Getting Data In

Service Principal configuration for Splunk Add-on for Microsoft Cloud Services

regarza
Engager

We are looking to configure the Splunk Add-on for Microsoft Cloud Services to use a Service Principal as opposed to a client key.  The documentation for the Add-On does not provide insight into how one would configure the Splunk Add-on for Microsoft Cloud Services to work with a Service Principal.  Does the Splunk Add-on for Microsoft Cloud Services service principals for authentication?  

Labels (1)
0 Karma

rishabhshah
Explorer
0 Karma

rishabhshah
Explorer

MSCS TA uses service principle for authentication. Please review below document to configure and connect with TA with the same - https://splunk.github.io/splunk-add-on-for-microsoft-cloud-services/ConfigureappinAzureAD/

0 Karma

regarza
Engager

When I attempted to configure the input to use the service principal, I started to get the following error message:  

<?xml version="1.0" encoding="utf-8"?><Error><Code>PublicAccessNotPermitted</Code><Message>Public access is not permitted on this storage account.
RequestId:3d827a38-b01e-003e-7d90-46bd5c000000
Time:2024-12-04T21:05:06.5396465Z</Message></Error>

Are there other items that I must reconfigure to get the service principal configured?  

0 Karma

nirajc_splunk
Splunk Employee
Splunk Employee

As per error logs it seems that public access for the storage account overrides the public access settings for all containers in that storage account, preventing anonymous access to blob data in that account. When public access is disallowed for the account, it is not possible to configure the public access setting for a container to permit anonymous access, and any future anonymous requests to that account will fail.

 

To set the AllowBlobPublicAccess property for the storage account, a user must have permissions to create and manage storage accounts. Azure role-based access control (Azure RBAC) roles that provide these permissions include the Microsoft.Storage/storageAccounts/write action. Built-in roles with this action include:

  1. The Azure Resource Manager Owner role
  2. The Azure Resource Manager Contributor role
  3. The Storage Account Contributor role

Once you have an account with such permissions, you can work your way through any of the following ways to enable the "Blob public access" setting on your Storage Account:



nirajc_splunk_0-1734438644206.png
After that you can also set the public access setting at the container and blob levels:

nirajc_splunk_1-1734438789808.png



This above information will help you to resolve this issue

 



0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...