
What is the difference between Microsoft Azure Add on for Splunk and Add-on for Microsoft Cloud Services?

jwalzerpitt
Influencer

What are the differences between the Microsoft Azure Add-on for Splunk and the Add-on for Microsoft Cloud Services? Is there any overlap, or does each add-on pull from separate Azure event types (sourcetypes)?

It's very confusing to try to see and compare what each Microsoft cloud-related add-on does and which log source it pulls from.

Thx

0 Karma
1 Solution

jconger
Splunk Employee

It's mainly the inputs. The Splunk Add-on for Microsoft Cloud Services (MSCS) collects 5 main things:

  1. Activity (a.k.a. Audit) logs - meaning who did what and when. The MSCS add-on does this via a REST API.
  2. Generic data stored in an Azure Table
  3. Generic data stored in an Azure Blob
  4. Azure Resources (VMs and VNETs mainly)
  5. Azure Virtual Machine Metrics (Via an Azure Storage Table)

The Microsoft Azure Add-on for Splunk has 15 inputs. I won't list them all, but here are a few:

  • Generic Event Hub reader - there can be some overlap here with the MSCS add-on since Activity Logs can be sent to an Event Hub
  • Azure AD collection - users, sign-ins, changes
  • Billing and consumption data
  • Azure Security Center alerts and tasks

A more detailed rundown of the add-ons can be found here -> http://bit.ly/Splunk_Azure_Add-ons

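The overlap the answer above points at (Activity Logs collected once by the MSCS REST-API input and again by an Event Hub reader when the subscription's diagnostic setting exports the Activity Log to that hub) is easy to check for once both feeds are normalized onto one key. The script below is an added example, not code from either add-on or from this thread: it correlates constructed samples of both feeds on correlationId plus operation name, reports which events arrived through both paths, and builds one de-duplicated stream. The field names it relies on (eventDataId, eventTimestamp, operationName.value and status.value on the REST side; a records[] wrapper with time, operationName, correlationId, resultType and identity.claims on the Event Hub side) are this example's assumptions about the two schemas, so check them against your own raw events before trusting the key.

```python
"""Added example for this thread; not code from either add-on or from Splunk.

Correlates Azure Activity Log events that arrive via the REST API input with the
same events exported through an Event Hub, to show how much is ingested twice.
Schema field names are assumptions; verify them against your raw events.
"""
from typing import Dict, List, Tuple

# Claim key under which the diagnostic-settings export carries the caller's
# name (assumed; confirm in your own Event Hub payloads).
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
Key = Tuple[str, str]

# Constructed resource IDs for the sample events below (not real resources).
VM = "/subscriptions/sub-1/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"
NSG = "/subscriptions/sub-1/resourceGroups/rg1/providers/Microsoft.Network/networkSecurityGroups/nsg1/securityRules/allow-ssh"
ROLE = "/subscriptions/sub-1/providers/Microsoft.Authorization/roleAssignments/ra1"
STG = "/subscriptions/sub-1/resourceGroups/rg1/providers/Microsoft.Storage/storageAccounts/stg1"


def _rest(cid: str, ts: str, caller: str, op: str, resource: str) -> dict:
    """Constructed Activity Log event in the REST-API shape (assumed field names)."""
    return {"eventDataId": f"rest-{cid}", "correlationId": cid, "eventTimestamp": ts,
            "caller": caller, "operationName": {"value": op},
            "resourceId": resource, "status": {"value": "Succeeded"}}


def _hub(cid: str, ts: str, caller: str, op: str, resource: str) -> dict:
    """Constructed record in the diagnostic-settings export shape. The export is
    simulated as upper-casing operationName/resourceId, which is why the key
    below is case-folded (assumption)."""
    return {"time": ts, "correlationId": cid, "operationName": op.upper(),
            "resourceId": resource.upper(), "category": "Administrative",
            "resultType": "Success", "identity": {"claims": {NAME_CLAIM: caller}}}


# Constructed samples: c-100 and c-101 reach Splunk through both inputs,
# c-102 only via REST, c-103 only via the Event Hub.
REST_EVENTS: List[dict] = [
    _rest("c-100", "2024-03-01T10:00:05Z", "alice@example.com", "Microsoft.Compute/virtualMachines/write", VM),
    _rest("c-101", "2024-03-01T10:02:10Z", "bob@example.com", "Microsoft.Network/networkSecurityGroups/securityRules/write", NSG),
    _rest("c-102", "2024-03-01T10:03:00Z", "carol@example.com", "Microsoft.Authorization/roleAssignments/write", ROLE),
]
EVENTHUB_BODY: dict = {"records": [
    _hub("c-100", "2024-03-01T10:00:05Z", "alice@example.com", "Microsoft.Compute/virtualMachines/write", VM),
    _hub("c-101", "2024-03-01T10:02:10Z", "bob@example.com", "Microsoft.Network/networkSecurityGroups/securityRules/write", NSG),
    _hub("c-103", "2024-03-01T10:04:30Z", "dave@example.com", "Microsoft.Storage/storageAccounts/delete", STG),
]}


def _key(correlation_id: str, operation: str) -> Key:
    # Both feeds carry correlationId; operation casing differs, so fold it.
    return (correlation_id, operation.lower())


def normalize_rest(event: dict) -> dict:
    """Map a REST-API Activity Log event onto the common record shape."""
    return {"key": _key(event["correlationId"], event["operationName"]["value"]),
            "time": event["eventTimestamp"], "caller": event.get("caller", ""),
            "resource": event["resourceId"].lower(),
            "outcome": event["status"]["value"], "source": "mscs_rest"}


def normalize_eventhub(record: dict) -> dict:
    """Map one Event Hub export record onto the common record shape."""
    claims = record.get("identity", {}).get("claims", {})
    return {"key": _key(record["correlationId"], record["operationName"]),
            "time": record["time"], "caller": claims.get(NAME_CLAIM, ""),
            "resource": record["resourceId"].lower(),
            "outcome": record.get("resultType", ""), "source": "eventhub"}


def find_overlap(rest_events: List[dict], eventhub_body: dict) -> dict:
    """Report which keys were ingested by both inputs and the share of duplicates."""
    rest = {e["key"]: e for e in map(normalize_rest, rest_events)}
    hub = {e["key"]: e for e in map(normalize_eventhub, eventhub_body["records"])}
    both = sorted(rest.keys() & hub.keys())
    total = len(rest) + len(hub)
    return {"both": both,
            "rest_only": sorted(rest.keys() - hub.keys()),
            "eventhub_only": sorted(hub.keys() - rest.keys()),
            "duplicate_ratio": len(both) / total if total else 0.0}


def merge_deduplicated(rest_events: List[dict], eventhub_body: dict,
                       prefer: str = "eventhub") -> List[dict]:
    """One record per key, ordered by time; on overlap the preferred source wins."""
    merged: Dict[Key, dict] = {}
    records = [normalize_rest(e) for e in rest_events]
    records += [normalize_eventhub(r) for r in eventhub_body["records"]]
    for rec in records:
        current = merged.get(rec["key"])
        if current is None or (rec["source"] == prefer and current["source"] != prefer):
            merged[rec["key"]] = rec
    return sorted(merged.values(), key=lambda r: r["time"])


if __name__ == "__main__":
    report = find_overlap(REST_EVENTS, EVENTHUB_BODY)
    ingested = len(REST_EVENTS) + len(EVENTHUB_BODY["records"])
    print(f"ingested twice: {len(report['both'])} of {ingested} records")
    for key in report["both"]:
        print("  ", key)
```

Inside Splunk the same check is a `stats dc(sourcetype) by correlationId` across the sourcetypes the two inputs write; any correlationId with a distinct count of 2 is being indexed (and licensed) twice. Before enabling the MSCS Activity Log input next to an Event Hub reader, confirm whether the subscription's Activity Log diagnostic setting already exports to that hub, and keep only one path for the Administrative category.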

shwetas
Explorer

In the same way, can we also have details on the Azure Monitor add-on?

0 Karma


jaxjohnny2000
Builder

Is the sourcetype [mscs:azure:security:recommendation] still part of Splunk Add-on for Microsoft Cloud Services?

I have enabled all the inputs, but this sourcetype does not show up. The dashboard, Security Center Recommendations, in Splunk App Template for Microsoft Azure is blank.

0 Karma

dgiberson
Observer

With these add-ons grabbing from the same general source, am I able to use the same App Registration for both? Or will there be conflicts for the inputs?

Second part: these both go to an IDM, correct?

0 Karma

jwalzerpitt
Influencer

Thx a million for the reply and the link to the spreadsheet, as that is a great matrix. I was worried that there would be overlap between the two add-ons, as I already have the Microsoft Azure Add-on for Splunk installed and was looking at how to pull the other Azure service events, and it appears that MSCS will get me that info without duplicating what the Azure add-on does.

Thx so much!

0 Karma