The Microsoft Graph Security API add-on for Splunk is now supported on Splunk Cloud, in addition to Splunk Enterprise, and includes support for Python 3. This support is delivered as an enhancement to the Microsoft Graph Security API add-on for Splunk released last year; refer to the Microsoft Graph Security API add-on for Splunk announcement blog post for further details. The add-on lets customers integrate security alerts and insights from their security products, services, and partners into Splunk. It is built by Microsoft, certified by Splunk, and available on Splunkbase at no additional cost.
This add-on, powered by the Microsoft Graph Security API, supports streaming of alerts from different Microsoft solutions like Microsoft Defender ATP, Azure Sentinel, Azure Security Center, and more into Splunk using a single add-on and common schema, enabling easier correlation of data across these products.
Note: If you have an earlier version of the Microsoft Graph Security API add-on installed on Splunk Enterprise, and upgrade to this version, please follow the upgrade guidance to reconfigure your inputs.
Choose one of these options depending on your scenario.
Scenario: New Installations on Splunk Cloud or Splunk Enterprise
Follow these steps to install and configure this app as a first-time add-on user. Refer to the documentation for more details.
Verify that the add-on appears in the list of apps and add-ons as shown in the diagram below.
Open the Configuration page, select the Account tab, and click Add to create a new account.
Enter a unique Account Name, plus the Application ID and Client Secret from the app registration in steps 1 through 4 above, as shown in the diagram below. The Client Secret is a credential for the registered application, so enter it only here and keep it out of plain-text configuration files and shared notes.
Configure the Microsoft Graph Security data inputs as illustrated in the diagram below, following the detailed guidance in the section Configuring Microsoft Graph Security data input. The add-on can pre-filter the alerts it pulls by alert provider, category, severity, and so on: specify the filter in the OData Filter field as shown in the diagram below.
Now you can use your Microsoft Graph Security alerts for further processing in Splunk, in dashboards, etc.
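As an added example (not code from the add-on or from Microsoft), the following Python script shows what the OData Filter field expresses. It builds a `$filter` string from provider, severity and category lists, applies the same predicate locally to a few constructed sample alerts, and flattens the matches into Splunk-style JSON events with `_time` taken from `createdDateTime`. The property names follow the Graph Security v1.0 alert schema; the helper names, the sample alerts and their provider strings are assumptions made for the example.

```python
"""Added example: what the add-on's OData Filter field expresses, applied locally
to constructed sample alerts and flattened into Splunk-style events.
Property names follow the Microsoft Graph Security v1.0 alert schema; the helper
names, sample alerts and provider strings are assumptions for this example."""
import json
from datetime import datetime, timezone

# Real v1.0 alerts endpoint; the string returned by build_odata_filter() is what
# would be sent as its $filter query parameter.
GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"


def build_odata_filter(providers=(), severities=(), categories=()):
    """Build a $filter value such as the one typed into the OData Filter field."""
    def any_of(field, values):
        parts = []
        for v in values:
            lit = v.replace("'", "''")  # OData string literal: single-quoted, quote doubled
            parts.append(f"{field} eq '{lit}'")
        return "(" + " or ".join(parts) + ")"

    clauses = []
    if providers:
        clauses.append(any_of("vendorInformation/provider", providers))
    if severities:
        clauses.append(any_of("severity", severities))
    if categories:
        clauses.append(any_of("category", categories))
    return " and ".join(clauses)


def alert_matches(alert, providers=(), severities=(), categories=()):
    """Local equivalent of that filter: True if the alert would be ingested."""
    vendor = alert.get("vendorInformation", {})
    if providers and vendor.get("provider") not in providers:
        return False
    if severities and alert.get("severity") not in severities:
        return False
    if categories and alert.get("category") not in categories:
        return False
    return True


def to_splunk_event(alert):
    """Flatten one Graph alert into a JSON event; _time comes from createdDateTime (UTC)."""
    created = datetime.fromisoformat(alert["createdDateTime"].replace("Z", "+00:00"))
    vendor = alert.get("vendorInformation", {})
    return {
        "_time": created.astimezone(timezone.utc).timestamp(),
        "id": alert["id"],
        "provider": vendor.get("provider"),
        "vendor": vendor.get("vendor"),
        "severity": alert.get("severity"),
        "category": alert.get("category"),
        "status": alert.get("status"),
        "title": alert.get("title"),
        "hosts": [h.get("fqdn") for h in alert.get("hostStates", [])],
        "users": [u.get("userPrincipalName") for u in alert.get("userStates", [])],
    }


# Constructed sample alerts (not real data), shaped like Graph Security v1.0 alerts.
# The provider strings are assumed for illustration.
SAMPLE_ALERTS = [
    {"id": "a1", "createdDateTime": "2020-06-01T10:00:00Z", "severity": "high",
     "category": "Malware", "status": "newAlert", "title": "Suspicious process",
     "vendorInformation": {"provider": "Microsoft Defender ATP", "vendor": "Microsoft"},
     "hostStates": [{"fqdn": "ws01.corp.example"}], "userStates": []},
    {"id": "a2", "createdDateTime": "2020-06-01T10:05:00Z", "severity": "low",
     "category": "SuspiciousActivity", "status": "newAlert", "title": "Unfamiliar sign-in",
     "vendorInformation": {"provider": "Azure Sentinel", "vendor": "Microsoft"},
     "hostStates": [], "userStates": [{"userPrincipalName": "alice@corp.example"}]},
    {"id": "a3", "createdDateTime": "2020-06-01T10:07:00Z", "severity": "medium",
     "category": "Malware", "status": "inProgress", "title": "Blocked download",
     "vendorInformation": {"provider": "Azure Security Center", "vendor": "Microsoft"},
     "hostStates": [{"fqdn": "vm-web-1.corp.example"}], "userStates": []},
]


def ingest(alerts, **criteria):
    """Apply the filter locally and return Splunk-ready events, oldest first."""
    kept = [a for a in alerts if alert_matches(a, **criteria)]
    return sorted((to_splunk_event(a) for a in kept), key=lambda e: e["_time"])


if __name__ == "__main__":
    crit = dict(severities=("high", "medium"), categories=("Malware",))
    print("$filter=" + build_odata_filter(**crit))
    for ev in ingest(SAMPLE_ALERTS, **crit):
        print(json.dumps(ev))
```

The same predicate is evaluated on both sides on purpose: the `$filter` string decides what Graph returns, and `alert_matches()` lets you check on a handful of known alerts that the filter you are about to type into the add-on keeps the ones you expect before any data is dropped server-side.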
If you have a version of the add-on lower than this one (1.1.0) installed on Splunk Enterprise, the recommended practice is to remove the older version of the Microsoft Graph Security API add-on for Splunk and then install version 1.1.0 following the guidelines above.
If you are upgrading on Splunk Enterprise, follow these steps.
Disable all your inputs before you upgrade the add-on. Otherwise you may see errors in the log files and lose data for the inputs you have already configured.
In the app list, navigate to the Microsoft Graph Security add-on for Splunk, where an option to upgrade the app appears. Click the Update button.
A new screen appears with the standard Splunk terms for upgrading an app. Click Accept and Continue.
Enter your username and password to log in, then click Login and Continue.
After login, an Overview page appears and the Update button disappears. Follow the instructions in the Configuring Microsoft Graph Security data inputs section of the installation documentation for this add-on to get alerts from the Microsoft Graph Security API using the new configuration experience.
We would love your continued feedback on this add-on. Please share your feedback by filing a GitHub issue.