All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Microsoft Defender Advanced Hunting Add-on for Splunk: Is it possible to use storage account instead of event hub?

MAHA
Explorer
‎12-27-2021 04:13 AM

Hi,

The Eventhub capacity limited therefore we ask if we can also use an storage account to ingest the data via this addon?

In the details of this addon is described that eventhub is used:

Microsoft Defender Advanced Hunting Add-on for Splunk | Splunkbase

 

Kind regards

Labels (1)
Labels
Reply

MAHA
Explorer
‎12-27-2021 07:36 AM

We do not follow them, because the eventhub is capacity limited therfore we try it with an storage account.

I thought I wrote that in the beginning already?

 

Therefore it make no sense to read an eventhub support site if we use an storage account. But on the end the same json are ingested so we wait until the app is onboarded. Then I connect back to you.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎12-27-2021 06:12 AM

Hi @MAHA ... this is kind of new app and i am not much sure, but, still trying to help you with some troubleshooting steps.. 


>> The Eventhub capacity limited therefore.

on the Azure you meant?

 

The app details suggests 2 ways to ingest data.. pls suggest how you are ingesting data.. 

Install and use one of these two Splunk add-ons to ingest the data:

  1. Splunk Add-on for Microsoft Cloud Services (https://splunkbase.splunk.com/app/3110/)

  2. Microsoft Azure Add on for Splunk (https://splunkbase.splunk.com/app/3757/)

0 Karma
Reply

MAHA
Explorer
‎12-27-2021 06:25 AM

Hi,

Yes on Azure the capacity is limited.

 

Sorry I forgot that we use Splunk Add-on for Microsoft Cloud Services. But in future we can also use Azure Add-on so on the end it is unimportant for us. But both are for eventhub. I am not sure if the format from Storage account to an eventhub is the same or not.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎12-27-2021 06:45 AM

Sure, got it, understood your situation bit more now.

1. the installation steps, the step 2 lists this page.. 

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/raw-data-export-event-hub?...

on this page, which steps you followed,.. 

2. i hope you use Splunk Cloud, if yes, you could contact Splunk Cloud Support team, they should be able to help you with this request. 

 

0 Karma
Reply

MAHA
Explorer
‎12-27-2021 07:16 AM

Hi,

No we do not use Splunk Cloud we use on-premise installation.

I do not understand your link.

How this helps me to check if your parsing work works also if the data come instead of an eventhub from an storage account?

 

Our problem is that retention from Eventhub is limited to capacity which means in our world that data will be deleted after 4h. So make it more resistant we want to use our own retention with an storage account.

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎12-27-2021 07:33 AM

I do not understand your link.

On the app's details at:
https://splunkbase.splunk.com/app/5518/#/details

it got the installation method, right (12 steps of installation procedure), in that, the 2nd step gives this link..
may i know if you followed the steps on this Microsoft page, was there any issues you faced, please suggest, thanks. 

 

 

0 Karma
Reply

MAHA
Explorer
‎01-10-2022 05:34 AM

I saw your link but this is not a microsoft thing.

It is a question for this addon. 🙂

From Microsoft side I didn't found any table about the format between event hub and storage account.

Therefore I ask here in the forum. 🙂

 

Thanks for your support.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...