Azure Sentinel Side-by-Side with Splunk
Published Mar 05 2020 05:38 AM 82K Views
Microsoft
For a more advanced integration, refer to "Sending enriched Azure Sentinel alerts to 3rd party SIEM and Ticketing Systems".

 

This blog post describes how Azure Sentinel can be used in a Side-by-Side approach with Splunk.

 

As enterprises consume more and more cloud services, there is a strong requirement for a cloud-native SIEM. This is where Azure Sentinel comes into play, with the following advantages:

 

  • Easy collection from cloud sources
  • Effortless infinite scale
  • Integrated automation capabilities
  • Continually maintained cloud and on-prem use cases enhanced with Microsoft TI and ML
  • GitHub community
  • Microsoft research and ML capabilities
  • Avoid sending cloud telemetry downstream

There are several best-practice integration options for operating Azure Sentinel Side-by-Side with another SIEM:

 

 

                            Alerts                                                    Events
Upstream to Sentinel        CEF, Logstash, Logic Apps, API                            CEF, Logstash, API
Downstream from Sentinel    Security Graph Security API, PowerShell, Logic Apps, API  API, PowerShell

 

This blog post focuses on ingesting Azure Sentinel alerts into Splunk by using the Microsoft Graph Security API.

 

The Microsoft Graph Security API provides a unified interface and schema to integrate with security solutions from Microsoft and ecosystem partners. This empowers customers to streamline security operations and better defend against increasing cyber threats. The Microsoft Graph Security API federates queries to all onboarded security providers and aggregates responses.

 

[Figure: SOC architecture diagram] Source: Azure Security Compass Workshop from Mark Simos

 

Preparation & Use

The following tasks describe the necessary preparation steps.

  • Onboard Azure Sentinel
  • Optional: Installation of Splunk
  • Preparation Steps in Splunk
  • Registration of an application in Azure AD
  • Configuration Steps in Splunk
  • Using Azure Sentinel alerts in Splunk

 

Onboard Azure Sentinel

Detailed steps for onboarding Azure Sentinel are not part of this blog post; however, here is a high-level checklist for fast-starting Azure Sentinel.

 

  

Task - Description

  1. Onboard Azure Sentinel - https://docs.microsoft.com/en-us/azure/sentinel/quickstart-onboard
  2. Connect your data sources - https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources
  3. Enable Built-In Workbooks - https://docs.microsoft.com/en-us/azure/sentinel/tutorial-monitor-your-data and https://docs.microsoft.com/en-us/azure/sentinel/quickstart-get-visibility#use-built-in-workbooks
  4. Enable out of the box detection rules - https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-built-in
  5. Create custom detection rules based on use cases - How to create custom rules: https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom ; GitHub samples: https://github.com/Azure/Azure-Sentinel
  6. Investigate incidents with Azure Sentinel - https://docs.microsoft.com/en-us/azure/sentinel/tutorial-investigate-cases
  7. Hunt for threats within Azure Sentinel - https://docs.microsoft.com/en-us/azure/sentinel/hunting
  8. Use Jupyter Notebooks to hunt for security threats - https://docs.microsoft.com/en-us/azure/sentinel/notebooks
  9. Set up automated threat responses in Azure Sentinel - https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
  10. Configure Splunk to run Side-by-Side with Azure Sentinel - https://splunkbase.splunk.com/app/4564/#/details

 

 

Installation of Splunk

Usually an enterprise that has already decided on Splunk has a running environment. This part was added mainly so the installation steps can be used to build a lab environment or for evaluation purposes.

 

In my environment I decided to use an Ubuntu server and build it in Azure.

 

Install the latest updates on the server

sudo apt-get update && sudo apt-get -y upgrade && sudo apt-get -y dist-upgrade && sudo apt autoclean && sudo apt-get clean && sudo apt-get autoremove -y

 

Create an account and download the latest version of Splunk for Debian/Ubuntu distribution (.deb) - here

 

Install the Splunk package

sudo dpkg -i splunk-8.0.1-xxxxxx.deb

 

Start Splunk and define the login credentials (username/password):

sudo /opt/splunk/bin/splunk start --accept-license

 

Expected output: The Splunk web interface is at http://splunk:8000

 

Once Splunk is started, the web interface is available at http://splunk:8000.

 

Run the following command to enable autostart for Splunk when the server starts:

sudo /opt/splunk/bin/splunk enable boot-start

 

Register an Application in Azure AD

The installed app requires the SecurityEvents.Read.All read permission on the Microsoft Graph Security API. The steps to register an app in Azure are described here: Walkthrough: Register an app with Azure Active Directory.

 

For further configuration in Splunk, make a note of the following settings:

  • Azure AD Application ID
  • Azure AD Application Secret
  • Tenant ID

 

Preparation Steps in Splunk

There is an app available that allows you to ingest Microsoft security alerts from the Microsoft Graph Security API. Use the following steps to install the app in Splunk.

 

Log in with the credentials (username / password) you defined during the installation of Splunk.

 


 

Log in and download the Microsoft Graph Security API Add-On for Splunk app from the following source: https://splunkbase.splunk.com/app/4564/

 


 

In the Splunk portal, click Manage Apps.

 


 

In Manage Apps, click Install app from file, select the previously downloaded file microsoft-graph-security-api-add-on-for-splunk_011.tgz, and click Upload.

 


 

Once the app is installed, a restart of Splunk is required; click Restart Now.

 


 

After the restart, the Microsoft Graph Security API Add-On for Splunk app can be used to ingest Azure Sentinel alerts into Splunk.

 

Configuration Steps in Splunk

Now it is time to configure the app to connect to the Microsoft Graph Security API.

 

In the Splunk portal, click Microsoft Graph Security Add-on for Splunk.

 


 

Click Create New Input.


 

Configure the input settings with the data noted from the registered Azure AD app (Azure AD Application ID, Azure AD Application Secret and Tenant ID). An OData filter can be used to restrict which alerts are ingested, if required (see the linked filter documentation); e.g. for Azure Sentinel alerts only, use /security/alerts?$filter=vendorInformation/provider eq 'Azure Sentinel'.
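To make the app registration and the OData filter concrete, here is an added example (not the Splunk add-on's own code, and not from the post) that does by hand what the add-on does for you: it builds the Azure AD client-credentials token request for the registered app, queries /security/alerts with the Azure Sentinel filter from above, and follows @odata.nextLink paging. The tenant ID, client ID and secret are placeholders, and the two sample pages are constructed so the module runs offline; swap fake_get for http_get_json and a real token to run it against a tenant.

```python
"""Pull Azure Sentinel alerts from the Microsoft Graph Security API.

Added example; this is not the Splunk add-on's code. It reproduces what the
add-on does under the hood: an Azure AD client-credentials token request,
then a GET on /security/alerts with the OData filter from the post, following
@odata.nextLink pages. The HTTP transport is injected as a callable so the
module can be imported and exercised offline with the constructed pages below.
"""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# The app registration is granted SecurityEvents.Read.All (application permission),
# so the token is requested for the /.default scope.
SCOPE = "https://graph.microsoft.com/.default"
SENTINEL_FILTER = "vendorInformation/provider eq 'Azure Sentinel'"


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the Azure AD v2.0 client-credentials grant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
        "grant_type": "client_credentials",
    })
    return url, body


def alerts_url(odata_filter=SENTINEL_FILTER, top=100):
    """Build the /security/alerts URL with $filter and a page size."""
    query = urllib.parse.urlencode({"$filter": odata_filter, "$top": top})
    return f"{GRAPH}/security/alerts?{query}"


def http_get_json(url, bearer):
    """Real transport: GET with a bearer token, return the parsed JSON body."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def fetch_all_alerts(bearer, first_url, get=http_get_json, max_pages=50):
    """Follow @odata.nextLink until the collection is exhausted (bounded by max_pages)."""
    alerts, url, pages = [], first_url, 0
    while url and pages < max_pages:
        page = get(url, bearer)
        alerts.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
        pages += 1
    return alerts


def summarize(alerts):
    """Reduce each alert to the fields a Splunk search typically pivots on."""
    return [
        {
            "id": a.get("id"),
            "title": a.get("title"),
            "severity": a.get("severity"),
            "provider": a.get("vendorInformation", {}).get("provider"),
        }
        for a in alerts
    ]


# --- Constructed sample pages (not real Graph data) for offline use -------------
FIRST_PAGE_URL = alerts_url()
NEXT_PAGE_URL = FIRST_PAGE_URL + "&%24skiptoken=constructed-token"
SAMPLE_PAGES = {
    FIRST_PAGE_URL: {
        "value": [
            {"id": "alert-1", "title": "Suspicious sign-in", "severity": "medium",
             "vendorInformation": {"provider": "Azure Sentinel"}},
            {"id": "alert-2", "title": "Rare process", "severity": "high",
             "vendorInformation": {"provider": "Azure Sentinel"}},
        ],
        "@odata.nextLink": NEXT_PAGE_URL,
    },
    NEXT_PAGE_URL: {
        "value": [
            {"id": "alert-3", "title": "Mass download", "severity": "low",
             "vendorInformation": {"provider": "Azure Sentinel"}},
        ],
    },
}


def fake_get(url, bearer):
    """Offline transport that serves the constructed pages above."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    # Replace fake_get with http_get_json and a real token to run against the tenant.
    for row in summarize(fetch_all_alerts("placeholder-token", FIRST_PAGE_URL, get=fake_get)):
        print(row)
```

The paging loop is the part worth keeping in mind when you troubleshoot the add-on: a tenant with more alerts than one page holds returns an @odata.nextLink, and an integration that reads only the first page silently drops the rest. The max_pages bound is a defensive cap so a misbehaving endpoint cannot keep a poller spinning.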

 


 

Using Azure Sentinel alerts in Splunk

Once the ingestion has run, you can query the data by using sourcetype=GraphSecurityAlert in the search field.

 


 

Splunk is now connected to the Microsoft Graph Security API and is ingesting Azure Sentinel alerts.

 

Summary

 

We just walked through the process of standing up Azure Sentinel Side-by-Side with Splunk. In this way, you can use Azure Sentinel to enrich alerts from your cloud workloads providing additional context and prioritization as they are then ingested into Splunk. This will help you easily address your cloud security gaps while maintaining your existing SIEM.

 

11 Comments

Thanks for Sharing with the community :cool:

Copper Contributor

Great write up @Alp Babayigit 

Brass Contributor

Hi @Alp Babayigit ,

 

How can we write the Incident link to Splunk, or rather create a pivot link?

So for https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/2ee1-a4ce-a...

 

The last bit, the Incident ID in the URL, is not present in the SecurityAlerts table. I needed to do this.

 

Iron Contributor

Thanks for the great info; sharing with my Linkedin Network

Copper Contributor

@Joseph-Abraham you can create a logic app that receives the alert ID (GET request) and gets the incident ID using the built-in Sentinel incident connector or using a Log Analytics query.

With this you can respond to the user with a 302 redirect, sending the browser to the incident URL.

 

Also, there are some alerts that are not in Sentinel yet, and then you can send the user to the other portal.

Brass Contributor

@gollima Thank you for the response.

Actually when I posted this question the Get Incident action had not been released.

It's possible now as you say.

 

Thanks again for your answer. :)

Copper Contributor

Hi, nice writeup.

But I need one more step: how can I respond to Sentinel alerts via Splunk? Particularly, I need to change the Sentinel incident status from Splunk. Any idea would be appreciated.

Copper Contributor

@m4ttb1ss Thanks!

 

I did it by creating a rule on Splunk that detects the incident status change and then used a webhook action on Splunk to call another logic app URL (that you need to create) to change the status, add comments, etc.

 

Also, in my case, this incident status change is not from Splunk itself, since we use another tool to track the incident. This tool's logs are in Splunk.

 

Hope it helps.

Copper Contributor

@gollima 

This is what I thought I could do. The issue is, I need to change the status in Splunk and send the change to Sentinel. I don't have (and don't want to have) access to the Sentinel instance, but I get the incidents ingested via the Splunk TA.

Copper Contributor

@m4ttb1ss 

 

Well, maybe what you mean by access to Sentinel is in a broader way, but if it's literal, I think you can set the logic app's access to Sentinel instead of a user's.

There are other, more complex ways using APIs and App Registrations. Logic Apps abstract that complexity.

 

You need to get information to Sentinel; a logic app is one way. You can send logs from Splunk to Sentinel, and create a rule and logic app to work internally on Sentinel.

Microsoft

This guide is old and out of date.

 

Workarounds are to use another connector that allows directly querying the Log Analytics workspace (Splunk Add on for Microsoft Azure | Splunkbase) and setting it up to run every 5 minutes with a query like:

SecurityIncident
| where ingestion_time() > ago(6m)

 

Or export only the Sentinel incidents by configuring the export of the Log Analytics SecurityIncident table into an event hub (https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-data-export?tabs=portal) and then ingesting the event hub events in Splunk (https://www.splunk.com/en_us/blog/platform/splunking-azure-event-hubs.html).

Version history
Last update: Nov 02 2021 05:51 PM