Splunk SOAR

HTTP app and Graph/Azure

drew19
Path Finder

Hi,

while using Splunk SOAR we have several Apps for several integrations with Azure/Graph. Examples of such apps are: Microsoft 365 Defender, MS Graph for Sharepoint, etc.

However, most of such apps have limited functionalities (i.e. thay do not have an action for all the possibile APIs that can be used).

Hence, in order to use other APIs (not available through the standards Apps) we thought to configure the HTTP app with Graph (where we already have an app registration and several permissions - done via Azure).

However when we configure the client_id and the secret_id along with the other parameters we receive the following answer from the app:

drew19_0-1696425839987.png

This is the asset configuration:

drew19_1-1696425884231.png

 

Does anyone know what's wrong with my configuration? Did anyone make it to work?

 

Thank you in advance!

Tags (3)

phanTom
SplunkTrust
SplunkTrust

@drew19 I think with the complexity of Graph I would avoid using the HTTP app. Instead I would advise to update the Graph app itself as all the authentication etc is already built in the app. 

You can use the IDE to Clone & Update the app to your needs and this would be a lot more future proof. 

https://docs.splunk.com/Documentation/SOARonprem/6.1.1/DevelopApps/Overview 

0 Karma

drew19
Path Finder

Dear @phanTom,

we already evaluated that way. Customizing the Graph app (which app exactly?) is a way we considered already but we do not like it. Customizing the app means to not be subjected to updates of the app itself or, equivalently, it means that we must customize every new version of the app. This is something that we do not prefer.

For what concerns the use of the HTTP app, if you consider that:

We can just translate the problem into: why the HTTP app does not work with OAuth if it says that it is supported?

What seems to be missing in the app, is the possibility to specify a payload for the POST request that retrieves the authentication token. In the following screenshot (taken from the URL reported above), you can observe a sample payload and a sample answer:

drew19_1-1696429542595.png

For this reason, the question "why the HTTP app does not work with OAuth if it says that it is supported?" becomes "how to specify the payload for the OAuth POST request in the HTTP app?" or, equivalently, "why there is no possibility to specify a payload for the OAUTH POST request?"

 

Thank you in advance!

0 Karma

Iñigo
Explorer

Hi @drew19 

Did you manage to use the HTTP app with Azure authentication?

We opted for the app customization path as @phanTom and it certainly is a pain to maintain if you want to keep tabs with the out-of-the-box app(s). In the end it's just a custom app just as if you made it from scratch with its advantages and issues.

We are using more and more Power Automate since MS integrated proper authentication for their flows and for this matter we just need very simple POST and GET actions, but authenticated. Nothing more and nothing less. I got the same results as you when trying to authenticate.

Creating an additional app, even if this simple, just to pass an additional parameter for OAuth seems like reinventing the wheel.

0 Karma

drew19
Path Finder

@Iñigo ,

we finally customized the HTTP app by just using the authentication taken from Graph apps.

In our opinion, there is really no doubt about what is wrong: if you can specify a payload in OAuth and if HTTP supports OAuth, it must definetely provide the option to insert a payload, otherwise we can safely say that the app does not support OAuth really.

However, waiting Splunk to understand and acknowledge such thought is like a miracle so we proceeded to customize the app.

Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...