A new add-on from Microsoft enables customers to easily integrate security alerts and insights from its security products, services, and partners in Splunk Enterprise. The new Splunk add-on is built by Microsoft, certified by Splunk, and is available on Splunkbase at no additional cost.
This add-on, powered by the Microsoft Graph Security API, supports streaming of alerts from the following Microsoft and partner solutions into Splunk using a single add-on and common schema, enabling easier correlation of data across these products:
- Azure Security Center
- Azure Active Directory Identity Protection
- Microsoft Cloud App Security
- Microsoft Defender Advanced Threat Protection
- Azure Advanced Threat Protection
- Office 365 Advanced Threat Protection
- Azure Information Protection (preview)
- Azure Sentinel (preview)
- Palo Alto Networks
Note: Security products are continuously onboarded; refer to the Microsoft Graph Security alerts providers table for the latest product list.
Since the new add-on extends support across a broader set of security products, it will replace the Azure Monitor add-on for Splunk as the preferred method for integrating with the Microsoft Graph Security API.
Follow these steps to install and configure the app. Refer to the documentation for more details.
- Register your application for this Splunk add-on on Azure portal.
- Configure permissions and be sure to add the SecurityEvents.Read.All permission to your application. Get your Azure AD tenant administrator to grant tenant administrator consent to your application. This is a one-time activity unless permissions change for the application.
- Copy and save your registered Application ID and Directory ID from the Overview page. You will need them later to complete the add-on configuration process as illustrated below. [Figure: Application registration]
- Generate an application secret by going to Certificates & secrets. Save the generated secret as well for add-on configuration purposes.
- In Splunk, click on Splunk Apps to browse more apps.
- Search for 'Microsoft Graph Security' and install the Microsoft Graph Security API add-on for Splunk.
- If Splunk Enterprise prompts you to restart, do so.
- Verify that the add-on appears in the list of apps and add-ons as shown in the diagram below. [Figure: Microsoft Graph Security add-on for Splunk]
- Configure the Microsoft Graph Security data inputs illustrated in the diagram below as per the detailed guidance in the installation documentation for this add-on. The add-on can pre-filter your data by specific alert providers, alert category, severity, and so on, by specifying the OData Filter field shown in the diagram below. [Figure: Add-on input configuration]
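The following Python example is added here to illustrate the two pieces of the setup above that are easy to get wrong: the client-credentials token request the registered application makes (tenant ID, Application ID and secret from the Azure portal, with the `.default` scope that maps to the admin-consented `SecurityEvents.Read.All` application permission), and the OData `$filter` expression that goes into the add-on's OData Filter field. It is not code from the add-on or from Microsoft. The alert field names (`severity`, `category`, `vendorInformation/provider`) follow the Microsoft Graph Security alert schema; the sample alerts, provider short names and IDs are constructed for the example, and nothing is sent over the network. The `select_alerts` function applies the same predicate locally so you can see which alerts a given filter admits before putting it into the add-on.

```python
import urllib.parse

# Constructed sample alerts shaped like Microsoft Graph Security alerts (v1.0 schema).
# Only the fields this example reads are included; all values are made up.
SAMPLE_ALERTS = [
    {"id": "alert-001", "title": "Risky sign-in from anonymous IP", "severity": "high",
     "category": "Account", "status": "newAlert", "createdDateTime": "2019-05-01T10:00:00Z",
     "vendorInformation": {"provider": "IPC", "vendor": "Microsoft"}},
    {"id": "alert-002", "title": "Unusual outbound connection", "severity": "medium",
     "category": "Network", "status": "inProgress", "createdDateTime": "2019-05-01T11:30:00Z",
     "vendorInformation": {"provider": "ASC", "vendor": "Microsoft"}},
    {"id": "alert-003", "title": "Mass download", "severity": "low",
     "category": "DataExfiltration", "status": "newAlert", "createdDateTime": "2019-05-01T12:15:00Z",
     "vendorInformation": {"provider": "MCAS", "vendor": "Microsoft"}},
    {"id": "alert-004", "title": "Command and control traffic", "severity": "high",
     "category": "Network", "status": "newAlert", "createdDateTime": "2019-05-01T13:00:00Z",
     "vendorInformation": {"provider": "Palo Alto Networks", "vendor": "Palo Alto Networks"}},
]

# Graph alert severity is an enum, not a number, so "at least medium" has to be
# expressed in OData as an explicit 'or' over the admitted values.
SEVERITY_RANK = {"unknown": 0, "informational": 1, "low": 2, "medium": 3, "high": 4}


def severities_at_or_above(min_severity):
    """Return the severity names ranked at or above min_severity, lowest first."""
    threshold = SEVERITY_RANK[min_severity]
    return [s for s, r in sorted(SEVERITY_RANK.items(), key=lambda kv: kv[1]) if r >= threshold]


def odata_literal(value):
    """Quote a string for an OData filter; a single quote inside a literal is doubled."""
    return "'" + value.replace("'", "''") + "'"


def build_odata_filter(providers=None, categories=None, min_severity=None):
    """Build the expression to paste into the add-on's OData Filter field."""
    clauses = []
    if providers:
        clauses.append("(" + " or ".join(
            f"vendorInformation/provider eq {odata_literal(p)}" for p in providers) + ")")
    if categories:
        clauses.append("(" + " or ".join(
            f"category eq {odata_literal(c)}" for c in categories) + ")")
    if min_severity:
        clauses.append("(" + " or ".join(
            f"severity eq {odata_literal(s)}" for s in severities_at_or_above(min_severity)) + ")")
    return " and ".join(clauses)


def build_alerts_url(odata_filter, top=50):
    """Full alerts request URL; urlencode percent-encodes '$', quotes and slashes."""
    params = {"$top": str(top)}
    if odata_filter:
        params["$filter"] = odata_filter
    return "https://graph.microsoft.com/v1.0/security/alerts?" + urllib.parse.urlencode(params)


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request (URL and form body) for the registered app.

    tenant_id is the Directory ID and client_id the Application ID copied from the
    portal Overview page; the '.default' scope requests the application permissions
    (here SecurityEvents.Read.All) that a tenant administrator has consented to.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }
    return url, form


def select_alerts(alerts, providers=None, categories=None, min_severity=None):
    """Apply the same predicate as build_odata_filter locally, preserving input order."""
    allowed = set(severities_at_or_above(min_severity)) if min_severity else None
    selected = []
    for alert in alerts:
        if providers and alert["vendorInformation"]["provider"] not in providers:
            continue
        if categories and alert["category"] not in categories:
            continue
        if allowed is not None and alert["severity"] not in allowed:
            continue
        selected.append(alert)
    return selected


if __name__ == "__main__":
    flt = build_odata_filter(providers=["ASC", "IPC"], min_severity="medium")
    print("OData Filter field:", flt)
    print("Request URL:", build_alerts_url(flt, top=10))
    # Placeholder identifiers; real values come from your own app registration.
    print("Token request:", build_token_request("<tenant-id>", "<application-id>", "<secret>"))
    for a in select_alerts(SAMPLE_ALERTS, providers=["ASC", "IPC"], min_severity="medium"):
        print("would be ingested:", a["id"], a["severity"], a["vendorInformation"]["provider"])
```

Because the add-on pre-filters at the API rather than in Splunk, a filter that is too narrow silently drops alerts; running the intended filter through `select_alerts` against a few alerts you already know about is a cheap way to check the expression before committing it to the data input.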
Now you can use your Microsoft Graph Security alerts for further processing in Splunk, in dashboards, etc.
If you have Splunk and relevant add-ons running behind a proxy server, follow the additional steps for Splunk behind a Proxy Server in the installation documentation for this add-on.
We are working to enable support for this add-on on Splunk Cloud. We would love to hear your feedback on this add-on so that we can factor that before making it available on Splunk Cloud. Please share your feedback by filing a GitHub issue.