Solved: what are the security use cases available for azur...

lksridhar · ‎05-05-2018

Hi Folks,

we have on-boarded the activity logs, service status, operational messages, Azure audit, Azure resource data and Azure Storage Table and Blob data through Splunk Add-on for Microsoft Cloud Services. now we are planning to create security use case which it is related to azure logs but there is no app in splunk base to get the predefined use case which it is related to Azure.

Could you please anyone help me to get details about security use cases which it is related to Azure logs.

adonio · ‎05-05-2018

Hello there,

I assume that when you are saying use cases you mean to pre-built views and dashboards which answer some general questions on your data. there are some prebuilt panels on couple of the ad-ons that are public on splunkbase
look for azure, download all the apps / TAs and look for either savedsearches.conf or navigate to the panels directory, look for files end with .xml and open them. you will find some searches.
take a look also in this link:
https://www.splunk.com/blog/2014/12/18/splunk-and-microsoft-azure-intro-and-resource-roundup.html
its a little dated, but you will find there many other links to items i hope you can find helpful.
lastly, (and its my opinion only) i think a better route to take will be to ask yourself or ask your managers / peers / business unit owners / security experts or even the Azure owner or a Microsoft experts, "what do you care about that exists in this data? what would you like to see on your security dashboard?". i believe that such questions will lead you toward better using the data at hand and develop the use cases that are important to you.
when you do develop those, please share with the community.

hope it helps

View solution in original post

adonio · ‎05-05-2018

Hello there,

I assume that when you are saying use cases you mean to pre-built views and dashboards which answer some general questions on your data. there are some prebuilt panels on couple of the ad-ons that are public on splunkbase
look for azure, download all the apps / TAs and look for either savedsearches.conf or navigate to the panels directory, look for files end with .xml and open them. you will find some searches.
take a look also in this link:
https://www.splunk.com/blog/2014/12/18/splunk-and-microsoft-azure-intro-and-resource-roundup.html
its a little dated, but you will find there many other links to items i hope you can find helpful.
lastly, (and its my opinion only) i think a better route to take will be to ask yourself or ask your managers / peers / business unit owners / security experts or even the Azure owner or a Microsoft experts, "what do you care about that exists in this data? what would you like to see on your security dashboard?". i believe that such questions will lead you toward better using the data at hand and develop the use cases that are important to you.
when you do develop those, please share with the community.

hope it helps

lksridhar · ‎05-06-2018

Thanks adonio for your information, as i said we already on boarded the azure logs and we are planing to create the reports and alerts,.

I have installed the Microsoft Azure Active Directory Reporting Add-on for Splunk, Splunk Add-on for Microsoft Cloud Services, Microsoft Cloud App for Splunk and Splunk Template for Microsoft Azure but i couldn't able to find any reports on those app.

Could you please provide any doc or app which we can use to design the use cases for azure logs.

adonio · ‎05-07-2018

@iksridhar,
on your MSCS app: https://splunkbase.splunk.com/app/3110/
navigate to default\data\ui\panels and you will find some pre-built panels (use cases according to you)
there are 5 of then ready for you, here is an example:

<panel>
  <title>Microsoft Cloud Services - Failed Authentication by Source in Last 24H</title>
  <chart>
    <search>
      <query>sourcetype="ms:o365:management" tag=authentication src=* result=failed earliest=-24h | timechart count by src usenull=f useother=f</query>
    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">column</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">none</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">none</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">right</option>
  </chart>
</panel>

hope it points you in the right direction

what are the security use cases available for azure.

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM