Splunk Enterprise Security

Add-ons for Microsoft products

Amire22
Explorer

I would appreciate help from anyone who has encountered a similar problem:

We are using Microsoft's E5 licensing with the following products:

  • Intune
  • Entra ID
  • Defender for Endpoint
  • Office 365
  • Teams

All events from Microsoft are streamed to Event Hub and from there to our Splunk ES.

We are very confused and don't know which Add-Ons we should install.

I would love to hear from anyone who uses these technologies.


kiran_panchavat
Champion

@Amire22 

Hello, you can install the Splunk Add-on for Microsoft Cloud Services to onboard the logs to Splunk. https://splunkbase.splunk.com/app/3110

https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Azure_Event_Hub... 

https://splunk.github.io/splunk-add-on-for-microsoft-cloud-services/ 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!


Amire22
Explorer

Thank you.

Will it include logs from all my products above?


PickleRick
SplunkTrust

Not necessarily.

There are separate add-ons for specific services (a separate one for Teams, another for Security (Defender and Defender for Endpoint), and so on). This one will cover getting data from Event Hub, but you might need another add-on to parse your data properly and map fields to CIM.

I'm not sure, though, whether pushing the data through Event Hub won't mangle the events, since some of those add-ons expect the inputs to run differently (Graph API?).

You need to go to Splunkbase, type in "microsoft" and check it out.

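The reply above separates two jobs: the Microsoft Cloud Services add-on gets the bytes out of Event Hub, while per-service add-ons parse them and map fields to CIM, and it raises the concern that batching through Event Hub may change the shape of the events. A practical first step before choosing add-ons is to look at what is actually arriving. The script below is an added example for this thread, not code from any Splunk add-on or from the participants. It assumes the Azure Monitor diagnostic-settings envelope, in which one Event Hub message wraps several log records in a top-level "records" array, and it also accepts a bare event with no envelope. The sample messages, tenant and subscription ids are constructed.

```python
"""Inventory the Azure log records carried in Event Hub messages.

Added example for the thread above (not add-on code). Assumes the Azure
Monitor diagnostic-settings envelope: {"records": [ {...}, {...} ]}.
All sample data below is constructed.
"""
import json
import re
from collections import Counter

# Constructed sample: one Event Hub message wrapping three Entra ID records
# (resource provider Microsoft.aadiam) and one Azure activity record from a
# different provider. Tenant and subscription ids are made up.
SAMPLE_BATCH = json.dumps({
    "records": [
        {"time": "2024-01-01T00:00:00Z", "category": "SignInLogs",
         "resourceId": "/tenants/11111111-1111-1111-1111-111111111111/providers/Microsoft.aadiam",
         "operationName": "Sign-in activity", "resultType": "0"},
        {"time": "2024-01-01T00:00:01Z", "category": "SignInLogs",
         "resourceId": "/tenants/11111111-1111-1111-1111-111111111111/providers/Microsoft.aadiam",
         "operationName": "Sign-in activity", "resultType": "50126"},
        {"time": "2024-01-01T00:00:02Z", "category": "AuditLogs",
         "resourceId": "/tenants/11111111-1111-1111-1111-111111111111/providers/Microsoft.aadiam",
         "operationName": "Add member to group"},
        {"time": "2024-01-01T00:00:03Z", "category": "Administrative",
         "resourceId": "/SUBSCRIPTIONS/22222222-2222-2222-2222-222222222222/RESOURCEGROUPS/RG1"
                       "/PROVIDERS/MICROSOFT.COMPUTE/VIRTUALMACHINES/VM1",
         "operationName": "Microsoft.Compute/virtualMachines/write"},
    ]
})

# Constructed sample: a single event written to the hub without the envelope,
# and without a resourceId, so both code paths are exercised.
SAMPLE_BARE = json.dumps({"category": "Administrative", "operationName": "x"})

# Azure resource ids are case-insensitive; the provider follows "/providers/".
_PROVIDER_RE = re.compile(r"/providers/([^/]+)", re.IGNORECASE)


def split_records(message: str) -> list[dict]:
    """Return the individual records in one Event Hub message.

    An enveloped message yields every element of its "records" array; a bare
    event is returned as a one-element list so callers need not care which
    shape the producer used.
    """
    payload = json.loads(message)
    if isinstance(payload, dict) and isinstance(payload.get("records"), list):
        return payload["records"]
    return [payload]


def resource_provider(record: dict) -> str:
    """Extract the Azure resource provider (lower-cased) from resourceId."""
    match = _PROVIDER_RE.search(record.get("resourceId", ""))
    return match.group(1).lower() if match else "<unknown provider>"


def inventory(messages) -> dict[str, int]:
    """Count records per "provider/category" across all messages.

    The keys tell you which Microsoft services are really flowing through the
    hub, which is the information needed to pick parsing add-ons.
    """
    counts: Counter = Counter()
    for message in messages:
        for record in split_records(message):
            category = record.get("category", "<no category>")
            counts[f"{resource_provider(record)}/{category}"] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, count in sorted(inventory([SAMPLE_BATCH, SAMPLE_BARE]).items()):
        print(f"{count:5d}  {key}")
```

Run against messages read from a real hub (for example, a small sample pulled with the Azure SDK or exported from the add-on's index), the per-provider counts show directly whether Teams, Defender or Intune data is present at all, and the record count per message shows whether the envelope is being split into separate events or landing as one multi-record blob.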
