August 21, 2019

The following is provided from Microsoft Security and Compliance blogs at TechCommunity:

A new add-on from Microsoft enables customers to easily integrate security alerts and insights from its security products, services, and partners in Splunk Enterprise. The new Splunk add-on is built by Microsoft, certified by Splunk, and is available on Splunkbase at no additional cost.


This add-on, powered by the Microsoft Graph Security API, supports streaming of alerts from the following Microsoft and partner solutions into Splunk using a single add-on and common schema, enabling easier correlation of data across these products:

  1. Azure Security Center
  2. Azure Active Directory Identity Protection
  3. Microsoft Cloud App Security
  4. Microsoft Defender Advanced Threat Protection
  5. Azure Advanced Threat Protection
  6. Office 365 Advanced Threat Protection
  7. Azure Information Protection (preview)
  8. Azure Sentinel (preview)
  9. Palo Alto Networks

Note: Security products are continuously onboarded; Refer to the Microsoft Graph Security alerts providers table for the latest product list.


Since the new add-on extends support across a broader set of security products, it will replace the Azure Monitor add-on for Splunk as the preferred method for integrating with the Microsoft Graph Security API.

Getting Started

Follow these steps to install and configure the app. Refer to the documentation for more details.

  1. Register your application for this Splunk add-on on Azure portal.
  2. Configure permissions and be sure to add the SecurityEvents.Read.All permission to your application. Get your Azure AD tenant administrator to grant tenant administrator consent to your application. This is a one-time activity unless permissions change for the application.
  3. Copy and save your registered Application ID and Directory ID from the Overview page. You will need them later to complete the add-on configuration process as illustrated below. Registration_Process_Overview.pngApplication registration
  4. Generate an application secret by going to Certificates & secrets Save the generated secret as well for add-on configuration purposes.
  5. In Splunk, click on Splunk Apps to browse more apps.
  6. Search for ‘Microsoft Graph Security’ and install Microsoft Graph Security API add-on for Splunk
  7. If Splunk Enterprise prompts you to restart, do so.
  8. Verify that the add-on appears in the list of apps and add-ons as shown in the diagram below.  splunk_homepage.PNGMicrosoft Graph Security add-on for Splunk
  9. Configure Microsoft Graph Security data inputs illustrated in the diagram below as per the detailed guidance in the installation documentation for this add-on. This add-on provides the capability to pre-filter your data by specific alert providers or by alert category or severity, etc. by specifying the OData Filter field as shown in the diagram below.  new_input.PNGAdd-on input configuration
  10. Now you can use your Microsoft Graph Security alerts for further processing in Splunk, in dashboards, etc.

  11. If you have Splunk and relevant add-ons running behind a proxy server, follow the additional steps for Splunk behind a Proxy Server in the installation documentation for this add-on.

What’s Next?

We are working to enable support for this add-on on Splunk Cloud. We would love to hear your feedback on this add-on so that we can factor that before making it available on Splunk Cloud. Please share your feedback by filing a GitHub issue

The above was provided from Microsoft Security and Compliance blogs at TechCommunity

You May Also Like…