
What is the difference between Microsoft Azure Add on for Splunk and Add-on for Microsoft Cloud Services?

jwalzerpitt
Influencer

What are the differences between the Microsoft Azure Add-on for Splunk and the Add-on for Microsoft Cloud Services? Is there any overlap, or does each add-on pull from separate Azure event types (sourcetypes)?

It's very confusing to try to see and compare what each Microsoft cloud-related add-on does and which log source it pulls from.

Thx


jconger
Splunk Employee

It's mainly the inputs. The Splunk Add-on for Microsoft Cloud Services (MSCS) collects 5 main things:

  1. Activity (a.k.a. Audit) logs - meaning who did what and when. The MSCS add-on does this via a REST API.
  2. Generic data stored in an Azure Table
  3. Generic data stored in an Azure Blob
  4. Azure Resources (VMs and VNETs mainly)
  5. Azure Virtual Machine Metrics (Via an Azure Storage Table)

The Microsoft Azure Add-on for Splunk has 15 inputs. I won't list them all, but here are a few:

  • Generic Event Hub reader - there can be some overlap here with the MSCS add-on since Activity Logs can be sent to an Event Hub
  • Azure AD collection - users, sign-ins, changes
  • Billing and consumption data
  • Azure Security Center alerts and tasks

A more detailed rundown of the add-ons can be found here -> http://bit.ly/Splunk_Azure_Add-ons

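The one overlap the answer above calls out is Activity Logs arriving twice: once through the MSCS REST input and once through the Event Hub reader of the Azure add-on. The script below is an added example (not code from the thread, from Splunk, or from either add-on) that checks exported events for that double ingestion by normalizing both record shapes to one key. The sourcetype names, the field names of the two Activity Log formats and the sample events are all assumptions constructed for the example; adjust them to what your own events actually contain.

```python
# Added example (not part of the forum thread or either add-on): detect Azure
# Activity Log events that were ingested by two different inputs.
#
# Assumptions (constructed for this example, verify against your own data):
#   - "mscs:azure:audit" holds Activity Logs pulled by the MSCS REST input and
#     carries the REST-style schema (operationName as an object, eventTimestamp).
#   - "azure:monitor:activity" holds the same events delivered via an Event Hub,
#     with the diagnostic-settings schema (operationName as a string, time).
#   - correlationId is preserved on both paths, so it anchors the match key.
import json
from collections import defaultdict

# Constructed sample events in the shape of a Splunk export (sourcetype + _raw).
# Events 1 and 2 describe the same VM write; event 3 appears only once.
SAMPLE_EVENTS = [
    {"sourcetype": "mscs:azure:audit", "_raw": json.dumps({
        "eventDataId": "11111111-aaaa-4bbb-8ccc-000000000001",
        "correlationId": "22222222-bbbb-4ccc-8ddd-000000000002",
        "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
        "resourceId": "/subscriptions/EXAMPLE-SUB/resourceGroups/rg1/providers/"
                      "Microsoft.Compute/virtualMachines/vm1",
        "eventTimestamp": "2024-11-01T10:00:00.000Z",
        "status": {"value": "Succeeded"},
    })},
    {"sourcetype": "azure:monitor:activity", "_raw": json.dumps({
        "correlationId": "22222222-bbbb-4ccc-8ddd-000000000002",
        "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
        "resourceId": "/SUBSCRIPTIONS/EXAMPLE-SUB/RESOURCEGROUPS/RG1/PROVIDERS/"
                      "MICROSOFT.COMPUTE/VIRTUALMACHINES/VM1",
        "time": "2024-11-01T10:00:00.1234567Z",
        "resultType": "Success",
    })},
    {"sourcetype": "mscs:azure:audit", "_raw": json.dumps({
        "eventDataId": "33333333-cccc-4ddd-8eee-000000000003",
        "correlationId": "44444444-dddd-4eee-8fff-000000000004",
        "operationName": {"value": "Microsoft.Network/virtualNetworks/write"},
        "resourceId": "/subscriptions/EXAMPLE-SUB/resourceGroups/rg1/providers/"
                      "Microsoft.Network/virtualNetworks/vnet1",
        "eventTimestamp": "2024-11-01T10:05:00.000Z",
        "status": {"value": "Succeeded"},
    })},
]


def normalize(event):
    """Reduce either Activity Log shape to (correlationId, operation, resource).

    Both paths may differ in letter case and in whether operationName is a
    string or an object, so everything is lower-cased and flattened.
    """
    body = json.loads(event["_raw"])
    op = body.get("operationName", "")
    if isinstance(op, dict):          # REST-style schema nests the value
        op = op.get("value", "")
    key = (
        body.get("correlationId", "").lower(),
        op.lower(),
        body.get("resourceId", "").lower(),
    )
    return event["sourcetype"], key


def find_overlap(events):
    """Return {key: [sourcetypes]} for every event seen under more than one
    sourcetype, i.e. the operations that are being ingested twice."""
    seen = defaultdict(set)
    for event in events:
        sourcetype, key = normalize(event)
        seen[key].add(sourcetype)
    return {key: sorted(sts) for key, sts in seen.items() if len(sts) > 1}


if __name__ == "__main__":
    for key, sourcetypes in find_overlap(SAMPLE_EVENTS).items():
        print("duplicated across", sourcetypes, "->", key[1], "on", key[2])
```

Run it against a JSON export of both sourcetypes over the same time window; any key that comes back is an operation you are paying to index twice, which is the signal to disable one of the two Activity Log paths or to route the Event Hub stream to a different index.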

shwetas
Explorer

In the same way, can we have details on the Azure Monitor add-on also?


jaxjohnny2000
Builder

Is the sourcetype [mscs:azure:security:recommendation] still part of Splunk Add-on for Microsoft Cloud Services?

I have enabled all the inputs, but this sourcetype does not show up. The dashboard, Security Center Recommendations, in Splunk App Template for Microsoft Azure is blank.


dgiberson
Observer

With these add-ons grabbing from the same general source, am I able to use the same App Registration for both? Or will there be conflicts for the inputs?

Second part: these both go to an IDM, correct?


jwalzerpitt
Influencer

Thx a million for the reply and the link to the spreadsheet, as that is a great matrix. I was worried that there would be overlap between the two add-ons, as I already have the Microsoft Azure Add-on for Splunk installed and was looking at how to pull the other Azure service events, and it appears that MSCS will get me that info without duplicating what the Azure add-on does.

Thx so much!
