All Apps and Add-ons

How to integrate Microsoft Cloud App security with Splunk

ips_mandar
Builder

Hi
I want to integrate Microsoft Cloud app security with Splunk, is there any add-on available?
Which fields are required to integrate with Splunk and how?
Thanks,

1 Solution

sylbaea
Communicator

Hello,

MS Cloud App security does provide a syslog-based export method:
- as an MS Cloud App admin, you can generate required setup to install an on-premise agent (Java-based) that will periodically download Cloud App security events and then forward to the specified syslog server
- from there, you need to implement custom knowledge object to leverage syslog events... As far as I know, there is currently no TA you can leverage for that

Regards.

View solution in original post

0 Karma

MaverickT
Communicator

Since October 2020 there is add-on available for this matter:

Microsoft Cloud App Security Add-on for Splunk

s207307
New Member

This guidance is currently your best/easiest method for accomplishing what you have outlined (no current App or TA available):
https://docs.microsoft.com/en-us/cloud-app-security/siem

0 Karma

sylbaea
Communicator

Hello,

MS Cloud App security does provide a syslog-based export method:
- as an MS Cloud App admin, you can generate required setup to install an on-premise agent (Java-based) that will periodically download Cloud App security events and then forward to the specified syslog server
- from there, you need to implement custom knowledge object to leverage syslog events... As far as I know, there is currently no TA you can leverage for that

Regards.

View solution in original post

0 Karma

ips_mandar
Builder

Thanks @sylbaea

0 Karma

ips_mandar
Builder

Hi @sylbaea ,
How can I get data from Syslog server into splunk? Can you please help me ..

0 Karma

sylbaea
Communicator

this is a very wide topic... you can either setup Splunk as a syslog server (not recommend if you do have a lot of traffic) either you can index the data of a dedicated syslog server. There is not universal solution, it depends on your needs and environment.

You can search here, it has already been discussed a lot:
https://answers.splunk.com/answers/75667/splunk-as-a-syslog-server.html
https://answers.splunk.com/answers/28680/universal-forwarder-vs-dedicated-rsyslog-syslog-ng-servers-...

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!