Introducing the new Microsoft Graph Security API add-on for Splunk!
Microsoft

A new add-on from Microsoft enables customers to easily integrate security alerts and insights from its security products, services, and partners in Splunk Enterprise. The new Splunk add-on is built by Microsoft, certified by Splunk, and is available on Splunkbase at no additional cost.

 

This add-on, powered by the Microsoft Graph Security API, supports streaming of alerts from the following Microsoft and partner solutions into Splunk using a single add-on and common schema, enabling easier correlation of data across these products:

  1. Azure Security Center
  2. Azure Active Directory Identity Protection
  3. Microsoft Cloud App Security
  4. Microsoft Defender Advanced Threat Protection
  5. Azure Advanced Threat Protection
  6. Office 365 Advanced Threat Protection
  7. Azure Information Protection (preview)
  8. Azure Sentinel (preview)
  9. Palo Alto Networks

Note: Security products are continuously onboarded; refer to the Microsoft Graph Security alerts providers table for the latest product list.

 

Since the new add-on extends support across a broader set of security products, it will replace the Azure Monitor add-on for Splunk as the preferred method for integrating with the Microsoft Graph Security API.

Getting Started

Follow these steps to install and configure the app. Refer to the documentation for more details.

  1. Register your application for this Splunk add-on on Azure portal.
  2. Configure permissions and be sure to add the SecurityEvents.Read.All permission to your application. Get your Azure AD tenant administrator to grant tenant administrator consent to your application. This is a one-time activity unless permissions change for the application.
  3. Copy and save your registered Application ID and Directory ID from the Overview page. You will need them later to complete the add-on configuration process as illustrated below. [Figure: Application registration]
  4. Generate an application secret by going to Certificates & secrets. Save the generated secret as well for add-on configuration purposes.
  5. In Splunk, click on Splunk Apps to browse more apps.
  6. Search for ‘Microsoft Graph Security’ and install Microsoft Graph Security API add-on for Splunk.
  7. If Splunk Enterprise prompts you to restart, do so.
  8. Verify that the add-on appears in the list of apps and add-ons as shown in the diagram below. [Figure: Microsoft Graph Security add-on for Splunk]
  9. Configure Microsoft Graph Security data inputs illustrated in the diagram below as per the detailed guidance in the installation documentation for this add-on. This add-on provides the capability to pre-filter your data by specific alert providers or by alert category, severity, etc., by specifying the OData Filter field as shown in the diagram below. [Figure: Add-on input configuration]
  10. Now you can use your Microsoft Graph Security alerts for further processing in Splunk, in dashboards, etc.
  11. If you have Splunk and relevant add-ons running behind a proxy server, follow the additional steps for Splunk behind a Proxy Server in the installation documentation for this add-on.
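As an added example (not code from the original post or from the add-on itself), the following Python expresses what the steps above configure: the client-credentials token request that the registered application makes with its Application ID, Directory ID and secret, the OData Filter value a data input passes to the Graph /security/alerts endpoint, and a per-provider summary of a returned page keyed on vendorInformation.provider. The Microsoft login and Graph endpoints are the public ones; the alert page is a constructed sample, and nothing is sent over the network.

```python
# Added example, not code from the original post or from the add-on. Nothing is
# sent over the network: requests are only built, and the alert page is a sample.
import json
from urllib.parse import quote, urlencode

LOGIN_BASE = "https://login.microsoftonline.com"
GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> dict:
    """Client-credentials token request for the app registered in steps 1-4.

    Directory ID -> tenant_id, Application ID -> client_id, generated secret ->
    client_secret.  The .default scope requests the application permissions
    already granted through admin consent (here SecurityEvents.Read.All).
    """
    return {
        "method": "POST",
        "url": f"{LOGIN_BASE}/{tenant_id}/oauth2/v2.0/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": "https://graph.microsoft.com/.default",
        }),
    }


def _odata_string(value: str) -> str:
    """OData string literal: single-quoted, embedded quotes doubled."""
    return "'" + value.replace("'", "''") + "'"


def build_alert_filter(providers=(), severities=(), categories=()) -> str:
    """Build the OData Filter value for a data input (step 9).

    Values for one field are OR-ed, fields are AND-ed.  The nested property is
    addressed by the OData path vendorInformation/provider, not by the dotted
    vendorInformation.provider field name Splunk shows after ingestion.
    """
    groups = []
    for field, values in (("vendorInformation/provider", providers),
                          ("severity", severities),
                          ("category", categories)):
        if not values:
            continue
        clause = " or ".join(f"{field} eq {_odata_string(v)}" for v in values)
        groups.append(f"({clause})" if len(values) > 1 else clause)
    return " and ".join(groups)


def build_alerts_url(odata_filter: str = "", top: int = 0) -> str:
    """GET URL for one poll of /security/alerts, query parameters percent-encoded."""
    params = {}
    if odata_filter:
        params["$filter"] = odata_filter
    if top:
        params["$top"] = str(top)
    return GRAPH_ALERTS_URL + ("?" + urlencode(params, quote_via=quote) if params else "")


# Constructed sample shaped like a /security/alerts page; ids and categories are
# invented, the provider strings are those a commenter below reports seeing.
SAMPLE_PAGE = json.dumps({
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/alerts",
    "@odata.nextLink": GRAPH_ALERTS_URL + "?$skip=3",
    "value": [
        {"id": "alert-0001", "severity": "medium", "category": "ImpossibleTravel",
         "vendorInformation": {"provider": "MCAS", "vendor": "Microsoft"}},
        {"id": "alert-0002", "severity": "high", "category": "Malware",
         "vendorInformation": {"provider": "Office 365 Security and Compliance",
                               "vendor": "Microsoft"}},
        {"id": "alert-0003", "severity": "low", "category": "AnonymousIP",
         "vendorInformation": {"provider": "IPC", "vendor": "Microsoft"}},
    ],
})


def summarize_page(page_json: str) -> dict:
    """Count alerts per vendorInformation.provider; 'unknown' if the field is absent."""
    page = json.loads(page_json)
    counts = {}
    for alert in page.get("value", []):
        provider = (alert.get("vendorInformation") or {}).get("provider") or "unknown"
        counts[provider] = counts.get(provider, 0) + 1
    return {"counts": counts, "next_link": page.get("@odata.nextLink")}


def missing_providers(counts: dict, expected) -> list:
    """Expected providers with no alerts on the page, the first check when a
    product is configured but nothing from it appears in Splunk."""
    return sorted(p for p in expected if p not in counts)
```

A non-empty `next_link` in the summary means the add-on has more pages to fetch before the per-provider counts are complete.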

What’s Next?

We are working to enable support for this add-on on Splunk Cloud. We would love to hear your feedback on this add-on so that we can factor that in before making it available on Splunk Cloud. Please share your feedback by filing a GitHub issue.

8 Comments
Occasional Contributor

Thanks for the insight @Preeti Krishna. Does support for Microsoft Cloud App Security automagically include support for Office 365 Cloud App Security as well, or is that a separate item that might be added in the future? 

Occasional Visitor

Thanks for the post. The Azure Monitor add-on for Splunk is used for pulling AAD audit & Sign-In logs, whereas the Microsoft Graph Security API add-on for Splunk seems to pull only security events from various security products of Microsoft. I'm wondering how this one can replace Azure Monitor unless you are planning to expose AAD Sign-in & Audit events as well. Please advise.

Occasional Visitor
The App is only importing the alerts from said security products but not the activity associated with the alert; it's tedious for someone to try and correlate the alert with the associated activity, as the alert provides very few fields that are in common between the alert & the actual activity events. Is there a plan to extend the application's functionality so that one can export both the alert and activity list to their own SIEM for further processing of the data?
Occasional Visitor
@Preeti Krishna The App is only importing the alerts from said security products but not the activity associated with the alert; it's tedious for someone to try and correlate the alert with the associated activity, as the alert provides very few fields that are in common between the alert & the actual activity events. Is there a plan to extend the application's functionality so that one can export both the alert and activity list to their own SIEM for further processing of the data?
Microsoft

@Michael Sampson - Office 365 Cloud App Security comes with Office 365 Advanced Threat Protection. You can look at the list of products from which you can stream alerts into Splunk using the Microsoft Graph Security add-on @ https://aka.ms/graphsecurityalerts. You would need subscriptions to the relevant products to be able to get alerts from these.

Microsoft

@mpras2135 - Thanks for your feedback and questions. I'll respond to each of your questions across multiple comments in this one.

1. The Microsoft Graph Security API add-on uses the API to stream alerts across different sources into Splunk. Microsoft Graph Security API does not stream logs or traces, as these are pretty verbose to be schematized across various products. For streaming alerts in a unified format and making those available in Splunk, use the Microsoft Graph Security API add-on for Splunk. Based on alert correlations and the need to pull in additional logs and traces, use the Azure Monitor add-on. Hope this clarifies.

 

2. The activity logs can be made available via the Azure Monitor add-on for Splunk as mentioned in point #1 above. The Microsoft Graph Security alerts have alert-specific information associated with users (logon location, IP, risk score etc.), devices (IP, FQDN, domain etc.), and more - refer to the Microsoft Graph Security alert schema for more details. We are looking into building contextual information about the specific alert entities that we can expose through the Microsoft Graph Security API, but we most likely won't plan to expose complete logs or traces, as those can't really be schematized across different products.

 

Feel free to reach out to me with specific details on your scenarios at graphsecfeedback_at_microsoft_dot_com and happy to help. 

Occasional Visitor

Hi Preeti
We've completed the steps described in your article, but so far we are able to see logs in Splunk from these 3 products (appearing under field name vendorInformation.provider): MCAS, Office 365 Security and Compliance and IPC.
We are still not seeing anything from Azure Security Center, Microsoft Defender Advanced Threat Protection or Azure Information Protection.
Is there anything we need to do in the Azure back end to make these products to send alerts to MS Graph?
Thanks in advance.

Occasional Visitor
@Preeti Krishna Thanks for the content.
 
I have installed this add-on in Splunk Enterprise and gave write access to my customers (Power users), but to my surprise they are not able to edit the app contents (creating new inputs/configuration etc.). Only admin access users are able to edit/create the app inputs. Do we have any restrictions on this app such that only admins can have the access?