This add-on provides natural access to the field names of events delivered through Azure Event Hubs, in conjunction with the Splunk Add-on for Microsoft Cloud Services.
No extra field extractions are added and no CIM mapping is performed.
Instead it uses SEDCMDs to safely restructure the Event Hub message format. This way Splunk keeps JSON parsing intact (KV_MODE=json) while processing overhead and field-name clutter are reduced. Because only minor changes are made to how data is indexed, upcoming schema changes by Microsoft (new fields) are supported automatically.
Using this add-on will give the following advantages:
- Direct access to field names as designed by the original backend format, before the data was sent to Event Hub (for example, no more body.properties or body.records.properties prefix in field names)
- Removes unnecessary fields from Event Hub messages (x-opt-sequence-number, x-opt-offset and x-opt-enqueued-time)
- Data ingested via Event Hub is easier to interpret because the original field names are kept. SPL searches and detections are easier to write because field names stay in their original format.
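As an added example (not code from the add-on or this listing), the following Python prototype applies SEDCMD-style rules to a constructed Event Hub envelope to show the rewrite described above: the x-opt-* bookkeeping fields are dropped and the body/properties wrapper is unwrapped, and the result is checked to still be valid JSON so that KV_MODE=json parsing keeps working. The sample event, the rule set and the assumed message layout (one event per line, "body" as the first key, x-opt-* keys after it, "properties" as the last key inside the body) are assumptions made for illustration, not the add-on's actual configuration.

```python
"""Prototype Splunk-style SEDCMD rewrites of an Event Hub envelope.

Added example, not code from the add-on. The envelope below is a constructed
sample shaped like a Defender Streaming API message wrapped by an Event Hub
input ("body" plus x-opt-* fields); the SEDCMD rules are illustrative and
assume the layout described in the comments, not the add-on's own rules.
"""
import json
import re

# Constructed sample event: one Advanced Hunting record inside the Event Hub
# envelope. With KV_MODE=json Splunk would name the fields
# body.properties.DeviceName, x-opt-offset, and so on.
RAW_EVENT = (
    '{"body": {"time": "2024-05-01T10:00:00Z", '
    '"tenantId": "00000000-0000-0000-0000-000000000000", '
    '"category": "AdvancedHunting-DeviceProcessEvents", '
    '"properties": {"DeviceName": "ws01.example.internal", '
    '"FileName": "cmd.exe", "ProcessId": 4711}}, '
    '"x-opt-sequence-number": 42, "x-opt-offset": "4096", '
    '"x-opt-enqueued-time": "2024-05-01T10:00:01Z"}'
)

# Illustrative rules in props.conf SEDCMD syntax (s/regex/replacement/flags).
# Assumptions: one event per line, "body" is the first key, the x-opt-* keys
# follow it, and "properties" is the last key inside the body.
SEDCMDS = [
    # 1. drop the Event Hub bookkeeping fields (string or number values)
    r's/,\s*"x-opt-[a-z-]+":\s*(?:"[^"]*"|[^,}]+)//g',
    # 2. unwrap {"body": {...}} into {...}
    r's/^\{"body":\s*//',
    r's/\}$//',
    # 3. hoist the keys under "properties" to the top level
    r's/,\s*"properties":\s*\{/, /',
    r's/\}\}$/}/',
]

# Only the substitute command is supported; '/' inside regex or replacement
# must be escaped as '\/', as in props.conf.
_SED_RE = re.compile(r'^s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/([gi]*)$')


def parse_sedcmd(rule: str):
    """Split s/regex/replacement/flags into its three parts."""
    m = _SED_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported SEDCMD: {rule}")
    regex, repl, flags = m.groups()
    # Python's re uses the same \1 group references as SEDCMD replacements
    return regex.replace(r'\/', '/'), repl.replace(r'\/', '/'), flags


def apply_sedcmds(event: str, rules) -> str:
    """Apply each rule in order, as Splunk applies SEDCMD-* settings to the raw event."""
    for rule in rules:
        regex, repl, flags = parse_sedcmd(rule)
        count = 0 if 'g' in flags else 1          # 'g' replaces every match
        re_flags = re.IGNORECASE if 'i' in flags else 0
        event = re.sub(regex, repl, event, count=count, flags=re_flags)
    return event


def rewrite_and_validate(event: str, rules=SEDCMDS) -> dict:
    """Rewrite the event and prove the result still parses as JSON."""
    rewritten = apply_sedcmds(event, rules)
    try:
        return json.loads(rewritten)
    except json.JSONDecodeError as exc:
        # A rule that breaks the JSON would stop KV_MODE=json extraction
        raise ValueError(f"SEDCMD rules broke JSON: {rewritten!r}") from exc


if __name__ == "__main__":
    before = json.loads(RAW_EVENT)
    after = rewrite_and_validate(RAW_EVENT)
    print("before:", sorted(before))                       # body, x-opt-*
    print("before (nested):", sorted(before["body"]["properties"]))
    print("after: ", sorted(after))                        # original field names
```

Running the script prints the top-level field names before and after the rewrite. In Splunk the same rules would be placed as `SEDCMD-<name>` settings in the props.conf stanza of the Event Hub sourcetype; the JSON check in `rewrite_and_validate` is the test worth running before deploying any rule change, because a rule that breaks the JSON stops automatic field extraction for the whole event.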
Supports Azure Event Hubs messages sent by:
* Microsoft 365 Defender Streaming API - Advanced Hunting telemetry such as DeviceAlertEvents, DeviceProcessEvents, DeviceNetworkInfo, DeviceLogonEvents, DeviceEvents, DeviceTvmSoftwareVulnerabilitiesKB, etc.
* Azure Blade monitor logs - Azure platform telemetry such as AuditLogs, SignInLogs, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, ManagedIdentitySignInLogs, RiskyUsers, UserRiskEvents, etc.
Categories
Security, Fraud & Compliance