PCI Compliance: What app should I use to monitor Azure data logs?

amulay26
Path Finder

We are currently working on PCI Compliance project and need to monitor the Azure Data Logs. What app would you recommend to do this?
Would it be:
1. Splunk add-on for Cloud Services - https://splunkbase.splunk.com/app/3110/
2. Azure Monitor add-on - https://splunkbase.splunk.com/app/3534/

Thanks in advance for the help.

Best,
Akshay.

larmesto
Path Finder

This might be helpful for anyone visiting; I have started working on an add-on for Azure Event Hubs for Splunk, feel free to use it!
https://splunkbase.splunk.com/app/4343/

Regards,

marycordova
SplunkTrust (accepted solution)

@amulay26 I wouldn't recommend either of those solutions because of a lack of support and/or reliability.

This is the method I use to ingest logs from Azure to Splunk:
https://answers.splunk.com/answers/678660/how-to-get-logs-from-azure-and-o365-into-splunk.html

This method will easily ingest all "Activity Log" events.

It does not perform monitoring; you would need to set up searches for whatever you want to monitor.

From my PCI experience, having the logs available was generally sufficient as you needed to demonstrate the ability to perform an investigation and not necessarily alerting on specific activities in real-time.

When you say "Azure Data Logs", what logs exactly do you mean by that? Anything beyond the "Activity Log" you will need to enable/define/configure individually within Azure.

@marycordova
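What "set up searches for whatever you want to monitor" looks like in practice, as an added example that is not part of the post above, of the linked method, or of any Splunk add-on: a small Python script that takes Activity Log records in the JSON shape the Azure Monitor export writes to an Event Hub (one message carrying a `records` array) and picks out the completed Administrative write/delete/action operations, which is the "audit/change log" an assessor will ask you to reconstruct from. Field names (`time`, `category`, `operationName`, `resultType`, `resourceId`, `caller`, `callerIpAddress`, `identity.claims`) follow the published Activity Log schema; the sample message, the subscription id, names and IP addresses are constructed, the `caller` then `identity.claims` fallback order and the `HIGH_INTEREST_PREFIXES` list are my choices, not something the thread states.

```python
"""Select the Azure Activity Log events a PCI change-monitoring search keys on.

Added example (not from the thread). Input: one Event Hub message in the Azure
Monitor export shape, {"records": [...]}. All sample values are invented.
"""
import json
from collections import Counter

NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
SUB = "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000"

# Constructed sample: five records, only three of which are completed changes.
SAMPLE_EVENT_HUB_MESSAGE = json.dumps({"records": [
    {   # NSG rule change inside the CDE resource group
        "time": "2019-03-01T10:15:02Z", "category": "Administrative", "resultType": "Success",
        "operationName": "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE",
        "resourceId": SUB + "/RESOURCEGROUPS/PCI-CDE/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/CDE-NSG/SECURITYRULES/ALLOW-RDP",
        "caller": "alice@example.com", "callerIpAddress": "203.0.113.10"},
    {   # RBAC change; the principal is only present under identity.claims
        "time": "2019-03-01T10:20:44Z", "category": "Administrative", "resultType": "Success",
        "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
        "resourceId": SUB + "/PROVIDERS/MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/11111111-1111-1111-1111-111111111111",
        "identity": {"claims": {NAME_CLAIM: "bob@example.com"}}, "callerIpAddress": "203.0.113.11"},
    {   # "Start" phase of a VM write; the same operation is logged again as Success/Failure
        "time": "2019-03-01T10:30:00Z", "category": "Administrative", "resultType": "Start",
        "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
        "resourceId": SUB + "/RESOURCEGROUPS/PCI-CDE/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/CDE-APP01",
        "caller": "carol@example.com"},
    {   # Failed delete of a storage account: an attempted change, worth keeping
        "time": "2019-03-01T11:02:13Z", "category": "Administrative", "resultType": "Failure",
        "operationName": "MICROSOFT.STORAGE/STORAGEACCOUNTS/DELETE",
        "resourceId": SUB + "/RESOURCEGROUPS/PCI-CDE/PROVIDERS/MICROSOFT.STORAGE/STORAGEACCOUNTS/CDELOGS",
        "caller": "carol@example.com", "callerIpAddress": "198.51.100.7"},
    {   # Platform event, not a change made by a principal
        "time": "2019-03-01T11:05:00Z", "category": "ServiceHealth", "resultType": "Success",
        "operationName": "MICROSOFT.SERVICEHEALTH/INCIDENT/ACTION", "resourceId": SUB},
]})

# Changes you want at the top of a PCI review: RBAC/policy and NSG rule edits (my choice).
HIGH_INTEREST_PREFIXES = ("MICROSOFT.AUTHORIZATION/", "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/")


def caller_of(record):
    """Who performed the operation: top-level 'caller' if present, otherwise the
    name claim under identity.claims (assumed fallback order; check your export)."""
    if record.get("caller"):
        return record["caller"]
    return record.get("identity", {}).get("claims", {}).get(NAME_CLAIM, "unknown")


def is_change(record):
    """Administrative write/delete/action that has completed. Start phases are
    noise: every completed operation is also logged once as Success or Failure."""
    if record.get("category") != "Administrative":
        return False
    op = record.get("operationName", "").upper()
    if not op.endswith(("/WRITE", "/DELETE", "/ACTION")):
        return False
    return record.get("resultType") != "Start"


def select_change_events(message):
    """Parse one Event Hub message and return its change events, oldest first."""
    events = []
    for rec in json.loads(message).get("records", []):
        if not is_change(rec):
            continue
        op = rec["operationName"].upper()
        events.append({
            "time": rec["time"],
            "caller": caller_of(rec),
            "caller_ip": rec.get("callerIpAddress", ""),
            "operation": op,
            "resource": rec.get("resourceId", ""),
            "succeeded": rec.get("resultType") == "Success",
            "high_interest": op.startswith(HIGH_INTEREST_PREFIXES),
        })
    return sorted(events, key=lambda e: e["time"])


def summarise_by_caller(events):
    """Changes per principal: the first breakdown an assessor asks for."""
    return dict(Counter(e["caller"] for e in events))


if __name__ == "__main__":
    changes = select_change_events(SAMPLE_EVENT_HUB_MESSAGE)
    for e in changes:
        flag = "!" if e["high_interest"] else " "
        status = "ok  " if e["succeeded"] else "FAIL"
        print(f"{flag} {e['time']} {status} {e['caller']:<18} {e['operation']}")
    print(summarise_by_caller(changes))
```

Once the same records are in Splunk, the equivalent saved search (index and field names assumed to match your own ingestion) is roughly `index=azure category=Administrative (operationName="*/WRITE" OR operationName="*/DELETE" OR operationName="*/ACTION") resultType!=Start | stats count by caller, operationName, resourceId`; the script is that search's logic run offline over a sample so you can see which fields it keys on before committing to field extractions.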

marycordova
SplunkTrust

Sorry, one other thing... I forgot to point out that my solution is not officially supported by anyone either, but you build it entirely yourself within your own infrastructure, so it shouldn't be as big of an issue as the lack of support for more "black box" solutions like the others 🙂

@marycordova

amulay26
Path Finder

@marycordova By Azure data logs I mean the Azure audit logs and the change logs.


mstjohn_splunk
Splunk Employee

Hi @amulay26,

Did the answer below solve your problem? If so, please resolve this post by approving it!

If your problem is still not solved, keep us updated so that someone else can help ya.

Thanks for posting!


marycordova
SplunkTrust

If you are referring to the "Activity Log" as the audit/change log, this method should suffice.

@marycordova