Hi,
While using Splunk SOAR we have several apps for several integrations with Azure/Graph. Examples of such apps are: Microsoft 365 Defender, MS Graph for Sharepoint, etc.
However, most of such apps have limited functionality (i.e. they do not have an action for all the possible APIs that can be used).
Hence, in order to use other APIs (not available through the standard apps) we thought to configure the HTTP app with Graph (where we already have an app registration and several permissions - done via Azure).
However when we configure the client_id and the secret_id along with the other parameters we receive the following answer from the app:
This is the asset configuration:
Does anyone know what's wrong with my configuration? Did anyone make it to work?
Thank you in advance!
@drew19 I think with the complexity of Graph I would avoid using the HTTP app. Instead I would advise updating the Graph app itself, as all the authentication etc. is already built into the app.
You can use the IDE to Clone & Update the app to your needs and this would be a lot more future proof.
https://docs.splunk.com/Documentation/SOARonprem/6.1.1/DevelopApps/Overview
Dear @phanTom,
we already evaluated that way. Customizing the Graph app (which app exactly?) is a way we considered already but we do not like it. Customizing the app means to not be subjected to updates of the app itself or, equivalently, it means that we must customize every new version of the app. This is something that we do not prefer.
For what concerns the use of the HTTP app, if you consider that:
We can just translate the problem into: why the HTTP app does not work with OAuth if it says that it is supported?
What seems to be missing in the app, is the possibility to specify a payload for the POST request that retrieves the authentication token. In the following screenshot (taken from the URL reported above), you can observe a sample payload and a sample answer:
For this reason, the question "why the HTTP app does not work with OAuth if it says that it is supported?" becomes "how to specify the payload for the OAuth POST request in the HTTP app?" or, equivalently, "why is there no possibility to specify a payload for the OAuth POST request?"
Thank you in advance!
Hi @drew19
Did you manage to use the HTTP app with Azure authentication?
We opted for the app customization path as @phanTom and it certainly is a pain to maintain if you want to keep tabs with the out-of-the-box app(s). In the end it's just a custom app just as if you made it from scratch with its advantages and issues.
We are using more and more Power Automate since MS integrated proper authentication for their flows and for this matter we just need very simple POST and GET actions, but authenticated. Nothing more and nothing less. I got the same results as you when trying to authenticate.
Creating an additional app, even if this simple, just to pass an additional parameter for OAuth seems like reinventing the wheel.
@Iñigo ,
we finally customized the HTTP app by just using the authentication taken from Graph apps.
In our opinion, there is really no doubt about what is wrong: if you can specify a payload in OAuth and if HTTP supports OAuth, it must definitely provide the option to insert a payload, otherwise we can safely say that the app does not really support OAuth.
However, waiting for Splunk to understand and acknowledge such a thought is like waiting for a miracle, so we proceeded to customize the app.
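The token request this thread revolves around, as an added example that is not part of any post and is not Splunk's or Microsoft's code: it builds the form payload the Microsoft identity platform client-credentials flow expects, reports which parameters a body carrying only the client ID and secret would lack, and validates the JSON answer. The tenant, client ID, secret and sample response are constructed placeholders, and the function names are hypothetical.

```python
import json
import time
import urllib.parse
import urllib.request

# Microsoft identity platform v2.0 token endpoint and the Graph ".default" scope.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
REQUIRED = {"grant_type", "client_id", "client_secret", "scope"}

def build_token_request(tenant, client_id, client_secret, scope=GRAPH_SCOPE):
    """Build (without sending) the client-credentials token POST."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,  # never log the encoded body
        "scope": scope,
    }
    return urllib.request.Request(
        TOKEN_URL.format(tenant=urllib.parse.quote(tenant, safe="")),
        data=urllib.parse.urlencode(form).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )

def missing_fields(form_body):
    """Return the required parameters absent from a token-request body."""
    sent = urllib.parse.parse_qs(form_body.decode("ascii"))
    return sorted(REQUIRED - set(sent))

def parse_token_response(raw, now=None):
    """Check the JSON answer; return (Authorization header, refresh time)."""
    doc = json.loads(raw)
    if "error" in doc:
        raise ValueError(f"{doc['error']}: {doc.get('error_description', '')}")
    if doc.get("token_type", "").lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("response carries no bearer access token")
    now = time.time() if now is None else now
    refresh_at = now + int(doc.get("expires_in", 0)) - 60  # renew 60 s early
    return {"Authorization": "Bearer " + doc["access_token"]}, refresh_at

if __name__ == "__main__":
    # All values below are constructed placeholders, not real credentials.
    req = build_token_request("contoso-tenant-id", "app-client-id", "app-secret")
    print(req.get_method(), req.full_url)
    print(missing_fields(b"client_id=app-client-id&client_secret=app-secret"))
    sample = '{"token_type":"Bearer","expires_in":3599,"access_token":"constructed"}'
    print(parse_token_response(sample, now=1000))
```
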