Follow these steps to set up and configure this add-on. It uses the Microsoft Graph Security API to pull security alerts from various Microsoft and partner security products into Splunk in a unified format for further processing.
These steps are needed to authenticate with the Microsoft Graph Security API.
Follow these steps to register a new application:
Select New registration (3).
In the new registration form that opens, enter an application name (4).
Select Register (5).
Next, you'll see the overview page and your app ID (7), and Directory (tenant) ID (8). Copy and save these fields. You will need them later to complete the configuration process.
Click on View API Permissions (9) to display the Graph permissions screen.
In the API Permission screen, click on the Add a permission button (11) and select Microsoft Graph (12).
Next, select Application permissions (13) in the Request API permission pane that opens.
Under Request API permissions, select SecurityEvents.Read.All (14). Then click Add permissions (15).
[This step needs to be completed by the Azure Active Directory tenant admin] Log in to the Azure Portal as the Azure Active Directory Tenant Administrator for your organization and navigate to the App registration/API permissions screen. Click on Grant admin consent for 'the AAD tenant' (16).
Under Certificates & secrets (17), choose New client secret (18). A new secret will be displayed in the Value column. Copy this password – this is the only time you’ll be able to. You will need it later to complete the configuration process.
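Before entering the credentials in Splunk, you can confirm that the registration and admin consent took effect by inspecting the claims of an access token issued to the app. The following is an added example, not part of the add-on: the function names and sample IDs are constructed for illustration, and the token is decoded for inspection only, without signature verification.

```python
import base64
import json
from urllib.parse import urlencode

REQUIRED_ROLE = "SecurityEvents.Read.All"  # permission selected in the steps above
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000001"  # constructed value
SAMPLE_APP = "00000000-0000-0000-0000-000000000002"  # constructed value


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the OAuth 2.0 client-credentials request."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body


def decode_claims(access_token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(access_token, tenant_id, client_id):
    """Return a list of configuration problems; an empty list means none found."""
    claims = decode_claims(access_token)
    problems = []
    if claims.get("tid") != tenant_id:
        problems.append("token issued for a different tenant")
    if client_id not in (claims.get("appid"), claims.get("azp")):
        problems.append("token issued to a different application")
    if REQUIRED_ROLE not in claims.get("roles", []):
        problems.append(f"{REQUIRED_ROLE} missing: permission not added or admin consent not granted")
    return problems


def make_sample_token(claims):
    """Build an unsigned, constructed token for offline testing (not a real token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"
```

POST the form body to the returned URL with your own HTTP client, then pass the `access_token` field of the response to `check_token` along with the Directory (tenant) ID and app ID saved earlier.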
On the Splunk home screen, in the left sidebar, click "+ Find More Apps" in the apps list, or click the gear icon next to Apps then select Browse more apps.
Search for Microsoft Graph Security in the text box, find the Microsoft Graph Security API Add-On for Splunk and click Install. To learn more about where to install this add-on, refer to the Where to install this add-on section below.
If Splunk Enterprise prompts you to restart, do so.
Verify that the add-on appears in the list of apps and add-ons as shown in the diagram below.
NOTE: There are changes in the configuration data inputs with the Microsoft Graph Security Add-on for Splunk version 1.1.0. In the previous Microsoft Graph Security Add-on for Splunk version 0.1.1, Application ID and Client Secret are entered directly under the Inputs tab. In the Microsoft Graph Security Add-on for Splunk version 1.1.0, these app credentials won't appear under the Inputs tab. The app credentials like Application ID and Client Secret need to be entered while creating a new Account in the Configuration tab.
Enter a unique Account Name, Application ID and Client Secret registered in the earlier section Register a new application for the Splunk Add-On.
Navigate to the Inputs page, select Create New Input.
Now you can search and create Splunk dashboards using your Microsoft Graph Security Alerts.
If you have Splunk and relevant add-ons running behind a proxy server, follow these additional steps. Refer to the following diagram for details.
The Add-on will now use your proxy settings.
Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.
See Splunk Cloud install documentation for Splunk Cloud install.
This table provides a reference for installing this specific add-on to a distributed deployment of Splunk.
| Splunk platform component | Supported | Required | Comments |
|---|---|---|---|
| Search Heads | Yes | Yes | This add-on contains search-time knowledge. It is recommended to turn visibility off on your search heads to prevent data duplication errors that can result from running inputs on your search heads instead of (or in addition to) on your data collection node. |
| Heavy Forwarders | Yes | No (but recommended) | It is recommended to install this add-on on a heavy forwarder for data collection. Data collection should be configured in only 1 place to avoid duplicates. |
| Indexers | Yes | No | Not required as the parsing operations occur on the forwarders. |
| Universal Forwarders | No | No | Universal forwarders are not supported for data collection because the modular inputs require Python and the Splunk REST handler. |
NOTE: If you've had the 0.1.1 version installed, a best practice for upgrading the Microsoft Graph Security API add-on for Splunk is to remove your older version before re-installing version 1.1.0 of the Microsoft Graph Security API add-on for Splunk. If you are uninstalling and reinstalling the Microsoft Graph Security API add-on for Splunk, follow the steps for New Installation above.
The following migration guide is supported for upgrading from Microsoft Graph Security API add-on for Splunk version 0.1.1 to Microsoft Graph Security API add-on for Splunk versions 1.1.0 and higher.
If you are upgrading on Splunk Enterprise, follow these steps.
A new screen appears with the standard Splunk Terms to upgrade an app. Click Accept and Continue.
Enter your username and password to log in to the app. Click Login and Continue.
After login, an Overview page appears and the Update button disappears. Follow the instructions in the section for Configuring Microsoft Graph Security data inputs to pull the alerts from Microsoft Graph Security API using the new configuration experience.
Additional changes to support Splunk Cloud
Updates to support Splunk Add-on Builder v4.0.0