What is the difference between Microsoft Azure Add on for Splunk and Add-on for Microsoft Cloud Services?

Motivator

What are the differences between the Microsoft Azure Add on for Splunk and Add-on for Microsoft Cloud Services? Is there any overlap, or does each add-on pull from separate Azure event types (sourcetypes)?

It's very confusing to try to see and compare what each Microsoft cloud-related add-on does and which log source it pulls from.

Thx

0 Karma
1 Solution

Splunk Employee

It's mainly the inputs. The Splunk Add-on for Microsoft Cloud Services (MSCS) collects 5 main things:

  1. Activity (a.k.a. Audit) logs - meaning who did what and when. The MSCS add-on does this via a REST API.
  2. Generic data stored in an Azure Table
  3. Generic data stored in an Azure Blob
  4. Azure Resources (VMs and VNETs mainly)
  5. Azure Virtual Machine Metrics (via an Azure Storage Table)

The Microsoft Azure Add-on for Splunk has 15 inputs. I won't list them all, but here are a few:

  • Generic Event Hub reader - there can be some overlap here with the MSCS add-on since Activity Logs can be sent to an Event Hub
  • Azure AD collection - users, sign-ins, changes
  • Billing and consumption data
  • Azure Security Center alerts and tasks

A more detailed rundown of the add-ons can be found here -> http://bit.ly/Splunk_Azure_Add-ons

Explorer

In the same way, can we have details on the Azure Monitor add-on also?

0 Karma

New Member

With these add-ons grabbing from the same general source, am I able to use the same App Registration for both? Or will there be conflicts for the inputs?

Second part: these both go to an IDM, correct?

0 Karma

Motivator

Thx a million for the reply and the link to the spreadsheet, as that is a great matrix. I was worried that there would be overlap between the two add-ons, as I already have the Microsoft Azure Add-on for Splunk installed and was looking at how to pull the other Azure service events, and it appears that MSCS will get me that info without duplicating what the Azure add-on does.

Thx so much!

0 Karma