PCI Compliance: What app should I use to monitor Azure data logs?

amulay26
Path Finder

We are currently working on PCI Compliance project and need to monitor the Azure Data Logs. What app would you recommend to do this?
Would it be
1. Splunk add-on for Cloud Services - https://splunkbase.splunk.com/app/3110/
2. Azure Monitor add-on - https://splunkbase.splunk.com/app/3534/

Thanks in advance for the help.

Best,
Akshay.


marycordova
SplunkTrust

@amulay26 I wouldn't recommend either of those solutions because of either a lack of support and/or reliability.

This is the method I use to ingest logs from Azure to Splunk:
https://answers.splunk.com/answers/678660/how-to-get-logs-from-azure-and-o365-into-splunk.html

This method will easily ingest all "Activity Log" events.

It does not perform monitoring; you would need to set up searches for whatever you want to monitor.

From my PCI experience, having the logs available was generally sufficient as you needed to demonstrate the ability to perform an investigation and not necessarily alerting on specific activities in real-time.

When you say "Azure Data Logs", what logs exactly do you mean by that? Anything beyond the "Activity Log" you will need to enable/define/configure individually within Azure.

@marycordova
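As an added illustration (not from this thread or its author) of the "set up searches yourself" point above, here is a savedsearches.conf stanza that runs hourly over ingested Activity Log events and flags successful administrative write/delete/action operations per caller and resource group, the kind of record a PCI investigation asks for. The index, the sourcetype and the Activity Log field names used here (category, operationName, caller, resourceId, resultType) are assumptions that depend on how your Azure-to-Splunk pipeline writes the events; adjust them to match your data.

```ini
# Assumed: index=azure and sourcetype=azure:activitylog; change to match your ingestion
[PCI - Azure Activity Log administrative changes]
search = index=azure sourcetype=azure:activitylog category=Administrative \
    (operationName="*/write" OR operationName="*/delete" OR operationName="*/action") \
    resultType=Success \
    | eval resource_group=mvindex(split(resourceId, "/"), 4) \
    | stats count earliest(_time) AS first_seen latest(_time) AS last_seen \
        values(operationName) AS operations BY caller resource_group \
    | convert ctime(first_seen) ctime(last_seen)
# Hourly schedule over the previous hour; the saved results double as an investigation trail
cron_schedule = 0 * * * *
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
enableSched = 1
# Fire only when at least one administrative change was seen in the window
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
```

The resourceId field follows the /subscriptions/.../resourceGroups/<name>/... layout, which is why the fifth path segment is taken as the resource group.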

larmesto
Path Finder

This might be helpful for anyone visiting; I have started working on an add-on for Azure Event Hubs for Splunk, feel free to use it!
https://splunkbase.splunk.com/app/4343/

Regards,


marycordova
SplunkTrust

Sorry, one other thing...I forgot to point out that my solution is not supported officially by anyone either...but you build it entirely yourself within your own infrastructure, so it shouldn't be as big of an issue as the lack of support for more "blackbox" solutions like the others 🙂

@marycordova

amulay26
Path Finder

@marycordova By Azure data logs I mean the Azure audit logs and the change logs.


mstjohn_splunk
Splunk Employee

Hi @amulay26,

Did the answer below solve your problem? If so, please resolve this post by approving it!

If your problem is still not solved, keep us updated so that someone else can help ya.

Thanks for posting!


marycordova
SplunkTrust

If you are referring to the "Activity Log" as the audit/change log, this method should suffice.

@marycordova