- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Azure Logs to Splunk Clolud - best way
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi folks,
i know the ways to ingest azure data to splunk.
1 way: Microsoft Graph Security Api Add-On for Splunk.
->You can work with the alerts what you get from the platform right?
2 way: MS Azure Add on for Splunk
-> I get Azrue Ad Data, User Sign ins, Directory Audits and so on from the platform.
3 way: Splunk Add-on for Microsoft Cloud Services
-> Also a way, simial to the 2. way
What did you reccomend to create custom use cases / corelation rules with focus on Azure AD / Identiy? I think 2 or way 3..
Thx a lot and best regards,
Philipp
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Concerning the Azure addon and the MS Cloud addon, essentially it's just different ways to collect the logs. There is some overlap as well as some that are exclusive to each addon. This blog post covers it:
https://www.splunk.com/en_us/blog/tips-and-tricks/getting-microsoft-azure-data-into-splunk.html
Either way will get the roughly the same logs with few exceptions, so choose whichever one makes you happy.
Concerning use cases, the easiest way to build those out would be to use Splunk Security Essentials and adapt the searches to fit your Azure AD logs. The Splunk community has also released an app to help with Azure-specific security data:
Blue Team App for O365/Azure:
https://splunkbase.splunk.com/app/4667/
That should get you started on things to look out for. The Microsoft 365 App will also look at your Azure AD logs and give you dashboards on Geolocation access, suspected scanning, etc.
Hope that helped!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Concerning the Azure addon and the MS Cloud addon, essentially it's just different ways to collect the logs. There is some overlap as well as some that are exclusive to each addon. This blog post covers it:
https://www.splunk.com/en_us/blog/tips-and-tricks/getting-microsoft-azure-data-into-splunk.html
Either way will get the roughly the same logs with few exceptions, so choose whichever one makes you happy.
Concerning use cases, the easiest way to build those out would be to use Splunk Security Essentials and adapt the searches to fit your Azure AD logs. The Splunk community has also released an app to help with Azure-specific security data:
Blue Team App for O365/Azure:
https://splunkbase.splunk.com/app/4667/
That should get you started on things to look out for. The Microsoft 365 App will also look at your Azure AD logs and give you dashboards on Geolocation access, suspected scanning, etc.
Hope that helped!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much 🙂
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
