Integrate Microsoft Graph Security API with Splunk

The Microsoft Graph Security API Add-On for Splunk lets you ingest all of your organization's security alerts into Splunk through the Microsoft Graph Security API.

Register a new application for the Splunk TA

The add-on authenticates to the Microsoft Graph Security API as an application (client credentials flow), so it needs its own app registration in Azure AD. The steps below register the application and collect the values the add-on configuration will ask for.

  1. Sign in to the Azure portal (https://portal.azure.com/).
  2. Select App registrations and click New registration.
  3. Enter a name for the application.
  4. Under Supported account types, choose who should be able to use the application. For a Splunk integration that only reads your own tenant, the single-tenant option is sufficient.
  5. After registering, the Overview page shows the Application (client) ID and the Directory (tenant) ID. Copy and save both values; they are needed to complete the configuration.
  6. Click API permissions in the left-hand menu to open the Graph API permissions page.
  7. Click Add a permission and select Microsoft Graph.
  8. Select Application permissions in the Request API permissions panel and add the permission that allows reading security alerts (SecurityEvents.Read.All). Application permissions take effect only after an administrator grants admin consent for the tenant, so do that before testing.
  9. Open Certificates & secrets and create a new client secret. The secret value is shown only once, so copy it immediately and treat it as a credential: together with the client ID it grants read access to every security alert in the tenant.

Download:-

Steps:

1. Visit Splunkbase: https://splunkbase.splunk.com/app/4564

2. Log in with your Splunk credentials.

3. Download the add-on package.

Installation:-

1. On the Splunk home screen, click the gear icon next to Apps in the left-hand sidebar.

2. Click Install app from file.

3. Select the package downloaded from Splunkbase.

4. If Splunk Enterprise prompts you to restart, do so.

Add-on Configuration:-

1. Open the Microsoft Graph Security API Add-on.

2. Navigate to the Configuration page, select the Account tab, then click Add to create an account.

3. Enter a unique Account Name, then the Application (client) ID and the client secret saved during app registration.

4. Click Add.

Proxy Configuration:-

If Splunk reaches the internet through a proxy, enter the proxy details on the Proxy tab. A TLS-intercepting proxy is also the most common reason for the certificate error covered in the Troubleshooting section below.

Inputs:-

1. Navigate to the Inputs page and select Create New Input.

2. Enter a unique name for the data input.

3. Set the polling interval in seconds (300 in this walkthrough).

4. Select the index that will store the alerts.

5. Enter the Azure Tenant ID saved during app registration.

6. [Optional] Set an OData filter if you only want a subset of alerts, for example alerts of a given severity.

7. For App Account, select the account created on the Configuration page.

8. Click Add.

9. Now search the chosen index for the new data.

In this walkthrough the search returns nothing: no data is being retrieved. Let's troubleshoot and resolve the issue.
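Before troubleshooting, it helps to see what the input does on every interval. The Python below is an added example, not the add-on's own code: it requests an app-only token with the client ID, secret and tenant ID, queries /security/alerts with an OData $filter that starts at the last checkpoint (which is what makes an interval cheap to run), follows @odata.nextLink, and turns each alert into a timestamped JSON event. The token and alerts endpoints are Microsoft's real ones; the use of urllib instead of the add-on's bundled requests, the function names, and the two sample pages served by sample_http_get are mine, and that sample data is constructed.

```python
"""Added example: the alerts pull that the add-on's input performs each interval.

Assumptions (not from the page): urllib stands in for the add-on's bundled
requests library, and SAMPLE_PAGES is constructed test data.
"""
import json
import ssl
import urllib.parse
import urllib.request
from datetime import datetime, timezone

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts"


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials grant: the app-only token the add-on authenticates with."""
    url = TOKEN_URL.format(tenant=tenant_id)
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }
    return url, urllib.parse.urlencode(body).encode()


def build_alerts_url(since=None, extra_filter=None, top=100):
    """Alerts query with an OData $filter: a createdDateTime checkpoint so a poll
    only fetches what is new ('ge' rather than 'gt' so alerts created in the
    checkpoint second are not skipped; de-duplicate by id downstream), combined
    with any user-supplied filter such as the optional one on the input page."""
    clauses = []
    if since is not None:
        clauses.append("createdDateTime ge " + since.strftime("%Y-%m-%dT%H:%M:%SZ"))
    if extra_filter:
        clauses.append("(" + extra_filter + ")")
    params = {"$top": str(top), "$orderby": "createdDateTime asc"}
    if clauses:
        params["$filter"] = " and ".join(clauses)
    return ALERTS_URL + "?" + urllib.parse.urlencode(params, safe="$")


def parse_graph_time(value):
    """Graph timestamps are UTC ISO 8601 and may carry seven fractional digits."""
    base, _, frac = value.rstrip("Z").partition(".")
    parsed = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    micro = int((frac + "000000")[:6]) if frac else 0
    return parsed.replace(microsecond=micro, tzinfo=timezone.utc)


def collect_alerts(url, token, http_get):
    """Follow @odata.nextLink until the result set is exhausted."""
    headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    alerts = []
    while url:
        page = http_get(url, headers)
        alerts.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return alerts


def to_splunk_events(alerts):
    """One JSON event per alert, timestamped from createdDateTime. The returned
    checkpoint is the newest alert time, the lower bound for the next poll."""
    events, newest = [], None
    for alert in alerts:
        created = parse_graph_time(alert["createdDateTime"])
        events.append({"time": created.timestamp(), "event": json.dumps(alert, sort_keys=True)})
        newest = created if newest is None or created > newest else newest
    return events, newest


def urllib_http_get(url, headers):
    """Real transport, with certificate verification left on (default context)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=30) as resp:
        return json.load(resp)


# Constructed sample: two pages shaped like the API's responses, linked by nextLink.
SAMPLE_PAGES = {
    "page1": {
        "value": [{"id": "a1", "createdDateTime": "2024-01-01T00:00:05.1234567Z", "severity": "high"}],
        "@odata.nextLink": "page2",
    },
    "page2": {
        "value": [{"id": "a2", "createdDateTime": "2024-01-01T00:00:09Z", "severity": "medium"}],
    },
}


def sample_http_get(url, headers):
    """Offline stand-in for urllib_http_get that serves SAMPLE_PAGES."""
    assert headers["Authorization"].startswith("Bearer ")
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    alerts = collect_alerts("page1", "example-token", sample_http_get)
    events, checkpoint = to_splunk_events(alerts)
    print(len(events), "alerts; next poll would use", build_alerts_url(since=checkpoint))
```

Against the real API, replace sample_http_get with urllib_http_get and pass the access_token from the token response; the rest of the loop is unchanged, which is the point: the only thing that changes between a working and a failing poll is the TLS handling inside the transport.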

Troubleshooting:-

Search the _internal index for the add-on's error log.

The error shows that TLS certificate verification is failing: the certificate presented to the add-on is not trusted by its CA bundle (typically because an intercepting proxy or a private CA sits in the path), so the request is refused and no data is fetched.

As a quick way to confirm the diagnosis, disable certificate verification.

Note:- With verification off, the add-on will talk to anything that answers on port 443 and hand it the client secret and bearer token, so do this only to confirm the cause. In a production deployment, install the proxy's or private CA's certificate into the CA bundle the add-on uses and leave verification on.

Steps:-

1. Open an SSH session (PuTTY, for example) to the instance where the Microsoft Graph Security Add-on is installed.

2. Go to
/opt/splunk/etc/apps/TA-microsoft-graph-security-add-on-for-splunk/bin/ta_microsoft_graph_security_add_on_for_splunk/requests

3. Open session.py, search for self.verify and change True to False.

This disables certificate verification for the add-on's HTTP requests. Save the file; the next poll should return data and the search should show alerts. Keep in mind that the edit lives inside the add-on's bundled requests library, so upgrading the add-on will overwrite it.
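For comparison, the Python below is an added example (not from the add-on) that puts the TLS policy produced by the session.py edit next to the alternative: a context that verifies against a CA bundle containing the intercepting proxy's certificate, built with the proxy handling that usually accompanies it. It uses urllib rather than the add-on's bundled requests, and cafile and proxy_url are placeholder values you would supply.

```python
"""Added example: the TLS policy the session.py edit removes, and the alternative.

Assumptions (not from the page): urllib stands in for the add-on's bundled
requests; cafile and proxy_url are hypothetical values supplied by the reader.
"""
import ssl
import urllib.request


def make_ssl_context(cafile=None, insecure=False):
    """cafile=None trusts the system store; cafile=<bundle> trusts that bundle
    (for example the default bundle with the proxy's CA appended). insecure=True
    reproduces self.verify = False: no chain validation and no hostname check."""
    ctx = ssl.create_default_context(cafile=cafile)
    if insecure:
        ctx.check_hostname = False  # must be cleared before verify_mode can change
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_policy(ctx):
    """Label a context so the weak and the corrected setting can be compared."""
    if ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname:
        return "verified"
    return "UNVERIFIED: client secret and bearer token exposed to a man-in-the-middle"


def bundle_is_loadable(cafile):
    """Check the bundle before pointing the add-on at it: a missing or empty
    file would otherwise surface as the same certificate verification error."""
    try:
        ssl.create_default_context(cafile=cafile)
        return True
    except OSError:  # FileNotFoundError and ssl.SSLError are both OSError subclasses
        return False


def make_opener(ctx, proxy_url=None):
    """urllib opener that verifies TLS with ctx and, if given, tunnels through the
    proxy configured on the add-on's Proxy tab."""
    handlers = [urllib.request.HTTPSHandler(context=ctx)]
    if proxy_url:
        handlers.append(urllib.request.ProxyHandler({"https": proxy_url}))
    return urllib.request.build_opener(*handlers)


def opener_proxies(opener):
    """Proxy mapping the opener will use (empty if none was configured)."""
    for handler in opener.handlers:
        if isinstance(handler, urllib.request.ProxyHandler):
            return dict(handler.proxies)
    return {}


if __name__ == "__main__":
    print("default context :", tls_policy(make_ssl_context()))
    print("session.py edit :", tls_policy(make_ssl_context(insecure=True)))
    print("proxy-ca bundle :", bundle_is_loadable("/etc/ssl/certs/proxy-ca-bundle.pem"))
```

The verified context plus a bundle that includes the proxy's issuing CA is the production-grade equivalent of the session.py edit: the add-on keeps working behind the intercepting proxy without giving up the guarantee that it is talking to Microsoft.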

I hope you liked this post. For more posts like this, make sure to subscribe or follow. Thank you, see you in the next post, and if you have any questions feel free to ask.
