Microsoft Defender Advanced Hunting Add-on for Splunk: Is it possible to use storage account instead of event hub?

MAHA
Explorer

Hi,

The Event Hub capacity is limited; therefore we ask whether we can also use a storage account to ingest the data via this add-on?

In the details of this add-on it is described that Event Hub is used:

Microsoft Defender Advanced Hunting Add-on for Splunk | Splunkbase

Kind regards

MAHA
Explorer

We do not follow them, because the Event Hub is capacity-limited; therefore we try it with a storage account.

I thought I wrote that in the beginning already?

Therefore it makes no sense to read an Event Hub support site if we use a storage account. But in the end the same JSON is ingested, so we wait until the app is onboarded. Then I will get back to you.

inventsekar
SplunkTrust

Hi @MAHA ... this is a kind of new app and I am not very sure, but I am still trying to help you with some troubleshooting steps...

>> The Event Hub capacity is limited, therefore.

On Azure, you mean?

The app details suggest two ways to ingest data. Please tell us how you are ingesting data.

Install and use one of these two Splunk add-ons to ingest the data:

  1. Splunk Add-on for Microsoft Cloud Services (https://splunkbase.splunk.com/app/3110/)
  2. Microsoft Azure Add on for Splunk (https://splunkbase.splunk.com/app/3757/)


MAHA
Explorer

Hi,

Yes, on Azure the capacity is limited.

Sorry, I forgot that we use the Splunk Add-on for Microsoft Cloud Services. But in future we can also use the Azure Add-on, so in the end it is unimportant for us. But both are for Event Hub. I am not sure whether the format from a storage account is the same as from an Event Hub or not.

inventsekar
SplunkTrust

Sure, got it; I understand your situation a bit more now.

1. In the installation steps, step 2 lists this page:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/raw-data-export-event-hub?...

On this page, which steps did you follow?

2. I hope you use Splunk Cloud; if yes, you could contact the Splunk Cloud Support team, who should be able to help you with this request.

MAHA
Explorer

Hi,

No, we do not use Splunk Cloud; we use an on-premises installation.

I do not understand your link.

How does this help me to check whether your parsing also works if the data comes from a storage account instead of an Event Hub?

Our problem is that retention in Event Hub is limited by capacity, which means in our world that data will be deleted after 4h. So to make it more resistant we want to use our own retention with a storage account.

inventsekar
SplunkTrust

>> I do not understand your link.

On the app's details page at:
https://splunkbase.splunk.com/app/5518/#/details

it has the installation method, right (a 12-step installation procedure); in that, the 2nd step gives this link.
May I know whether you followed the steps on this Microsoft page, and whether there were any issues you faced? Please advise, thanks.

MAHA
Explorer

I saw your link, but this is not a Microsoft thing.

It is a question for this add-on. 🙂

From the Microsoft side I didn't find any table about the format between Event Hub and storage account.

Therefore I ask here in the forum. 🙂


Thanks for your support.
