A new add-on from Microsoft enables customers to easily integrate security alerts and insights from its security products, services, and partners in Splunk Enterprise. The new Splunk add-on is built by Microsoft, certified by Splunk, and is available on Splunkbase at no additional cost.
This add-on, powered by the Microsoft Graph Security API, supports streaming of alerts from the following Microsoft and partner solutions into Splunk using a single add-on and common schema, enabling easier correlation of data across these products:
Since the new add-on extends support across a broader set of security products, it will replace the Azure Monitor add-on for Splunk as the preferred method for integrating with the Microsoft Graph Security API.
Follow these steps to install and configure the app. Refer to the documentation for more details.
Copy and save your registered Application ID and Directory ID from the Overview page. You will need them later to complete the add-on configuration, as illustrated below.
Figure: Application registration
Generate an application secret by going to Certificates & secrets. Save the generated secret as well; you will need it to configure the add-on.
In Splunk, click on Splunk Apps to browse more apps.
If Splunk Enterprise prompts you to restart, do so.
Verify that the add-on appears in the list of apps and add-ons, as shown in the diagram below.
Figure: Microsoft Graph Security add-on for Splunk
Configure the Microsoft Graph Security data inputs shown in the diagram below, following the detailed guidance in the add-on's installation documentation. The add-on can pre-filter the alerts it pulls, for example by alert provider, category, or severity, by setting the OData Filter field shown in the diagram.
Figure: Add-on input configuration
Now you can use your Microsoft Graph Security alerts for further processing in Splunk, in dashboards, etc.
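To make the configuration steps above concrete, here is an added stand-alone example (not the add-on's own code, nor Microsoft's) of the flow the add-on performs: it exchanges the Directory ID, Application ID and secret for a token with the OAuth2 client-credentials grant, then pages through `https://graph.microsoft.com/v1.0/security/alerts` with an OData `$filter` of the kind typed into the OData Filter field. The `build_filter` helper shows how provider, category and a minimum severity combine into one expression and how string literals are quoted so that a stray apostrophe cannot alter the filter. The endpoint URLs, scope, `@odata.nextLink` paging and the `alertSeverity` values are the real Graph API ones; the HTTP transport is injectable, and `_constructed_transport`, the placeholder IDs, the provider name "Example Provider" and the alert records are constructed for offline use.

```python
"""Added example: token + filtered, paged alert pull as the Splunk add-on does it.
The transport is injectable so the module also runs offline on constructed data."""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional, Sequence

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
SEVERITIES = ["unknown", "informational", "low", "medium", "high"]  # ascending

# transport(method, url, body, headers) -> parsed JSON body
Transport = Callable[[str, str, Optional[bytes], Dict[str, str]], dict]

def urllib_transport(method: str, url: str, body: Optional[bytes],
                     headers: Dict[str, str]) -> dict:
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))

def odata_str(value: str) -> str:
    """Quote an OData string literal; a literal single quote is doubled so
    untrusted text (e.g. a provider name) cannot break out of the filter."""
    return "'" + value.replace("'", "''") + "'"

def build_filter(providers: Sequence[str] = (), categories: Sequence[str] = (),
                 min_severity: Optional[str] = None) -> str:
    """any listed provider AND any listed category AND severity >= min_severity."""
    clauses: List[str] = []
    if providers:
        clauses.append("(" + " or ".join(
            "vendorInformation/provider eq " + odata_str(p) for p in providers) + ")")
    if categories:
        clauses.append("(" + " or ".join(
            "category eq " + odata_str(c) for c in categories) + ")")
    if min_severity is not None:
        if min_severity not in SEVERITIES:
            raise ValueError(f"unknown severity {min_severity!r}")
        wanted = SEVERITIES[SEVERITIES.index(min_severity):]
        clauses.append("(" + " or ".join(
            "severity eq " + odata_str(s) for s in wanted) + ")")
    return " and ".join(clauses)

def get_token(tenant_id: str, client_id: str, client_secret: str,
              transport: Transport = urllib_transport) -> str:
    """Client-credentials grant: Directory ID = tenant, Application ID = client_id."""
    form = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "scope": GRAPH_SCOPE, "grant_type": "client_credentials"}).encode("ascii")
    data = transport("POST", TOKEN_URL.format(tenant=tenant_id), form,
                     {"Content-Type": "application/x-www-form-urlencoded"})
    return data["access_token"]

def iter_alerts(token: str, odata_filter: str = "", page_size: int = 100,
                transport: Transport = urllib_transport) -> Iterator[dict]:
    """Yield alerts page by page, following @odata.nextLink until it is absent."""
    params = {"$top": str(page_size)}
    if odata_filter:
        params["$filter"] = odata_filter
    url: Optional[str] = ALERTS_URL + "?" + urllib.parse.urlencode(
        params, quote_via=urllib.parse.quote)
    headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    while url:
        page = transport("GET", url, None, headers)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def _constructed_transport(method: str, url: str, body: Optional[bytes],
                           headers: Dict[str, str]) -> dict:
    """Constructed stand-in for the network: canned token, two made-up alert pages."""
    if method == "POST":
        return {"token_type": "Bearer", "access_token": "constructed-token"}
    def alert(i: int, sev: str) -> dict:
        return {"id": f"constructed-alert-{i}", "severity": sev, "category": "Malware",
                "vendorInformation": {"provider": "Example Provider"}}
    if "skiptoken" in url:
        return {"value": [alert(3, "high")]}
    return {"value": [alert(1, "medium"), alert(2, "high")],
            "@odata.nextLink": ALERTS_URL + "?$skiptoken=constructed-page-2"}

def offline_demo() -> Dict[str, object]:
    """Run the whole flow against the constructed transport and report the result."""
    flt = build_filter(providers=["Example Provider"], categories=["Malware"],
                       min_severity="medium")
    token = get_token("DIRECTORY-ID-PLACEHOLDER", "APPLICATION-ID-PLACEHOLDER",
                      "SECRET-PLACEHOLDER", transport=_constructed_transport)
    alerts = list(iter_alerts(token, flt, transport=_constructed_transport))
    return {"filter": flt, "alert_ids": [a["id"] for a in alerts]}

if __name__ == "__main__":
    print(json.dumps(offline_demo(), indent=2))
```

Against a real tenant, pass the registered IDs and secret to `get_token` with the default `urllib_transport`; the same `$filter` string produced by `build_filter` is what you would paste into the add-on's OData Filter field. Filtering at the source rather than in Splunk keeps the pull small and avoids indexing alerts you will never search.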
We are working to enable support for this add-on on Splunk Cloud. We would love to hear your feedback on this add-on so that we can factor that before making it available on Splunk Cloud. Please share your feedback by filing a GitHub issue.