Splunk® Supported Add-ons

Splunk Add-on for Microsoft Cloud Services

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Migrate from the Splunk Add-on for Microsoft Azure

To collect Azure Active Directory data using an Azure Event Hub, migrate from the Splunk Add-on for Microsoft Azure to the Splunk Add-on for Microsoft Cloud Services. See the following steps:

  1. Install the latest version of Splunk Add-on for Microsoft Cloud Services.
  2. Configure an Active Directory Application in Azure AD for the Splunk Add-on for Microsoft Cloud Services.
  3. Configure a Storage Account in Microsoft Cloud Services.
  4. Connect to your Azure App Account with Splunk Add-on for Microsoft Cloud Services.
  5. Configure Azure Event Hub inputs for the Splunk Add-on for Microsoft Cloud Services.
  6. Run the following search to verify data collection: index=* sourcetype="azure:monitor:*".

Source type changes

See the following source type changes from the Splunk Add-on for Microsoft Azure to the Splunk Add-on for Microsoft Cloud Services:

Azure source type MSCS event type MSCS source type
azure:aad:user mscs_azure_aad_userlogs azure:monitor:aad
azure:aad:signin mscs_azure_aad_signinlogs azure:monitor:aad
azure:aad:audit mscs_azure_aad_auditlogs azure:monitor:aad

CIM field changes

See the following CIM Field Changes from the Splunk Add-on for Microsoft Azure to the Splunk Add-on for Microsoft Cloud Services:

CIM field The Splunk Add-on for Microsoft Azure Extraction The Splunk Add-on for MSCS Extraction
Vendor Product Microsoft Azure Active Directory Azure AD
src Event field: ipAddress

Instead of ipAddress, properties.ipAddress was found. So assume the current add-on field is not getting extracted.

Event field: callerIpAddress
src_ip Event field: ipAddress

Instead of ipAddress, properties.ipAddress was found. So assume the current add-on field is not getting extracted.

Event field: callerIpAddress
user_agent Event field: UserAgent

Instead of UserAgent, properties.userAgent was found. So assuming in the current add-on field is not getting extracted.

Event field: properties.userAgent
app Event field: appDisplayName

Instead of appDisplayName we found properties.appDisplayName. So assuming in the current TA field is not getting extracted.

Event field: properties.appDisplayName
dest Event field: resourceDisplayName Event field: tenantId
enabled Event field: accountEnabled

Instead of accountEnabled we found provisioningSteps.details.dynamicProperties.accountEnabled. So assume the current TA field is not getting extracted.

Event field: provisioningSteps.details.dynamicProperties.accountEnabled
authentication_method Event field: authenticationDetails{}.authenticationMethod

Sample values: Previously satisfied, Password

Event field: properties.isInteractive

If properties.isInteractive is true, then it is Interactive. Otherwise, it is nonInteractive.

user Event Field: userPrincipalName (Authentication Event), displayName(User event) case(operationName IN ("Add service principal","Update service principal"),mvindex('properties.targetResources{}.displayName',mvfind('properties.targetResources{}.type',"^ServicePrincipal$")), \ operationName IN ("Provisioning activity"),'properties.provisioningSteps{}.details.dynamicProperties.userPrincipalName', \ operationName IN ("Redeem external user invite","Delete external user","Viral user creation"),UPN, \ like(operationName,"Add member to role in PIM%") OR like(operationName,"Add eligible member to role in PIM%") OR operationName IN ("Add member to role","Add member to group","Add owner to application","Update user","Invite external user","Reset user password","Restore user","Add member to role outside of PIM (permanent)","Change password (self-service)","Reset password (by admin)","Add eligible member to role","Remove eligible member from role","Remove member from group","Change user password"),'properties.targetResources{}.userPrincipalName',operationName IN ("Add device"),'properties.initiatedBy.app.displayName', \ true(),coalesce('properties.initiatedBy.user.userPrincipalName','properties.userPrincipalName','properties.servicePrincipalName'))
user_id Event Field: userPrincipalName (Authentication Event), displayName(User event) case(isnotnull('properties.servicePrincipalId') AND 'properties.servicePrincipalId' != "", 'properties.servicePrincipalId', \ true(), 'properties.userId')

Configure an Active Directory Application in Azure AD for the Splunk Add-on for Microsoft Cloud Services

To gather data from the Windows Azure Service Management APIs, you must first create an active directory application in Azure AD.

Follow the instructions in the Microsoft documentation to create an active directory application: Use portal to create an Azure Active Directory application and service principal that can access resources for either your Azure portal or Azure Government portal.

When prompted, select or enter the following parameters:

  • Client ID: Required for Azure App account.
    • Copy this value. You need this value and a valid secret key to connect to your account from the add-on.
  • Key: Required for Azure App account.
    • Copy this value to a secure location as soon as the Azure AD admin console displays it.
  • Tenant ID: Required for Azure App account.
    • Copy this value for the future use.
  • Set the following permissions in the API Permissions > Add a permission page of the Azure Active Directory Application configuration. These permissions are required for the specific inputs for the Splunk Add-on for Microsoft Cloud Services.
Splunk Input Name API Description Permissions Type
Azure KQL Log Analytics Log Analytics API Read Log Analytics data Data.Read Application


Grant the Active Directory Application Read Access

After creating the Active Directory Application, login to either the Azure portal or the Azure Government portal , and perform the following steps:

  1. Navigate to Home > Subscriptions.
  2. Select the active subscription that you want to use from the Subscription Name column.
  3. Select Access control (IAM)
  4. Click Role assignments
  5. Click the Add role assignment button.
  6. In the Add role assignment menu, perform the following steps:
    1. Select Reader from the Role dropdown menu.
    2. Select User, group, or service principal from the Assign access to dropdown menu, if it has not already been selected.
    3. Select your Active Directory Application from the Select menu.
  7. Save your changes.

You must have a Premium P1 Active Directory level edition or higher to perform this operation. See Use portal to create an Azure Active Directory application and service principal that can access resources for more information.

Last modified on 27 September, 2023
PREVIOUS
Upgrade the Splunk Add-on for Microsoft Cloud Services 		  NEXT
Configure an active directory application in Azure Active Directory for the Splunk Add-on for Microsoft Cloud Services

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters