Getting Data In

what are the security use cases available for azure.

lksridhar
Explorer

Hi Folks,

we have on-boarded the activity logs, service status, operational messages, Azure audit, Azure resource data and Azure Storage Table and Blob data through Splunk Add-on for Microsoft Cloud Services. now we are planning to create security use case which it is related to azure logs but there is no app in splunk base to get the predefined use case which it is related to Azure.

Could you please anyone help me to get details about security use cases which it is related to Azure logs.

Tags (1)
0 Karma
1 Solution

adonio
Ultra Champion

Hello there,

I assume that when you are saying use cases you mean to pre-built views and dashboards which answer some general questions on your data. there are some prebuilt panels on couple of the ad-ons that are public on splunkbase
look for azure, download all the apps / TAs and look for either savedsearches.conf or navigate to the panels directory, look for files end with .xml and open them. you will find some searches.
take a look also in this link:
https://www.splunk.com/blog/2014/12/18/splunk-and-microsoft-azure-intro-and-resource-roundup.html
its a little dated, but you will find there many other links to items i hope you can find helpful.
lastly, (and its my opinion only) i think a better route to take will be to ask yourself or ask your managers / peers / business unit owners / security experts or even the Azure owner or a Microsoft experts, "what do you care about that exists in this data? what would you like to see on your security dashboard?". i believe that such questions will lead you toward better using the data at hand and develop the use cases that are important to you.
when you do develop those, please share with the community.

hope it helps

View solution in original post

0 Karma

adonio
Ultra Champion

Hello there,

I assume that when you are saying use cases you mean to pre-built views and dashboards which answer some general questions on your data. there are some prebuilt panels on couple of the ad-ons that are public on splunkbase
look for azure, download all the apps / TAs and look for either savedsearches.conf or navigate to the panels directory, look for files end with .xml and open them. you will find some searches.
take a look also in this link:
https://www.splunk.com/blog/2014/12/18/splunk-and-microsoft-azure-intro-and-resource-roundup.html
its a little dated, but you will find there many other links to items i hope you can find helpful.
lastly, (and its my opinion only) i think a better route to take will be to ask yourself or ask your managers / peers / business unit owners / security experts or even the Azure owner or a Microsoft experts, "what do you care about that exists in this data? what would you like to see on your security dashboard?". i believe that such questions will lead you toward better using the data at hand and develop the use cases that are important to you.
when you do develop those, please share with the community.

hope it helps

0 Karma

lksridhar
Explorer

Thanks adonio for your information, as i said we already on boarded the azure logs and we are planing to create the reports and alerts,.

I have installed the Microsoft Azure Active Directory Reporting Add-on for Splunk, Splunk Add-on for Microsoft Cloud Services, Microsoft Cloud App for Splunk and Splunk Template for Microsoft Azure but i couldn't able to find any reports on those app.

Could you please provide any doc or app which we can use to design the use cases for azure logs.

0 Karma

adonio
Ultra Champion

@iksridhar,
on your MSCS app: https://splunkbase.splunk.com/app/3110/
navigate to default\data\ui\panels and you will find some pre-built panels (use cases according to you)
there are 5 of then ready for you, here is an example:

<panel>
  <title>Microsoft Cloud Services - Failed Authentication by Source in Last 24H</title>
  <chart>
    <search>
      <query>sourcetype="ms:o365:management" tag=authentication src=* result=failed earliest=-24h | timechart count by src usenull=f useother=f</query>
    </search>
    <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
    <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
    <option name="charting.axisTitleX.visibility">visible</option>
    <option name="charting.axisTitleY.visibility">visible</option>
    <option name="charting.axisTitleY2.visibility">visible</option>
    <option name="charting.axisX.scale">linear</option>
    <option name="charting.axisY.scale">linear</option>
    <option name="charting.axisY2.enabled">0</option>
    <option name="charting.axisY2.scale">inherit</option>
    <option name="charting.chart">column</option>
    <option name="charting.chart.bubbleMaximumSize">50</option>
    <option name="charting.chart.bubbleMinimumSize">10</option>
    <option name="charting.chart.bubbleSizeBy">area</option>
    <option name="charting.chart.nullValueMode">gaps</option>
    <option name="charting.chart.showDataLabels">none</option>
    <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
    <option name="charting.chart.stackMode">default</option>
    <option name="charting.chart.style">shiny</option>
    <option name="charting.drilldown">none</option>
    <option name="charting.layout.splitSeries">0</option>
    <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
    <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
    <option name="charting.legend.placement">right</option>
  </chart>
</panel>

hope it points you in the right direction

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...