Incidents

* Incident (impossible travel, activity from a Tor IP, suspicious inbox forwarding, successful logon using potentially stolen credentials, etc.)
* Assignee
* Classification
* Severity
* Status
* Alerts associated with the incident

Microsoft Defender for Endpoint Alerts

* Categories (Malware, Initial Access, Execution, etc.)
* Detection source
* Evidence
* Computer name
* Related user
* Severity
* Status