Microsoft Azure Add on for Splunk
Overview
Details
* Azure AD Data
- Users - Azure AD user data
- Sign-ins - Azure AD sign-ins including conditional access policies and MFA
- Directory audits - Azure AD directory changes including old and new values
*Event Hubs - generic Event Hub collector
* Metrics
* Estimated billing and consumption
* Inventory metadata
- Resource Groups - Resource group configuration
- Virtual Machines - VM, Disk, Image, and Snapshot configurations
- Virtual Networks - VNET, NSG, and Public IP configurations
- Managed Disks
- Subscriptions - Subscription name, ID, and type
- Topology - IaaS relationships
* Azure Security Center
- Alerts
- Tasks
* Azure Resource Graph
Microsoft Azure Add-on for Splunk
This add-on collects data from Microsoft Azure including the following:
- Azure AD Data
- Users - Azure AD user data
- Sign-ins - Azure AD sign-ins including conditional access policies and MFA
- Directory audits - Azure AD directory changes including old and new values
- Event Hubs - generic Event Hub collector
- Metrics
- Estimated billing and consumption
- Inventory metadata
- Resource Groups - Resource group configuration
- Virtual Machines - VM, Disk, Image, and Snapshot configurations
- Virtual Networks - VNET, NSG, and Public IP configurations
- Managed Disks
- Subscriptions - Subscription name, ID, and type
- Topology - IaaS relationships
- Azure Security Center
- Alerts
- Tasks
- Azure Resource Graph
About
- Version: 2.0.2
- Vendor Products:
- Microsoft Azure Active Directory Sign-ins, Audit, and Users
- Microsoft Azure Consumption API
- Microsoft Azure Virtual Machine API, Disks API, Network Watcher API
- Splunk platform versions: 6.6 and later
- Platforms: Unbuntu or Darwin for Event Hubs. All other inputs are platform independent
- Visible: Yes, this add-on contains configuration
Prerequisites
- An active Azure Subscription
- For Azure Active Directory Sign-in data, an Azure Active Directory Premium P1 or P2 edition
- An Azure Active Directory Application
Required APIs and Permissions
Azure/O365 Add-on Required Permissions
Installing
Where to install this add-on
Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.
This table provides a reference for installing this specific add-on to a distributed deployment of Splunk Enterprise.
| Splunk platform component | Supported | Required | Comments |
|---|---|---|---|
| Search Heads | Yes | Yes | This add-on contains search-time knowledge. It is recommended to turn visibility off on your search heads to prevent data duplication errors that can result from running inputs on your search heads instead of (or in addition to) on your data collection node. |
| Heavy Forwarders | Yes | No (but recommended) | It is recommended to install this add-on on a heavy forwarder for data collection. Data collection should be configured in only 1 place to avoid duplicates. |
| Indexers | Yes | No | Not required as the parsing operations occur on the forwarders. |
| Universal Forwarders | No | No | Universal forwarders are not supported for data collection because the modular inputs require Python and the Splunk REST handler. |
Configuration
Ensure the prerequisites are met above.
- Most inputs require an Azure AD application registration. Refer to the in-app documentation for details on setting this up.
CIM Compliance
Version 4.13.0
- Authentication model
- Azure AD sign-in events
- Inventory model
- Azure AD user events
- User model
- Azure AD user events
Troubleshooting
- Refer to the Troubleshooting menu in the add-on.
Release Notes
2.0.2
- Added a check for number of threads in the metrics input to ensure no more than 25 threads can be specified. This is a necessary check for Splunk Cloud.
2.0.1
- Added Instance View collection for Virtual Machines. Instance View keeps track of the provisioning and power state of Virtual Machines.
- Fixed an issue with Security Center Alerts and Tasks retrieving duplicate records.
2.0.0
- This add-on was formerly known as the Azure Active Directory Add-on for Splunk. The following other add-ons have been consolidated into this updated add-on:
- Microsoft Azure Active Directory Add-on for Splunk
- Microsoft Azure Metadata Inventory Add-on for Splunk
- Microsoft Azure Billing Add-on for Splunk
- The following inputs have been added to this add-on:
- Event Hubs
- Metrics
- Resource Graph
- Resource Reservation Recommendations
Privacy
Use of this add-on is permitted subject to your obligations, including data privacy obligations, under your agreement with Splunk and Splunk's Privacy Policy.
Contributors
- Jason Conger
- Ryan Lait
- Johnny Blizzard
Third-party software attributions
Refer to the README.md file included in this package for details.
Release Notes
Version 2.0.2
Added a check for number of threads in the metrics input to ensure no more than 25 threads can be specified. This is a necessary check for Splunk Cloud.
Version 2.0.1
* Added Instance View collection for Virtual Machines. Instance View keeps track of the provisioning and power state of Virtual Machines.
* Fixed an issue with Security Center Alerts and Tasks retrieving duplicate records.
Version 2.0.0
Consolidates the following add-ons into this one add-on:
- Microsoft Azure Billing Add-on for Splunk
- Microsoft Azure Active Directory Add-on for Splunk
- Microsoft Azure Metadata Inventory Add-on for Splunk
Added inputs for the following:
- Event Hubs
- Metrics
- Resource Graph
- Reservation Recommendations