icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Log4Shell Vulnerability: Information and guidance for you. Get resources.

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Microsoft Sentinel Add-On for Splunk
SHA256 checksum (microsoft-sentinel-add-on-for-splunk_106.tgz) 09782ed8fd535b720ba06571d76647a90770efaeb0e8361bf7cf44569ab6e6f1
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

splunk

Microsoft Sentinel Add-On for Splunk

Splunk Cloud
Overview
Details
Microsoft Sentinel Add-On for Splunk allows Azure Log Analytics and Microsoft Sentinel users to ingest security logs from Splunk platform using the Azure HTTP Data Collector API. Learn more about Microsoft Sentinel at https://aka.ms/microsoftsentinel

Follow the setup and configuration steps in the 'Details' tab of this add-on to use it.

Details on pre-requisites, configuring the add-on and viewing the data in Azure Sentinel is covered in this section.

Background

When you add data to Splunk, the Splunk indexer processes it and stores it in a designated index (either, by default, in the main index or in the one that you identify). Searching in Splunk involves using the indexed data for the purpose of creating metrics, dashboards and alerts. This Splunk add-on triggers an action based on the alert in Splunk. You can use Alert actions to define third-party integrations (like Microsoft Sentinel Log Analytics).

This add-on uses the Azure Log Analytics Data Collector API to send log data to Microsoft Sentinel. All data in the Log Analytics workspace is stored as a record with a particular record type. You can format your data to send to the HTTP Data Collector API as multiple records in JSON. When you submit the data, an individual record is created in the repository for each record in the request payload.

Pre-requisites

  • Onboard Splunk instance(latest release)
  • Get the Log Analytics workspace parameters: Workspace ID and Primary Key from here
  • Install the Microsoft Sentinel Add-on for Splunk

    • In Splunk home screen, on the left side sidebar, click "+ Find More Apps" in the apps list, or click the gear icon next to Apps then select Browse more apps.

    Figure 1. Install Add-On

    • Search for Microsoft Sentinel in the text box, find the Microsoft Sentinel Add-On for Splunk and click Install.
    • After the add-on is installed reboot of Splunk is required, click Restart Now.

Configure the Microsoft Sentinel add-on for Splunk

Refer to Define RealTime Alerts documentation to set up Splunk alerts to send logs to Microsoft Sentinel. To validate the integration, the audit index is used as an example, for an “_audit”- this repository stores events from the file system change monitor, auditing, and all user search history. You can query the data by using index=”_audit” in the search field as illustrated below.

Figure 2. Searching "_audit"

Then use a scheduled or real-time alert to monitor events or event patterns as they happen. You can create real-time alerts with per-result triggering or rolling time window triggering. Real-time alerts can be costly in terms of computing resources, so consider using a scheduled alert, when possible.

Set up alert actions, which can help you respond to triggered alerts. You can enable one or more alert actions. Select “Send to Microsoft Sentinel” action, which appears after you install the Microsoft-Sentinel add-on as shown in the diagram below.

Figure 3. Sending alert to Microsoft Sentinel

Fill in the required parameters as shown in the diagram below:

  • Customer_id: Microsoft Sentinel Log Analytics Workspace ID
  • Shared_key: Microsoft Sentinel Log Analytics Primary Key
  • Log_Type: Microsoft Sentinel custom log name

Note: These parameters are required and will be used by the application to send data to Microsoft Sentinel through the HTTP Data Collector API.

Figure 4. Configuring required parameters

View Splunk Data in Microsoft Sentinel
The logs will go to a custom Microsoft Sentinel table called ‘Splunk_Audit_Events_CL’ as shown below. The table name aligns with the log name provided in the Figure 4 above. It can take few minutes for events to be available.

Figure 5. Splunk data in Azure Sentinel

You can query the data in Microsoft Sentinel using Kusto Query Language (KQL) as shown below.

Splunk_Audit_Events_CL 
 | summarize count() by user_s, action_s
 | render barchart 

When a correlation search included in the Splunk Enterprise Security or added by a user, identifies an event or pattern of events, it creates an incident called notable event. Correlation searches filter the IT security data and correlate across events to identify a particular type of incident (or pattern of events) and then create notable events.
Correlation searches run at regular intervals (for example, every hour) or continuously in real-time and search events for a particular pattern or type of activity. The notable event is stored in a dedicated notable index. You can import all notable events into Azure Sentinel using the same procedure described above.

Figure 6. Splunk Notable Events

The results will be added to a custom Microsoft Sentinel table called ‘Splunk_Notable_Events_CL’ as shown below.

Figure 7. Splunk Notable Events in Azure Sentinel

Release Notes

Version 1.0.6
March 7, 2022

If you are using previous versions, we highly recommend to upgrade to this version. We have made some significant changes in this version to handle timeouts and faster ingestion.
- Name change to Microsoft Sentinel (previously known as Azure Sentinel)
- Added support to send large volumes of data to Microsoft Sentinel
- Added filtering options to choose while configuring “Send to Microsoft Sentinel” trigger Action


Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.