Introducing the new Microsoft Graph Security API add-on for Splunk!

Published Aug 21 2019 02:16 PM
Microsoft

A new add-on from Microsoft (https://aka.ms/graphsecuritysplunkaddon) enables customers to integrate security alerts and insights from Microsoft's security products, services, and partners into Splunk Enterprise. The add-on is built by Microsoft, certified by Splunk, and is available on Splunkbase at no additional cost.


This add-on, powered by the Microsoft Graph Security API (https://aka.ms/graphsecuritydocs), streams alerts from the following Microsoft and partner solutions into Splunk through a single add-on and a common alert schema, which makes it easier to correlate data across these products:

  1. Azure Security Center
  2. Azure Active Directory Identity Protection
  3. Microsoft Cloud App Security
  4. Microsoft Defender Advanced Threat Protection
  5. Azure Advanced Threat Protection
  6. Office 365 Advanced Threat Protection
  7. Azure Information Protection (preview)
  8. Azure Sentinel (preview)
  9. Palo Alto Networks

Note: Security products are continuously onboarded; refer to the Microsoft Graph Security alert providers table (https://aka.ms/graphsecurityalerts) for the latest product list.


Since the new add-on extends support across a broader set of security products, it replaces the Azure Monitor add-on for Splunk (https://github.com/Microsoft/AzureMonitorAddonForSplunk) as the preferred method for integrating with the Microsoft Graph Security API. It does not replace the Azure Monitor add-on for Azure AD sign-in and audit logs or other activity logs: the Graph Security API exposes alerts in a unified schema, not raw logs or traces, so keep the Azure Monitor add-on where you need those.

Getting Started

Follow these steps to install and configure the add-on. Refer to the installation documentation (https://aka.ms/graphsecuritysplunkaddoninstallsteps) for more details.

  1. Register an application for this Splunk add-on in the Azure portal (https://docs.microsoft.com/en-us/graph/auth-v2-service#1-register-your-app). The add-on authenticates as this application rather than as a user, so the registration is the identity that will read every security alert in the tenant.
  2. Configure permissions (https://docs.microsoft.com/en-us/graph/auth-v2-service#2-configure-permissions-for-microsoft-graph) and add the SecurityEvents.Read.All permission to the application. Because the add-on uses the app-only (client credentials) flow linked in step 1, grant it as an application permission, which always requires an Azure AD tenant administrator to grant admin consent (https://docs.microsoft.com/en-us/graph/auth-v2-service#3-get-administrator-consent). Consent is a one-time activity unless the application's permissions change. Read is all the add-on needs; do not grant the ReadWrite variant or other Graph permissions to this registration.
  3. Copy and save the Application (client) ID and Directory (tenant) ID from the application's Overview page. You will need both to complete the add-on configuration.
  4. Generate an application secret under Certificates & secrets and save it for the add-on configuration. The secret plus the two IDs from step 3 are sufficient to read every security alert in the tenant, so treat them accordingly: give the secret an expiry, rotate it before it lapses (and update the add-on input with the new value), and enter it only on the add-on's configuration page rather than keeping it in scripts, tickets or plain-text files.
  5. In Splunk, click Splunk Apps to browse more apps.
  6. Search for 'Microsoft Graph Security' and install the Microsoft Graph Security API add-on for Splunk (https://aka.ms/graphsecuritysplunkaddon).
  7. If Splunk Enterprise prompts you to restart, do so.
  8. Verify that the add-on appears in the list of apps and add-ons.
  9. Configure the Microsoft Graph Security data inputs as described in the installation documentation for this add-on. Each input has an optional OData Filter field that is sent to the API as its $filter parameter, so you can pre-filter alerts server-side by provider, category, severity and so on, for example severity eq 'high', or vendorInformation/provider eq 'ASC' to collect only Azure Security Center alerts. Only matching alerts are retrieved, which keeps your Splunk ingest to what you actually use.
  10. Now you can use your Microsoft Graph Security alerts for further processing in Splunk, in dashboards and so on. Each alert's originating product is in the vendorInformation.provider field, which is the natural key for splitting searches and dashboards by product.
  11. If Splunk and the relevant add-ons run behind a proxy server, follow the additional steps for Splunk behind a Proxy Server in the installation documentation for this add-on.
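To show what the add-on's inputs are doing behind the steps above, here is an added example written for this page (it is not the add-on's own code): it builds the app-only token request for the client-credentials grant, builds the alerts query from a collection watermark plus the user's OData filter, pages through the results via @odata.nextLink, flattens each alert to the fields an analyst correlates on, and lists the distinct provider keywords that are valid in a vendorInformation/provider filter (the question raised in the comment thread below). The token and alerts endpoints are the real Azure AD and Microsoft Graph ones; the two result pages, the alert contents and the run_sample driver are constructed for offline use, with the provider values MCAS, IPC and ASC taken from the thread.

```python
"""Pull Microsoft Graph Security alerts the way the add-on's inputs do:
an app-only token (client credentials), then GET /v1.0/security/alerts with
an OData $filter, following @odata.nextLink. Only http_get_json touches the
network; everything else runs offline against the constructed sample below."""
import json
import urllib.parse
import urllib.request

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"
AUTHORITY = "https://login.microsoftonline.com"


def token_request(tenant_id, client_id, client_secret):
    """URL and form body for the v2.0 client-credentials grant. The ./default
    scope yields the application permissions an admin consented to; the
    secret goes to the authority only, never to Graph."""
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials"}).encode()
    return url, body


def alerts_url(odata_filter=None, since=None, top=100):
    """Build the alerts query. `since` is the collection watermark (only alerts
    created after the last pull); the user's OData Filter is ANDed onto it and
    both are evaluated server-side, so Splunk only receives matching alerts."""
    clauses = []
    if since:
        clauses.append(f"createdDateTime gt {since}")
    if odata_filter:
        clauses.append(f"({odata_filter})")
    params = {"$top": str(top), "$orderby": "createdDateTime asc"}
    if clauses:
        params["$filter"] = " and ".join(clauses)
    return GRAPH_ALERTS + "?" + urllib.parse.urlencode(
        params, safe="$/", quote_via=urllib.parse.quote)


def http_get_json(url, access_token):
    """The one network call; the Bearer token is the only credential Graph sees."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def collect_alerts(first_url, fetch):
    """Walk pages until one has no @odata.nextLink; `fetch` is any url -> dict."""
    url, alerts = first_url, []
    while url:
        page = fetch(url)
        alerts.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return alerts


def normalize(alert):
    """Flatten the cross-provider fields an analyst correlates on."""
    vendor = alert.get("vendorInformation") or {}
    return {
        "id": alert["id"], "provider": vendor.get("provider"),
        "severity": alert.get("severity"), "category": alert.get("category"),
        "title": alert.get("title"), "created": alert.get("createdDateTime"),
        "users": sorted({u["userPrincipalName"] for u in alert.get("userStates", [])
                         if u.get("userPrincipalName")}),
        "hosts": sorted({h["fqdn"] for h in alert.get("hostStates", []) if h.get("fqdn")}),
    }


def providers_seen(alerts):
    """Distinct vendorInformation/provider values: the exact keywords that work
    in a filter such as vendorInformation/provider eq 'ASC'."""
    return sorted({(a.get("vendorInformation") or {}).get("provider") for a in alerts} - {None})


def next_watermark(alerts, previous):
    """Advance the watermark to the newest createdDateTime seen, else keep it."""
    return max([previous] + [a["createdDateTime"] for a in alerts if a.get("createdDateTime")])


# Constructed sample pages (not real alerts), in the shape Graph returns them.
SAMPLE_PAGES = {
    "p1": {"value": [
        {"id": "a1", "createdDateTime": "2019-08-20T10:00:00Z", "severity": "high",
         "category": "Malware", "title": "Suspicious process",
         "vendorInformation": {"provider": "MCAS", "vendor": "Microsoft"},
         "userStates": [{"userPrincipalName": "alice@contoso.example"}],
         "hostStates": [{"fqdn": "wks01.contoso.example"}]},
        {"id": "a2", "createdDateTime": "2019-08-20T11:30:00Z", "severity": "medium",
         "category": "UnfamiliarLocation", "title": "Unfamiliar sign-in properties",
         "vendorInformation": {"provider": "IPC", "vendor": "Microsoft"},
         "userStates": [{"userPrincipalName": "bob@contoso.example"}]}],
           "@odata.nextLink": "p2"},
    "p2": {"value": [
        {"id": "a3", "createdDateTime": "2019-08-20T12:00:00Z", "severity": "high",
         "category": "Malware", "title": "Brute force attack detected",
         "vendorInformation": {"provider": "ASC", "vendor": "Microsoft"},
         "hostStates": [{"fqdn": "vm-web01.contoso.example"}]}]},
}


def run_sample(since="2019-08-20T00:00:00Z"):
    """Offline run; against a real tenant pass lambda u: http_get_json(u, token)."""
    alerts = collect_alerts("p1", lambda u: SAMPLE_PAGES[u])
    return [normalize(a) for a in alerts], providers_seen(alerts), next_watermark(alerts, since)
```

The watermark is the piece to get right in a recurring input: without it every poll re-ingests old alerts, and with it a failed poll must not advance it, which is why next_watermark is computed only from alerts that were actually collected. The $filter string is percent-encoded as a whole, so provider keywords with spaces are safe to use as-is.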

What’s Next?

We are working to enable support for this add-on on Splunk Cloud, and would love to hear your feedback on this add-on so that we can factor it in before making it available there. Please share your feedback by filing a GitHub issue.

17 Comments
Re: Introducing the new Microsoft Graph Security API add-on for Splunk!
Thanks for the insight @Preeti Krishna. Does support for Microsoft Cloud App Security automagically include support for Office 365 Cloud App Security as well, or is that a separate item that might be added in the future?

Re: Introducing the new Microsoft Graph Security API add-on for Splunk!
Thanks for the post. The Azure Monitor add-on for Splunk (https://github.com/Microsoft/AzureMonitorAddonForSplunk) is used for pulling AAD audit & sign-in logs, whereas the Microsoft Graph Security API add-on for Splunk seems to pull only security events from various security products of Microsoft. Wondering how this one can replace the Azure Monitor add-on unless you are planning to expose AAD sign-in & audit events as well. Please advise.

Re: Introducing the new Microsoft Graph Security API add-on for Splunk!
@Preeti Krishna The app is only importing the alerts from said security products but not the activity associated with the alert. It's tedious for someone to try and correlate the alert with the associated activity, as the alert provides very few fields that are in common between the alert & the actual activity events. Is there a plan to extend the application's functionality so that one can export both the alert and activity list to their own SIEM for further processing of the data?

Re: Introducing the new Microsoft Graph Security API add-on for Splunk!
@Michael Sampson - Office 365 Cloud App Security comes with Office 365 Advanced Threat Protection. You can look at the list of products from which you can stream alerts into Splunk using the Microsoft Graph Security add-on at https://aka.ms/graphsecurityalerts. You would need subscriptions to the relevant products to be able to get alerts from these.

Re: Introducing the new Microsoft Graph Security API add-on for Splunk!
@mpras2135 - Thanks for your feedback and questions. I'll respond to each of your questions across multiple comments in this one.

1. The Microsoft Graph Security API add-on uses the API to stream alerts across different sources into Splunk. The Microsoft Graph Security API does not stream logs or traces, as these are pretty verbose to be schematized across various products. For streaming alerts in a unified format and making those available in Splunk, use the Microsoft Graph Security API add-on for Splunk. Based on alert correlations and the need to pull in additional logs and traces, use the Azure Monitor add-on. Hope this clarifies.

2. The activity logs can be made available via the Azure Monitor add-on for Splunk as mentioned in point #1 above. The Microsoft Graph Security alerts have alert-specific information associated with users (logon location, IP, risk score etc.), devices (IP, FQDN, domain etc.), and more - refer to the Microsoft Graph Security alert schema (https://docs.microsoft.com/graph/api/resources/alert?view=graph-rest-1.0) for more details. We are looking into building contextual information about the specific alert entities that we can expose through the Microsoft Graph Security API, but we most likely won't plan to expose complete logs or traces, as those can't really be schematized across different products.

Feel free to reach out to me with specific details on your scenarios at graphsecfeedback_at_microsoft_dot_com and happy to help.

Re: Introducing the new Microsoft Graph Security API add-on for Splunk!
Hi Preeti
We've completed the steps described in your article, but so far we are able to see logs in Splunk from these 3 products (appearing under field name vendorInformation.provider): MCAS, Office 365 Security and Compliance and IPC.
We are still not seeing anything from Azure Security Center, Microsoft Defender Advanced Threat Protection or Azure Information Protection.
Is there anything we need to do in the Azure back end to make these products send alerts to MS Graph?
Thanks in advance.

Re: Introducing the new Microsoft Graph Security API add-on for Splunk!
@Preeti Krishna Thanks for the content.
I have installed this add-on in Splunk Enterprise and gave write access to my customers (Power users), but to my surprise they are not able to edit the app contents (creating new inputs/configuration etc.). Only admin access users are able to edit/create the app inputs. Do we have any restrictions on this app so that only admins can have the access?

Re: Introducing the new Microsoft Graph Security API add-on for Splunk!
@Preeti Krishna In the OData Filter, to filter by product we need to use a filter like "vendorInformation/provider eq 'ASC'". Is there a documented list of the keywords of the product names to be used? I was searching for what I should use for Azure Sentinel; I guess it might be "ASI" but not sure. Can you please point me to where this is documented for other products like Defender ATP.

Re: Introducing the new Microsoft Graph Security API add-on for Splunk!
@joseph2165, you can run this query on Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer) to get a list of alert providers you've subscribed to. Let us know if this works for you.
https://graph.microsoft.com/v1.0/security/alerts?$top=1&$select=vendorInformation

Re: Introducing the new Microsoft Graph Security API add-on for Splunk!
@Chi_Nguyen Thank you for the reply. I understand that we can query the alerts using the API and see the vendorInformation field.
I was just hoping this information is available as a standard document in a clear table.
Ex:
Product Keyword
Azure Security Center -- ASC
Azure Sentinel -- ASI (not sure)
Defender ATP ....
...
It would be useful to standardize the security API usage.

Re: Introducing the new Microsoft Graph Security API add-on for Splunk!
This is a great add-on. I have implemented it and have been mostly successful.
I am, however, struggling with a few of my implementations. In particular, app created, Splunk configured, etc... And Splunk appears to be connected but waiting for data. The data is never received.
It seems to be stuck on [{"_key" : "xxxxxxxx_is_first_time_collecting_events", "state" : "\\"true"\\"}]
Has anyone experienced anything like this and possibly have a resolution?

Re: Introducing the new Microsoft Graph Security API add-on for Splunk!
@bpirone Has the add-on returned any alerts before you noticed this error? Which version of the add-on are you using?

Re: Introducing the new Microsoft Graph Security API add-on for Splunk!
@Chi_Nguyen
Thanks for the response. The add-on (in this instance) has never yielded any alerts. We are using v0.1.1 currently.
It is working for other tenants though. That is why I am not able to pinpoint where the failure is.
Thank you!

Re: Introducing the new Microsoft Graph Security API add-on for Splunk!
@bpirone You may want to check the permissions of your application to make sure it has proper authorization. Are you using app-only or user-delegated API permissions?
In either permissions case, Application or Delegated permissions, you need to have at least the Security Event Read permissions granted by the tenant admin. In the case of Delegated permissions, besides the mentioned permissions, the user needs to be assigned as "Security Reader" by the tenant admin to be able to read the alerts.
For more details, please refer to steps 9-12 of the add-on instructions (https://splunkbase.splunk.com/app/4564/#/details).
If permissions look good, then please check to see if you have any filters set up in your Inputs. Please send a screenshot of your Splunk log with error details if possible.

Re: Introducing the new Microsoft Graph Security API add-on for Splunk!
@Chi_Nguyen
I checked and permissions are correct. I will get the logs. Thanks for the help!
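When an input sits at "waiting for data" although its settings look right, the quickest check is what the access token the add-on obtained actually carries, which is the distinction the reply above draws between app-only and delegated permissions. The following is an added example written for this page (not the add-on's code): it decodes the payload of a Microsoft Graph access token and reports whether it is an application or a delegated token, whether SecurityEvents.Read.All is present, and whether the audience is Graph at all. The tokens it runs on are constructed locally with a junk signature, and make_token and diagnose are hypothetical helpers; the claim names (aud, roles, scp) and Graph's audience values are the real ones.

```python
"""Local check of the access token the add-on presents to Graph. Application
(app-only) permissions appear in the `roles` claim, delegated ones in `scp`.
The payload is decoded without verifying the signature: this is a diagnostic
of what the token says, not a trust decision, so never use it to accept tokens."""
import base64
import json

REQUIRED = "SecurityEvents.Read.All"
# Graph's audience is either its URL or its well-known application ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def b64url_decode(segment):
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token):
    """Payload claims of a compact JWS (header.payload.signature), unverified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def diagnose(token):
    """Say whether /security/alerts should work for this token and, if not, why."""
    claims = jwt_claims(token)
    problems, notes = [], []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append(f"audience {claims.get('aud')!r} is not Microsoft Graph")
    roles = set(claims.get("roles", []))          # application permissions
    scopes = set(claims.get("scp", "").split())   # delegated permissions
    if roles:
        mode = "application"
        if REQUIRED not in roles:
            problems.append(f"app-only token lacks {REQUIRED}: was admin consent granted?")
    elif scopes:
        mode = "delegated"
        if REQUIRED not in scopes:
            problems.append(f"delegated token lacks {REQUIRED}")
        notes.append("delegated flow: the signed-in user also needs the Security Reader "
                     "directory role, which is not visible in this token")
    else:
        mode = "none"
        problems.append("token carries neither roles nor scp: no Graph permission consented")
    return {"mode": mode, "ok": not problems, "problems": problems, "notes": notes}


def make_token(claims):
    """Constructed, unsigned token for offline demonstration (signature is junk)."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}.sig"


# Constructed tokens covering the cases discussed in the thread above.
APP_OK = make_token({"aud": "https://graph.microsoft.com", "roles": [REQUIRED]})
APP_WRONG_ROLE = make_token({"aud": "https://graph.microsoft.com", "roles": ["User.Read.All"]})
DELEGATED = make_token({"aud": "00000003-0000-0000-c000-000000000000",
                        "scp": "SecurityEvents.Read.All User.Read"})
NO_PERMS = make_token({"aud": "https://graph.microsoft.com"})
WRONG_AUD = make_token({"aud": "api://splunk-addon-self", "roles": [REQUIRED]})
```

An app-only token whose admin consent was never granted typically arrives with no roles claim at all rather than an empty one, which is the "none" case here; Graph then answers 403 to the alerts call and the input never receives data. To inspect a real token, paste the value the add-on obtained (never a token copied into a ticket) into diagnose and discard it afterwards.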