This add-on collects data from Microsoft Azure including the following:

Microsoft Entra ID (formerly Azure Active Directory) Data
- Users - Microsoft Entra ID user data
- Interactive Sign-ins - Microsoft Entra ID sign-ins including conditional access policies and MFA
- Directory audits - Microsoft Entra ID directory changes including old and new values
- Devices - Registered devices
- Groups
- Risk Detection

Microsoft Security Graph API

Topology - IaaS relationships

Azure Security Center
- Alerts
- Tasks

Azure Resource Graph

This add-on contains the following alert actions:
- Stop Azure VM - stops an Azure Virtual Machine.
- Add member to group - adds a user to a group. This can be useful if you need to enable additional policies like MFA based on search results.
- Dismiss Azure Alert - dismisses an Azure Security Center alert.

Version 3.0.0 and later of the Microsoft Azure Add-on for Splunk is compatible only with Splunk Enterprise version 8.0.0 and above.

While this app is not formally supported, the developer can be reached at https://github.com/splunk/splunk-add-on-microsoft-azure/issues. Responses are made on a best-effort basis. Feedback is always welcome and appreciated!