Splunk® Supported Add-ons

Splunk Add-on for Microsoft Cloud Services


Migrate from the Splunk Add-on for Microsoft Azure

To collect Azure Active Directory data through Azure Event Hubs, migrate from the Splunk Add-on for Microsoft Azure to the Splunk Add-on for Microsoft Cloud Services. Follow these steps:

  1. Install the latest version of Splunk Add-on for Microsoft Cloud Services.
  2. Configure an Active Directory Application in Azure AD for the Splunk Add-on for Microsoft Cloud Services.
  3. Configure a Storage Account in Microsoft Cloud Services.
  4. Connect to your Azure App Account with Splunk Add-on for Microsoft Cloud Services.
  5. Configure Azure Event Hub inputs for the Splunk Add-on for Microsoft Cloud Services.
  6. Run the following search to verify that events are arriving: index=* sourcetype="azure:monitor:*". If you send the data to a dedicated index, replace index=* with that index name.

Source type changes

See the following source type changes from the Splunk Add-on for Microsoft Azure to the Splunk Add-on for Microsoft Cloud Services. All three Azure AD source types map to the single source type azure:monitor:aad, so searches that separated user, sign-in, and audit events by source type must instead use the corresponding MSCS event type:

Azure source type    MSCS event type               MSCS source type
azure:aad:user       mscs_azure_aad_userlogs       azure:monitor:aad
azure:aad:signin     mscs_azure_aad_signinlogs     azure:monitor:aad
azure:aad:audit      mscs_azure_aad_auditlogs      azure:monitor:aad

CIM Field Changes

See the following CIM field changes from the Splunk Add-on for Microsoft Azure to the Splunk Add-on for Microsoft Cloud Services. For each CIM field, the first entry is the extraction used by the Azure add-on and the second is the extraction used by the MSCS add-on. Several Azure add-on extractions read a top-level event field (for example ipAddress) that the Event Hub events carry under properties instead (properties.ipAddress), so those extractions no longer populate the field on the new data; the MSCS extraction is the one that applies after migration.

Vendor Product
  Azure TA extraction: Microsoft Azure Active Directory
  MSCS TA extraction: Azure AD

src
  Azure TA extraction: event field ipAddress (the events carry properties.ipAddress instead, so this extraction no longer populates the field)
  MSCS TA extraction: event field callerIpAddress

src_ip
  Azure TA extraction: event field ipAddress (the events carry properties.ipAddress instead, so this extraction no longer populates the field)
  MSCS TA extraction: event field callerIpAddress

user_agent
  Azure TA extraction: event field UserAgent (the events carry properties.userAgent instead, so this extraction no longer populates the field)
  MSCS TA extraction: event field properties.userAgent

app
  Azure TA extraction: event field appDisplayName (the events carry properties.appDisplayName instead, so this extraction no longer populates the field)
  MSCS TA extraction: event field properties.appDisplayName

dest
  Azure TA extraction: event field resourceDisplayName
  MSCS TA extraction: event field tenantId

enabled
  Azure TA extraction: event field accountEnabled (the events carry provisioningSteps.details.dynamicProperties.accountEnabled instead, so this extraction no longer populates the field)
  MSCS TA extraction: event field provisioningSteps.details.dynamicProperties.accountEnabled

authentication_method
  Azure TA extraction: event field authenticationDetails{}.authenticationMethod (sample values: Previously satisfied, Password)
  MSCS TA extraction: event field properties.isInteractive; if properties.isInteractive is true, the value is Interactive, otherwise nonInteractive

user
  Azure TA extraction: event field userPrincipalName (authentication event), displayName (user event)
  MSCS TA extraction: evaluated expression (trailing backslashes are configuration line continuations):
    case(operationName IN ("Add service principal","Update service principal"),mvindex('properties.targetResources{}.displayName',mvfind('properties.targetResources{}.type',"^ServicePrincipal$")), \
      operationName IN ("Provisioning activity"),'properties.provisioningSteps{}.details.dynamicProperties.userPrincipalName', \
      operationName IN ("Redeem external user invite","Delete external user","Viral user creation"),UPN, \
      like(operationName,"Add member to role in PIM%") OR like(operationName,"Add eligible member to role in PIM%") OR operationName IN ("Add member to role","Add member to group","Add owner to application","Update user","Invite external user","Reset user password","Restore user","Add member to role outside of PIM (permanent)","Change password (self-service)","Reset password (by admin)","Add eligible member to role","Remove eligible member from role","Remove member from group","Change user password"),'properties.targetResources{}.userPrincipalName',operationName IN ("Add device"),'properties.initiatedBy.app.displayName', \
      true(),coalesce('properties.initiatedBy.user.userPrincipalName','properties.userPrincipalName','properties.servicePrincipalName'))

user_id
  Azure TA extraction: event field userPrincipalName (authentication event), displayName (user event)
  MSCS TA extraction: evaluated expression:
    case(isnotnull('properties.servicePrincipalId') AND 'properties.servicePrincipalId' != "", 'properties.servicePrincipalId', \
      true(), 'properties.userId')
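As an added example that is not code from either add-on or from Splunk, the following Python applies the MSCS column of the source type and CIM field tables above to raw Azure AD events in the shape Azure Monitor writes to an Event Hub, including the branch-for-branch case() logic for user, and shows that the old Azure add-on's top-level ipAddress extraction finds nothing on such events. The three sample events are constructed; the UPN field (used as a top-level field) and the location of provisioningSteps under properties are assumptions, and multivalue paths are collapsed to their first value.

```python
"""Apply the azure:monitor:aad CIM mappings from the table above to raw Azure AD
events. Added example, not add-on code; the sample events are constructed."""
import json

# Constructed sample events: a sign-in, a group-membership audit, a service-principal audit.
SAMPLE_EVENTS = [
    json.dumps({"operationName": "Sign-in activity", "category": "SignInLogs",
                "tenantId": "11111111-2222-3333-4444-555555555555",
                "callerIpAddress": "203.0.113.10",
                "properties": {"userPrincipalName": "alice@example.com", "userId": "u-0001",
                               "appDisplayName": "Azure Portal", "ipAddress": "203.0.113.10",
                               "userAgent": "Mozilla/5.0", "isInteractive": True,
                               "servicePrincipalId": ""}}),
    json.dumps({"operationName": "Add member to group", "category": "AuditLogs",
                "tenantId": "11111111-2222-3333-4444-555555555555",
                "callerIpAddress": "198.51.100.7",
                "properties": {"initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
                               "targetResources": [{"type": "User", "userPrincipalName": "bob@example.com"},
                                                   {"type": "Group", "displayName": "Finance"}]}}),
    json.dumps({"operationName": "Add service principal", "category": "AuditLogs",
                "tenantId": "11111111-2222-3333-4444-555555555555",
                "callerIpAddress": "198.51.100.7",
                "properties": {"initiatedBy": {"app": {"displayName": "Provisioning Service"}},
                               "servicePrincipalId": "sp-0042",
                               "targetResources": [{"type": "ServicePrincipal",
                                                    "displayName": "Payroll Connector"}]}}),
]

# Operations whose user is the target resource's UPN (the long IN() list in the table).
TARGET_UPN_OPS = {
    "Add member to role", "Add member to group", "Add owner to application", "Update user",
    "Invite external user", "Reset user password", "Restore user",
    "Add member to role outside of PIM (permanent)", "Change password (self-service)",
    "Reset password (by admin)", "Add eligible member to role", "Remove eligible member from role",
    "Remove member from group", "Change user password"}


def _path(obj, *keys):
    """Walk nested dicts; None (Splunk null) if any hop is missing."""
    for k in keys:
        if not isinstance(obj, dict) or k not in obj:
            return None
        obj = obj[k]
    return obj


def _mv(items, *keys):
    """First value of a 'list{}.a.b' multivalue path (simplification: Splunk keeps all values)."""
    for it in items or []:
        v = _path(it, *keys)
        if v is not None:
            return v
    return None


def mscs_user(ev):
    """The case() expression for 'user' from the table, one branch per clause, first match wins."""
    op = ev.get("operationName", "")
    props = ev.get("properties") or {}
    targets = props.get("targetResources") or []
    if op in ("Add service principal", "Update service principal"):
        # mvindex(displayName, mvfind(type, "^ServicePrincipal$")): the ServicePrincipal target's name
        return next((t.get("displayName") for t in targets if t.get("type") == "ServicePrincipal"), None)
    if op == "Provisioning activity":
        return _mv(props.get("provisioningSteps"), "details", "dynamicProperties", "userPrincipalName")
    if op in ("Redeem external user invite", "Delete external user", "Viral user creation"):
        return ev.get("UPN")  # UPN as named in the table; assumed here to be a top-level field
    if op.startswith(("Add member to role in PIM", "Add eligible member to role in PIM")) or op in TARGET_UPN_OPS:
        return _mv(targets, "userPrincipalName")
    if op == "Add device":
        return _path(props, "initiatedBy", "app", "displayName")
    # true(): coalesce(...) -> actor's UPN, then the event's own UPN, then the service principal name
    for cand in (_path(props, "initiatedBy", "user", "userPrincipalName"),
                 props.get("userPrincipalName"), props.get("servicePrincipalName")):
        if cand is not None:
            return cand
    return None


def mscs_cim_fields(raw_event):
    """CIM fields the MSCS add-on column of the table yields for one raw event."""
    ev = json.loads(raw_event)
    props = ev.get("properties") or {}
    spid = props.get("servicePrincipalId")
    return {
        "vendor_product": "Azure AD",  # listed as "Vendor Product" in the table
        "src": ev.get("callerIpAddress"),
        "src_ip": ev.get("callerIpAddress"),
        "user_agent": props.get("userAgent"),
        "app": props.get("appDisplayName"),
        "dest": ev.get("tenantId"),
        # table path: provisioningSteps.details.dynamicProperties.accountEnabled; assumed under properties
        "enabled": _mv(props.get("provisioningSteps"), "details", "dynamicProperties", "accountEnabled"),
        "authentication_method": "Interactive" if props.get("isInteractive") is True else "nonInteractive",
        "user": mscs_user(ev),
        "user_id": spid if spid not in (None, "") else props.get("userId"),
    }


def legacy_azure_src(raw_event):
    """The Azure add-on's src extraction (top-level ipAddress): on Event Hub events it finds nothing."""
    return json.loads(raw_event).get("ipAddress")


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(json.dumps(mscs_cim_fields(raw), indent=1), "legacy src:", legacy_azure_src(raw))
```

Running the block prints the CIM fields for each sample event; note that the audit event yields no user_id because neither properties.servicePrincipalId nor properties.userId is present on it, which is the kind of gap to check for in dashboards that key on user_id before retiring the old add-on.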
Last modified on 20 July, 2022

This documentation applies to the following versions of Splunk® Supported Add-ons: released

