A new add-on from Microsoft enables customers to easily integrate security alerts and insights from its security products, services, and partners in Splunk Enterprise. The new Splunk add-on is built by Microsoft, certified by Splunk, and is available on Splunkbase at no additional cost.

This add-on, powered by the Microsoft Graph Security API, supports streaming of alerts from the following Microsoft and partner solutions into Splunk using a single add-on and common schema, enabling easier correlation of data across these products:

- Azure Active Directory Identity Protection
- Microsoft Defender Advanced Threat Protection

Note: Security products are continuously onboarded. Refer to the Microsoft Graph Security alerts providers table for the latest product list.

Since the new add-on extends support across a broader set of security products, it will replace the Azure Monitor add-on for Splunk as the preferred method for integrating with the Microsoft Graph Security API.

Getting Started

Follow these steps to install and configure the app. Refer to the documentation for more details.

1. Register your application for this Splunk add-on on the Azure portal. Configure permissions and be sure to add the permission to your application. Get your Azure AD tenant administrator to grant tenant administrator consent to your application. This is a one-time activity unless permissions change for the application.
2. Copy and save your registered Application ID and Directory ID from the Overview page. You will need them later to complete the add-on configuration process as illustrated below.
3. Generate an application secret by going to Certificates & secrets. Save the generated secret as well for add-on configuration purposes.
4. In Splunk, click on Splunk Apps to browse more apps. Search for 'Microsoft Graph Security' and install the Microsoft Graph Security API add-on for Splunk.
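Before entering the saved Application ID, Directory ID and secret into the add-on, it is worth confirming that the registration and the tenant administrator consent actually work. The script below is an added example, not part of the Microsoft add-on or its documentation: it performs the client-credentials token flow against Azure AD and makes one call to the Graph Security alerts endpoint, reading the credentials from environment variables whose names (AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET) are an assumption of this example.

```python
"""Pre-flight check for the Splunk add-on's Azure AD app registration.

Added example, not part of the add-on: acquires a token with the
client-credentials grant using the Application (client) ID, Directory
(tenant) ID and client secret saved during registration, then calls the
Graph Security alerts endpoint once to confirm admin consent was granted.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts?$top=1"


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form-encoded body) for the client-credentials grant."""
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        # .default requests every application permission consented to the app
        "scope": "https://graph.microsoft.com/.default",
    }
    return TOKEN_URL.format(tenant=tenant_id), urllib.parse.urlencode(form)


def interpret_alerts_status(status):
    """Map the HTTP status of the alerts call to a setup diagnosis."""
    if status == 200:
        return "ok: token accepted and the security alerts permission is consented"
    if status == 401:
        return "unauthorized: token rejected, re-check Application ID, Directory ID and secret"
    if status == 403:
        return "forbidden: permission not added or tenant admin consent not granted"
    return f"unexpected HTTP {status}"


def run_check(tenant_id, client_id, client_secret):
    """Acquire a token, call the alerts endpoint and return the diagnosis."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    try:
        with urllib.request.urlopen(url, data=body.encode()) as resp:
            token = json.load(resp)["access_token"]
        req = urllib.request.Request(ALERTS_URL, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return interpret_alerts_status(resp.status)
    except urllib.error.HTTPError as err:
        return interpret_alerts_status(err.code)


if __name__ == "__main__":
    # Credentials come from environment variables (assumed names); the secret is never hard-coded.
    print(run_check(os.environ["AZURE_TENANT_ID"], os.environ["AZURE_CLIENT_ID"],
                    os.environ["AZURE_CLIENT_SECRET"]))
```

A 403 at this step means the add-on will also fail to pull alerts, so the permission and admin consent from step 1 should be fixed before continuing.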