Solved: Re: Why Splunk MS cloud add-on eventhub lost some ...

aasabatini · ‎03-25-2022

Hi All,

I configured the MS add-on from a eventhub to gettin in splunk all security alert from Defender for cloud.

seems splunk can't collect some alerts I don't understand why.

The eventhub is properly configured because I see all the logs from the eventhub also I see some security alerts but not all.

the only thing give me a suspition is the eventhub have 3 consumergroup and the input is configured only one consumer group

any helps?

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

aasabatini · ‎04-29-2022

Hi All,

I found the solution by myself, seems the the ms add-on doesn't lost the events but received the logs from the eventhub very late.

I removed the defender for clouds logs from the eventhub and I used the MS graph api add-on.

now I can collect data near real time.

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

aasabatini · ‎04-29-2022

Hi All,

I found the solution by myself, seems the the ms add-on doesn't lost the events but received the logs from the eventhub very late.

I removed the defender for clouds logs from the eventhub and I used the MS graph api add-on.

now I can collect data near real time.

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

Why Splunk MS cloud add-on eventhub lost some security events from Defender for Cloud?