Azure Functions for Splunk and Microsoft Graph
A collection of Azure Functions for:
- Managing Microsoft Graph notification subscriptions
- Retrieving data about notifications received from Microsoft Graph subscriptions
- Sending Microsoft Graph resource data to Splunk via HTTP Event Collector
Getting Started
1. Register your application
When you register an application with Azure AD, you are creating an identity configuration. The Azure Functions in this project will use the application for authentication when interacting with the Microsoft Graph API.
Additional information
- Registering an Azure AD application provides a detailed walkthrough
- Application and service principal objects in Azure Active Directory
2. Deploy the functions to Azure
Use the above button to deploy the Azure Functions from this repo to your Azure account. During setup, you will be prompted for the following information:
- Client ID
- Client Secret
- Splunk HTTP Event Collector Endpoint
- Splunk HTTP Event Collector Token
Securing Azure Function settings
Microsoft stores the above values as application settings. These settings are stored encrypted, but you may opt to transfer one or more of these settings to a Key Vault. Refer to the following documentation for details on this procedure:
3. Create a Microsoft Graph subscription
A Microsoft Graph subscription defines where Microsoft should deliver notifications. To create a subscription, execute the create-subscription
function from the Azure Portal.
- Launch the Azure Portal
- Navigate to the Function app section in the portal
- Select the Function app created previously
- Click Functions -> create-subscription
- Note: only callRecords subscriptions are created in this release.
- In the Overview section, click Get Function Url
- Copy the URL and paste it in a new browser tab
Note: you may receive a timeout when executing this function for the first time. In this event, refresh your browser. The reason for this is the
create-subscription
function makes a call to thesubscription-webhook
function which may not be running yet.
- To list subscriptions, execute the
list-subscriptions
function. - To delete a subscription, copy the subscription's ID field and pass it as a query parameter named
subscriptionId
to thedelete-subscription
function.- Example:
https://FUNCTION-APP.azurewebsites.net/api/delete-subscription?code=CODE&subscriptionId=SUBSCRIPTION_ID
- Example:
4. View data in Splunk
Run the following Splunk query
sourcetype="m365:*"
(optional) Download and install the Microsoft 365 App for Splunk
Support
This software is released as-is. Splunk provides no warranty and no support on this software. If you have any issues with the software, please file an issue on the repository.
How it works
- When the
create-subscription
function successfully creates a Microsoft Graph subscription, the subscription ID and expiration date is written to a storage blob. - After a subscribed event occurs, a notification is sent to the
subscription-webhook
. Thesubscription-webhook
commits the data to a notification queue to keep things speedy. - When an event arrives on the notification queue, the
process-notification-queue
function is triggered. This function retrieves the data from Microsoft Graph and forwards the data to Splunk. - Since subscriptions have a short lifespan, the
update-subscriptions
function periodically reads the blobs and will update subscriptions if they are about to expire.