
What is the difference between Microsoft Azure Add on for Splunk and Add-on for Microsoft Cloud Services?

jwalzerpitt
Influencer

What are the differences between the Microsoft Azure Add-on for Splunk and the Add-on for Microsoft Cloud Services? Is there any overlap, or does each add-on pull from separate Azure event types (sourcetypes)?

It's very confusing to try to see and compare what each Microsoft cloud-related add-on does and which log source it pulls from.

Thx

0 Karma
1 Solution

jconger
Splunk Employee

It's mainly the inputs. The Splunk Add-on for Microsoft Cloud Services (MSCS) collects 5 main things:

  1. Activity (a.k.a. Audit) logs - meaning who did what and when. The MSCS add-on does this via a REST API.
  2. Generic data stored in an Azure Table
  3. Generic data stored in an Azure Blob
  4. Azure Resources (VMs and VNETs mainly)
  5. Azure Virtual Machine Metrics (Via an Azure Storage Table)

The Microsoft Azure Add-on for Splunk has 15 inputs. I won't list them all, but here are a few:

  • Generic Event Hub reader - there can be some overlap here with the MSCS add-on since Activity Logs can be sent to an Event Hub
  • Azure AD collection - users, sign-ins, changes
  • Billing and consumption data
  • Azure Security Center alerts and tasks

A more detailed rundown of the add-ons can be found here -> http://bit.ly/Splunk_Azure_Add-ons

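The answer above notes that Activity Logs can reach Splunk twice: through the MSCS add-on's REST input and again through the Azure add-on's Event Hub reader. The script below is an added example (not code from either add-on or from Splunk) that normalizes both record shapes to one event identity and reports which events arrived from both feeds, so a detection rule does not count a single administrative change twice. The field names (`eventDataId`, `correlationId`, `operationName.value` on the REST side; `records[]`, `time`, `operationName`, `identity.claims.name` on the Event Hub side), the upper-cased resource IDs in the exported records, and all sample values are assumptions; `<sub-id>` is a placeholder.

```python
"""Overlap check for Azure Activity Log events collected twice: once through the
MSCS add-on's REST input and once through an Event Hub reader.  Added example,
not part of either add-on; record shapes and field names are assumptions based
on the Azure Activity Log REST and diagnostic-export formats."""
import json
from collections import defaultdict

# Constructed sample: two Activity Log entries as the Azure Monitor REST API
# returns them (the MSCS REST path).  <sub-id> is a placeholder subscription id.
REST_SAMPLE = json.dumps({"value": [
    {"eventDataId": "evt-0001", "correlationId": "corr-0001",
     "eventTimestamp": "2024-01-15T10:00:00.123Z",
     "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
     "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1",
     "caller": "alice@example.com"},
    {"eventDataId": "evt-0002", "correlationId": "corr-0002",
     "eventTimestamp": "2024-01-15T10:05:00.000Z",
     "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
     "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/nsg1/securityRules/allow-ssh",
     "caller": "bob@example.com"},
]})

# Constructed sample: the same first event as exported to an Event Hub, plus one
# event the REST poll has not returned yet.  Exported resourceId/operationName
# values are assumed upper-cased here, which is why the code case-folds them.
EVENTHUB_SAMPLE = json.dumps({"records": [
    {"time": "2024-01-15T10:00:00.123Z", "category": "Administrative",
     "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
     "resourceId": "/SUBSCRIPTIONS/<SUB-ID>/RESOURCEGROUPS/RG1/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/VM1",
     "correlationId": "corr-0001",
     "identity": {"claims": {"name": "alice@example.com"}}},
    {"time": "2024-01-15T10:07:00.000Z", "category": "Administrative",
     "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
     "resourceId": "/SUBSCRIPTIONS/<SUB-ID>/PROVIDERS/MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/RA1",
     "correlationId": "corr-0003",
     "identity": {"claims": {"name": "carol@example.com"}}},
]})


def _key(correlation_id, operation, resource_id):
    """Identity of an administrative event regardless of which feed delivered it."""
    return (correlation_id, operation.lower(), resource_id.lower())


def normalize_rest(raw):
    """Flatten REST-API records to {key, source, time, caller} dicts."""
    out = []
    for rec in json.loads(raw)["value"]:
        key = _key(rec["correlationId"], rec["operationName"]["value"], rec["resourceId"])
        out.append({"key": key, "source": "mscs_rest",
                    "time": rec["eventTimestamp"], "caller": rec.get("caller")})
    return out


def normalize_eventhub(raw):
    """Flatten Event Hub export records to the same shape as normalize_rest."""
    out = []
    for rec in json.loads(raw)["records"]:
        key = _key(rec["correlationId"], rec["operationName"], rec["resourceId"])
        caller = rec.get("identity", {}).get("claims", {}).get("name")
        out.append({"key": key, "source": "eventhub",
                    "time": rec["time"], "caller": caller})
    return out


def find_overlap(events):
    """Return {key: sorted sources} for events that arrived from more than one feed."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["key"]].add(ev["source"])
    return {k: sorted(s) for k, s in seen.items() if len(s) > 1}


def dedupe(events):
    """Keep the earliest copy of each event so a detection counts it once."""
    kept, seen = [], set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["key"] not in seen:
            seen.add(ev["key"])
            kept.append(ev)
    return kept


if __name__ == "__main__":
    merged = normalize_rest(REST_SAMPLE) + normalize_eventhub(EVENTHUB_SAMPLE)
    for key, sources in find_overlap(merged).items():
        print("collected twice:", key[1], "via", sources)
    print(len(merged), "raw events ->", len(dedupe(merged)), "unique events")
```

The join key deliberately ignores `eventDataId`, which only the REST feed carries; `correlationId` plus the case-folded operation and resource ID is what both feeds share. If you keep both inputs enabled, the same normalization can be expressed as a Splunk search over the two sourcetypes, but the point is the same: decide which feed is authoritative for Activity Logs, or dedupe before alerting.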

shwetas
Explorer

Same way, can we have details on the Azure Monitor add-on also?

0 Karma


jaxjohnny2000
Builder

Is the sourcetype [mscs:azure:security:recommendation] still part of Splunk Add-on for Microsoft Cloud Services?

I have enabled all the inputs, but this sourcetype does not show up. The dashboard, Security Center Recommendations, in the Splunk App Template for Microsoft Azure is blank.

0 Karma

dgiberson
Observer

With these add-ons grabbing from the same general source, am I able to use the same App Registration for both? Or will there be conflicts for the inputs?

Second part: these both go to an IDM, correct?

0 Karma

jwalzerpitt
Influencer

Thx a million for the reply and the link to the spreadsheet, as that is a great matrix. I was worried that there would be overlap between the two add-ons, as I already have the Microsoft Azure Add-on for Splunk installed and was looking at how to pull the other Azure service events, and it appears that MSCS will get me that info without duplicating what the Azure add-on does.

Thx so much!

0 Karma