February 5, 2020

The Microsoft Graph Security API add-on for Splunk is now supported on Splunk Cloud, in addition to Splunk Enterprise, and includes support for Python 3.0. The support is enabled as an enhancement to the Microsoft Graph Security API add-on for Splunk released last year. Refer to the Microsoft Graph Security API add-on for Splunk announcement blogpost for further details. This add-on enables customers to easily integrate security alerts and insights from their security products, services, and partners in Splunk. The Splunk add-on is built by Microsoft, certified by Splunk, and is available on Splunkbase at no additional cost.

 

This add-on, powered by the Microsoft Graph Security API, supports streaming of alerts from different Microsoft solutions like Microsoft Defender ATP, Azure Sentinel, Azure Security Center, and more into Splunk using a single add-on and common schema, enabling easier correlation of data across these products.

 

Note: If you have an earlier version of the Microsoft Graph Security API add-on installed on Splunk Enterprise, and upgrade to this version, please follow the upgrade guidance to reconfigure your inputs.

 

Getting Started

Choose one of these options depending on your scenario.

 

Scenario: New Installations on Splunk Cloud or Splunk Enterprise

Follow these steps to install and configure this app as a first-time add-on user. Refer to the documentation for more details.

  1. Register your application for this Splunk add-on on Azure portal.
  2. Configure permissions and be sure to add the SecurityEvents.Read.All permission to your application. Get your Azure AD tenant administrator to grant tenant administrator consent to your application. This is a one-time activity unless permissions change for the application.
  3. Copy and save your registered Application ID and Directory ID from the Overview page. You will need them later to complete the add-on configuration process. 
  4. Generate an application secret by going to Certificates & secrets Save the generated secret as well for add-on configuration purposes.
  5. In Splunk, click on Find More Apps to browse more apps.
  6. Search for Microsoft Graph Security as shown below (the picture below is on Splunk Cloud).    Find the add-onFind the add-on

     

  7. Installation of the add-on
    1. For Splunk Enterprise – Install Microsoft Graph Security API add-on for Splunk. Restart, if prompted to do so. 
    2. For Splunk Cloud – This add-on requires an Inputs Data Manager (IDM) on Splunk Cloud. Contact Splunk Cloud support per the Splunk Cloud IDM installation guidance
  8. Verify that the add-on appears in the list of apps and add-ons as shown in the diagram below.Add-on installedAdd-on installed
  9. Set up a new account in the Account tab in the Configuration page. Then click Add to create an account.
  10. Enter a unique Account Name, the Application ID and Client Secret registered in abovementioned steps 1 through 4 as shown in the diagram below. Add accountAdd account
  11.  Configure Microsoft Graph Security data inputs illustrated in the diagram below as per the detailed guidance in the section Configuring Microsoft Graph Security data input. This add-on provides the capability to pre-filter your data by specific alert providers or by alert category or severity, etc. by specifying the OData Filter field as shown in the diagram below. Add inputAdd input
  12. Now you can use your Microsoft Graph Security alerts for further processing in Splunk, in dashboards, etc.

If you have Splunk and relevant add-ons running behind a proxy server, follow the additional steps for Splunk behind a Proxy Server in the installation documentation for this add-on. For specific guidance on distributed set up, follow the steps in Where to Install the add-on in the installation documentation for this add-on

 

Scenario: Upgrade on Splunk Enterprise

If you have an existing version of the add-on installed on Splunk Enterprise that is lower than this version (1.1.0), the best practice recommended is to remove your older version of the Microsoft Graph Security API add-on for Splunk before re-installing version 1.1.0 of the Microsoft Graph Security API add-on for Splunk per abovementioned guidelines.

 

If you are upgrading on Splunk Enterprise, follow these steps.

  1. Disable all your inputs before you upgrade the add-on. Otherwise you may see errors in the log files which may result data loss against your already configured inputs.
  2. On the app list, navigate to the Microsoft Graph Security add-on for Splunk, to see an option to upgrade the app. Click on Update button.
  3. A new screen appears with the standard Splunk Terms to upgrade an app. Click Accept and ContinueSplunk termsSplunk terms
  4. Enter your username and password to log in the app. Click Login and ContinueLogin and continueLogin and continue

  5. After login, an Overview page appears, and the Update button disappears. Follow the instructions in the Configuring Microsoft Graph Security data inputs section in the installation documentation for this add-on to get alerts from Microsoft Graph Security API using the new configuration experience

 

Closing

We would love your continued feedback on this add-on. Please share your feedback by filing a GitHub issue.

 

You May Also Like…