This blog describes how Azure Sentinel can be used in a Side-by-Side approach with Splunk.
As enterprises consume more and more cloud services, there is a growing need for a cloud-native SIEM. This is where Azure Sentinel comes into play, with the following advantages:
Easy collection from cloud sources
Effortless infinite scale
Integrated automation capabilities
Continually maintained cloud and on-premises use cases, enhanced with Microsoft threat intelligence (TI) and machine learning (ML)
Microsoft research and ML capabilities
Avoid sending cloud telemetry downstream
There are several best-practice integration options for operating Azure Sentinel Side-by-Side:
Upstream to sentinel
Downstream from Sentinel
Microsoft Graph Security API and PowerShell
This blog post focuses on ingesting Azure Sentinel alerts into Splunk by using the Microsoft Graph Security API.
The Microsoft Graph Security API provides a unified interface and schema to integrate with security solutions from Microsoft and ecosystem partners. This empowers customers to streamline security operations and better defend against increasing cyber threats. The Microsoft Graph Security API federates queries to all onboarded security providers and aggregates responses.
Usually an enterprise that has already decided on Splunk has a running environment. The primary reason for adding this part is to use the installation steps to build a lab environment or for evaluation purposes.
In my environment I decided to use an Ubuntu server and build it in Azure.
In Manage Apps, click Install app from file, select the previously downloaded file microsoft-graph-security-api-add-on-for-splunk_011.tgz, and click Upload.
Once the app is installed, a restart of Splunk is required; click Restart Now.
After the restart, the Microsoft Graph Security API Add-On for Splunk can be used to ingest Azure Sentinel alerts into Splunk.
Preparation Steps in Splunk
Now it is time to configure the app to connect to the Microsoft Graph Security API.
In the Splunk portal, click Microsoft Graph Security Add-on for Splunk.
Click Create New Input.
Configure the input settings with the values noted from the registered Azure AD app (Azure AD Application ID, Azure AD Application Secret and Tenant ID). An OData filter can be used to restrict which alerts are pulled, if required (see Link); for example, to receive only Azure Sentinel alerts use /security/alerts?$filter=vendorInformation/provider eq 'Azure Sentinel'.
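As an added illustration (not code from this post or from the Splunk add-on), the Python below builds the same filtered Graph Security API request the add-on issues and shows how one page of the response could be flattened into Splunk HTTP Event Collector events carrying the sourcetype used later in this post. The response page is constructed sample data; token acquisition and the HTTP call itself are left out.

```python
import json
from datetime import datetime, timezone
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"

def alerts_url(provider="Azure Sentinel", top=50):
    """Same OData filter as in the input settings, percent-encoded as Graph expects."""
    flt = f"vendorInformation/provider eq '{provider}'"
    return f"{GRAPH}/security/alerts?$filter={quote(flt)}&$top={top}"

def iso_to_epoch(ts):
    """Graph timestamps are UTC and may carry 7 fractional digits; keep whole seconds."""
    base = ts.rstrip("Z").split(".")[0]
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def to_hec_events(page, sourcetype="GraphSecurityAlert"):
    """Flatten one response page into HEC-style events; return (events, nextLink)."""
    events = []
    for a in page.get("value", []):
        vendor = a.get("vendorInformation", {})
        if vendor.get("provider") != "Azure Sentinel":
            continue  # defensive: skip anything the server-side filter did not exclude
        events.append({
            "time": iso_to_epoch(a["createdDateTime"]),
            "sourcetype": sourcetype,
            "event": {"id": a["id"], "title": a.get("title"),
                      "severity": a.get("severity"), "status": a.get("status"),
                      "provider": vendor.get("provider")},
        })
    return events, page.get("@odata.nextLink")  # follow nextLink until it is absent

# Constructed sample page in the shape of a v1.0 /security/alerts response (not real data)
SAMPLE_PAGE = json.loads("""{
  "@odata.nextLink": "https://graph.microsoft.com/v1.0/security/alerts?$skip=50",
  "value": [
    {"id": "alert-0001", "title": "Suspicious sign-in", "severity": "high",
     "status": "newAlert", "createdDateTime": "2021-03-01T10:15:00.1234567Z",
     "vendorInformation": {"provider": "Azure Sentinel", "vendor": "Microsoft"}},
    {"id": "alert-0002", "title": "Alert from another product", "severity": "low",
     "status": "newAlert", "createdDateTime": "2021-03-01T11:00:00Z",
     "vendorInformation": {"provider": "Other Provider", "vendor": "Microsoft"}}
  ]
}""")

if __name__ == "__main__":
    print(alerts_url())
    print(json.dumps(to_hec_events(SAMPLE_PAGE)[0], indent=2))
```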
Using Azure Sentinel alerts in Splunk
Once the ingestion has run, you can query the data by entering sourcetype=GraphSecurityAlert in the search field.
You can now see that Splunk is connected to the Microsoft Graph Security API and is ingesting Azure Sentinel alerts.
We just walked through the process of standing up Azure Sentinel Side-by-Side with Splunk. In this way, you can use Azure Sentinel to enrich alerts from your cloud workloads, providing additional context and prioritization, before they are ingested into Splunk. This helps you address your cloud security gaps while maintaining your existing SIEM.