Introducing the new Microsoft Graph Security API add-on for Splunk!

Published 08-21-2019 02:16 PM
Microsoft

A new add-on from Microsoft enables customers to easily integrate security alerts and insights from its security products, services, and partners in Splunk Enterprise. The new Splunk add-on is built by Microsoft, certified by Splunk, and is available on Splunkbase at no additional cost.


This add-on, powered by the Microsoft Graph Security API, supports streaming of alerts from the following Microsoft and partner solutions into Splunk using a single add-on and common schema, enabling easier correlation of data across these products:

  1. Azure Security Center
  2. Azure Active Directory Identity Protection
  3. Microsoft Cloud App Security
  4. Microsoft Defender Advanced Threat Protection
  5. Azure Advanced Threat Protection
  6. Office 365 Advanced Threat Protection
  7. Azure Information Protection (preview)
  8. Azure Sentinel (preview)
  9. Palo Alto Networks

Note: Security products are continuously onboarded; refer to the Microsoft Graph Security alert providers table for the latest product list.


Since the new add-on extends support across a broader set of security products, it will replace the Azure Monitor add-on for Splunk as the preferred method for integrating with the Microsoft Graph Security API.

Getting Started

Follow these steps to install and configure the add-on. Refer to the documentation for more details.

  1. Register an application for this Splunk add-on in the Azure portal.
  2. Configure API permissions and be sure to add the SecurityEvents.Read.All permission to your application. Have your Azure AD tenant administrator grant tenant-wide admin consent to the application. This is a one-time activity unless the application's permissions change.
  3. Copy and save the registered Application (client) ID and Directory (tenant) ID from the Overview page. You will need both later to complete the add-on configuration.
  4. Generate an application secret under Certificates & secrets. Save the generated secret value as well for the add-on configuration; the portal shows it only once, and it is a credential that grants read access to every alert in the tenant, so handle it accordingly.
  5. In Splunk, click Splunk Apps to browse more apps.
  6. Search for 'Microsoft Graph Security' and install the Microsoft Graph Security API add-on for Splunk.
  7. If Splunk Enterprise prompts you to restart, do so.
  8. Verify that the add-on appears in the list of apps and add-ons.
  9. Configure the Microsoft Graph Security data inputs as per the detailed guidance in the installation documentation for this add-on. The add-on can pre-filter your data by alert provider, alert category, severity, and so on: enter an OData expression in the OData Filter field (for example, vendorInformation/provider eq 'ASC' restricts the input to Azure Security Center alerts).
  10. Now you can use your Microsoft Graph Security alerts for further processing in Splunk, in dashboards, etc.
  11. If Splunk and the relevant add-ons run behind a proxy server, follow the additional steps for Splunk behind a Proxy Server in the installation documentation for this add-on.
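The steps above, carried through as an added example in Python. This is not the add-on's own code (the add-on's source is not shown on this page); it assumes the v1.0 /security/alerts endpoint and the Azure AD client-credentials token endpoint, and the provider keywords, alert records and field names in the sample are constructed for illustration. It shows the three things the add-on configuration hides: the OData filter string the OData Filter field takes, paging through @odata.nextLink, and flattening the nested alert into the dotted field names (such as vendorInformation.provider) that a Splunk search keys on.

```python
"""Added example: build and consume Microsoft Graph Security alert requests.
Not the add-on's code; endpoint paths are real, sample data is constructed."""
import json
import urllib.parse
import urllib.request

GRAPH_ALERTS = "https://graph.microsoft.com/v1.0/security/alerts"
# Alert severity enum from the Graph Security alert schema, in rank order.
SEVERITY_RANK = {"unknown": 0, "informational": 1, "low": 2, "medium": 3, "high": 4}


def build_filter(providers=(), min_severity=None, since=None):
    """Compose the OData $filter expression the add-on's OData Filter field takes.
    Provider keywords ('ASC', 'MCAS', ...) are whatever vendorInformation/provider
    returns in your tenant; `since` is an ISO-8601 UTC timestamp."""
    clauses = []
    if providers:
        clauses.append("(" + " or ".join(
            f"vendorInformation/provider eq '{p}'" for p in providers) + ")")
    if min_severity:
        floor = SEVERITY_RANK[min_severity]
        wanted = [s for s, rank in SEVERITY_RANK.items() if rank >= floor]
        clauses.append("(" + " or ".join(f"severity eq '{s}'" for s in wanted) + ")")
    if since:
        clauses.append(f"createdDateTime gt {since}")
    return " and ".join(clauses)


def build_url(filter_expr="", top=50):
    """URL-encode the query; '$', '/' and quotes stay literal so the URL is readable."""
    params = {"$top": str(top)}
    if filter_expr:
        params["$filter"] = filter_expr
    return GRAPH_ALERTS + "?" + urllib.parse.urlencode(
        params, safe="$/'", quote_via=urllib.parse.quote)


def get_app_token(tenant_id, client_id, client_secret):
    """Client-credentials grant for the app registered in steps 1-4 (app-only
    permissions). Live network call; not exercised in the offline sample."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    req = urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def fetch_alerts(first_url, token, opener=None):
    """Yield alerts, following @odata.nextLink until the server omits it.
    `opener` maps a URL to a parsed JSON page so the function runs offline."""
    url = first_url
    while url:
        if opener is not None:
            page = opener(url)
        else:
            req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
            with urllib.request.urlopen(req) as resp:
                page = json.load(resp)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def flatten_alert(alert):
    """Project a nested alert onto flat, Splunk-style dotted field names."""
    vendor = alert.get("vendorInformation") or {}
    user = (alert.get("userStates") or [{}])[0]
    host = (alert.get("hostStates") or [{}])[0]
    return {
        "id": alert.get("id"),
        "title": alert.get("title"),
        "severity": alert.get("severity"),
        "status": alert.get("status"),
        "category": alert.get("category"),
        "createdDateTime": alert.get("createdDateTime"),
        "vendorInformation.provider": vendor.get("provider"),
        "vendorInformation.vendor": vendor.get("vendor"),
        "userStates.userPrincipalName": user.get("userPrincipalName"),
        "hostStates.fqdn": host.get("fqdn"),
    }


def collect(first_url, token="", opener=None):
    """Return (flattened events, sorted distinct provider keywords seen)."""
    events = [flatten_alert(a) for a in fetch_alerts(first_url, token, opener)]
    seen = {e["vendorInformation.provider"] for e in events} - {None}
    return events, sorted(seen)


# Constructed two-page response standing in for the live API (not tenant data).
PAGE2_URL = GRAPH_ALERTS + "?$top=2&$skiptoken=page2"
SAMPLE_PAGES = {
    build_url(top=2): {"value": [
        {"id": "a1", "title": "Impossible travel activity", "severity": "medium",
         "status": "newAlert", "category": "ImpossibleTravel",
         "createdDateTime": "2019-08-21T10:00:00Z",
         "vendorInformation": {"provider": "MCAS", "vendor": "Microsoft"},
         "userStates": [{"userPrincipalName": "alice@contoso.example"}]},
        {"id": "a2", "title": "Suspicious process executed", "severity": "high",
         "status": "newAlert", "category": "Execution",
         "createdDateTime": "2019-08-21T10:05:00Z",
         "vendorInformation": {"provider": "ASC", "vendor": "Microsoft"},
         "hostStates": [{"fqdn": "vm01.contoso.example"}]}],
        "@odata.nextLink": PAGE2_URL},
    PAGE2_URL: {"value": [
        {"id": "a3", "title": "Sensitive file shared externally", "severity": "low",
         "status": "inProgress", "category": "DataExfiltration",
         "createdDateTime": "2019-08-21T10:07:00Z",
         "vendorInformation": {"provider": "IPC", "vendor": "Microsoft"}}]},
}
```

Running `collect(build_url(top=2), opener=SAMPLE_PAGES.get)` walks both constructed pages and returns the provider set ASC, IPC and MCAS; swap in a real token from `get_app_token` and drop `opener` to hit the live tenant. Note that the Graph Explorer query with $top=1 mentioned in the comments returns a single alert, so it shows only one provider; enumerating providers needs the paging shown here.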

What’s Next?

We are working to enable support for this add-on on Splunk Cloud. We would love to hear your feedback on this add-on so that we can factor it in before making it available on Splunk Cloud. Please share your feedback by filing a GitHub issue.

16 Comments
Occasional Contributor

Thanks for the insight @Preeti_Krishna. Does support for Microsoft Cloud App Security automagically include support for Office 365 Cloud App Security as well, or is that a separate item that might be added in the future? 

Occasional Visitor

Thanks for the post. The Azure Monitor add-on for Splunk is used for pulling AAD audit and sign-in logs, whereas the Microsoft Graph Security API add-on for Splunk seems to pull only security events from various Microsoft security products, so I am wondering how this one can replace the Azure Monitor add-on unless you are planning to expose AAD sign-in and audit events as well. Please advise.

Occasional Visitor
The app is only importing the alerts from the said security products but not the activity associated with the alert; it's tedious for someone to try and correlate the alert with the associated activity, as the alert provides very few fields that are common to both the alert and the actual activity events. Is there a plan to extend the application's functionality so that one can export both the alert and the activity list to their own SIEM for further processing of the data?
Microsoft

@Michael Sampson - Office 365 Cloud App Security comes with Office 365 Advanced Threat Protection. You can look at the list of products of which you can stream alerts into Splunk using the Microsoft Graph Security add-on @ https://aka.ms/graphsecurityalerts . You would need subscriptions to the relevant products to be able to get alerts from these. 

Microsoft

@mpras2135 - Thanks for your feedback and questions. I'll respond to each of your questions in this one comment.

1. The Microsoft Graph Security API add-on uses the API to stream alerts across different sources into Splunk. The Microsoft Graph Security API does not stream logs or traces, as these are too verbose to be schematized across various products. To stream alerts in a unified format and make them available in Splunk, use the Microsoft Graph Security API add-on for Splunk. Based on alert correlations and the need to pull in additional logs and traces, use the Azure Monitor add-on. Hope this clarifies.


2. The activity logs can be made available via Azure Monitor add-on for Splunk as mentioned in point #1 above. The Microsoft Graph Security alerts have alert specific information associated with users (logon location, IP, risk score etc.), devices (IP, FQDN, domain etc.), and more - refer to the Microsoft Graph Security alert schema for more details. We are looking into building contextual information about the specific alert entities that we can expose through the Microsoft Graph Security API, but we most likely won't plan to expose complete logs or traces as those can't be really schematized across different products. 


Feel free to reach out to me with specific details on your scenarios at graphsecfeedback_at_microsoft_dot_com and happy to help. 

Occasional Visitor

Hi Preeti
We've completed the steps described in your article, but so far we are able to see logs in Splunk from these 3 products (appearing under field name vendorInformation.provider): MCAS, Office 365 Security and Compliance and IPC.
We are still not seeing anything from Azure Security Center, Microsoft Defender Advanced Threat Protection or Azure Information Protection.
Is there anything we need to do in the Azure back end to make these products to send alerts to MS Graph?
Thanks in advance.

Occasional Visitor
@Preeti_Krishna Thanks for the content.

I have installed this add-on in Splunk Enterprise and gave write access to my customers (power users), but to my surprise they are not able to edit the app contents (creating new inputs/configuration, etc.). Only users with admin access are able to edit/create the app inputs. Is there a restriction on this app that only admins can have that access?
Occasional Contributor

@Preeti_Krishna In the OData Filter to filter by product, we need to use a filter like "vendorInformation/provider eq 'ASC' ", is there a documented list of the keywords of the product names to be used. I was searching for what I should use for Azure Sentinel, I guess it might be "ASI" but not sure. Can you please point me to where this is documented for other products like Defender ATP.

Microsoft

@Joseph-Abraham , you can run this query on Graph Explorer to get a list of alert providers you've subscribed to. Let us know if this works for you.

https://graph.microsoft.com/v1.0/security/alerts?$top=1&$select=vendorInformation

Occasional Contributor

@Chi_Nguyen  Thank you for the reply, I understand that we can query the alerts using the api and see the vendorinformation field.
I was just hoping if this information is available as a standard document in a clear table.
Ex:,
Product Keyword
Azure Security Center -- ASC
Azure Sentinel -- ASI(not sure)
Defender ATP ....
...
It would be useful to standardize the security api usage.

Senior Member

This is a great add-on. I have implemented it and have been mostly successful.
I am, however, struggling with a few of my implementations. In particular: app created, Splunk configured, etc., and Splunk appears to be connected but waiting for data. The data is never received.

It seems to be stuck on [{"_key" : "xxxxxxxx_is_first_time_collecting_events", "state" : "\\"true"\\"}]


Has anyone experienced anything like this and possibly have an resolution?

Microsoft

@bpirone Has the add-on returned any alerts before you noticed this error? Which version of the add-on are you using? 

Senior Member

@Chi_Nguyen 

Thanks for the response. The add on (in this instance) has never yielded any alerts. We are using v0.1.1 currently. 
It is working for other tenants though. That is why I am not able to pinpoint where the failure is.


Thank you!

Microsoft

@bpirone You may want to check the permissions of your application to make sure it has proper authorization. Are you using App-Only or UserDelegated API permissions?

In either permissions case, Application or Delegated Permissions, you need to have at least the Security Event Read permissions granted by the tenant admin. In the case of Delegated Permissions, besides the mentioned permissions, the user needs to be assigned as “Security Reader” by the tenant admin to be able to read the alerts.

For more details, please refer to step 9-12 of the add-on instructions.


If permissions look good, then please check to see if you have any filters set up in your Inputs. Please send a screenshot of your Splunk log with error details if possible.
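The permission check suggested in the reply above, as an added example that is not part of the thread or the add-on: decode the access token the add-on obtained and look at the permission claims. It assumes a Microsoft Graph v2.0 token layout (application permissions in the `roles` claim, delegated scopes in `scp`, audience either the Graph URL or the Graph application ID); the token in the sample is constructed and unsigned. This is a troubleshooting aid, not validation: it does not verify the signature, and for delegated tokens it cannot see whether the user also holds the Security Reader directory role.

```python
"""Added example: inspect a Graph access token for SecurityEvents.* permissions.
Decodes the JWT payload only; no signature verification (Graph does that)."""
import base64
import json

ALERT_READ = {"SecurityEvents.Read.All", "SecurityEvents.ReadWrite.All"}
# Audiences a token for Microsoft Graph carries (URL form or Graph's app ID).
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment):
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt):
    """Return the payload claims of a compact JWT (header.payload.signature)."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def alert_read_status(claims):
    """Return (ok, reason) for reading /security/alerts with this token."""
    aud = claims.get("aud")
    if aud not in GRAPH_AUDIENCES:
        return False, f"token not issued for Microsoft Graph (aud={aud!r})"
    roles = set(claims.get("roles", []))          # app-only: granted app permissions
    scopes = set(claims.get("scp", "").split())   # delegated: consented scopes
    if roles & ALERT_READ:
        return True, "app-only: " + ", ".join(sorted(roles & ALERT_READ))
    if scopes & ALERT_READ:
        return True, "delegated: scope present; user must also be Security Reader"
    return False, "no SecurityEvents.* permission in token; re-check admin consent"


def make_unsigned_jwt(payload):
    """Constructed, unsigned token for offline use (empty signature segment)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(payload) + "."
```

With a real token, call `alert_read_status(token_claims(access_token))`; a `False` result with "no SecurityEvents.* permission" usually means admin consent was never granted (step 2 of the post), while a wrong audience means the token was requested for a resource other than Graph.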

Senior Member

@Chi_Nguyen 

I checked and permissions are correct. I will get the logs. Thanks for the help!
