What is the difference between Microsoft Azure Add on for Splunk and Add-on for Microsoft Cloud Services?

jwalzerpitt
Influencer

What are the differences between the Microsoft Azure Add on for Splunk and Add-on for Microsoft Cloud Services? Is there any overlap, or does each add-on pull from separate Azure event types (sourcetypes)?

It's very confusing to try to see and compare what each Microsoft cloud-related add-on does and what log source it pulls from.

Thx

0 Karma
1 Solution

jconger
Splunk Employee

It's mainly the inputs. The Splunk Add-on for Microsoft Cloud Services (MSCS) collects 5 main things:

  1. Activity (a.k.a. Audit) logs - meaning who did what and when. The MSCS add-on does this via a REST API.
  2. Generic data stored in an Azure Table
  3. Generic data stored in an Azure Blob
  4. Azure Resources (VMs and VNETs mainly)
  5. Azure Virtual Machine Metrics (Via an Azure Storage Table)

The Microsoft Azure Add-on for Splunk has 15 inputs. I won't list them all, but here are a few:

  • Generic Event Hub reader - there can be some overlap here with the MSCS add-on since Activity Logs can be sent to an Event Hub
  • Azure AD collection - users, sign-ins, changes
  • Billing and consumption data
  • Azure Security Center alerts and tasks

A more detailed rundown of the add-ons can be found here -> http://bit.ly/Splunk_Azure_Add-ons

shwetas
Explorer

Same way, can we have details on Azure add-on Monitor also?

0 Karma

jaxjohnny2000
Builder

Is the sourcetype [mscs:azure:security:recommendation] still part of Splunk Add-on for Microsoft Cloud Services?

I have enabled all the inputs, but this sourcetype does not show up. The dashboard, Security Center Recommendations, in Splunk App Template for Microsoft Azure is blank.

0 Karma

dgiberson
Observer

With these add-ons grabbing from the same general source, am I able to use the same App Registration for both? Or will there be conflicts for the inputs?

Second part... these both go to an IDM, correct?

0 Karma

jwalzerpitt
Influencer

Thx a million for the reply and the link to the spreadsheet, as that is a great matrix. Was worried that there would be overlap between the two add-ons, as I already have the Microsoft Azure Add on for Splunk installed and was looking at how to pull the other Azure service events, and it appears that MSCS will get me that info without duplicating what the Azure add-on does.

Thx so much!

0 Karma