Splunk Add-on for Microsoft Azure

The Splunk Add-on for Microsoft Azure collects data from Microsoft Azure including the following:

• Microsoft Entra ID (formerly Azure Active Directory) Data
  • Users - Microsoft Entra ID (formerly Azure AD) user data
  • Interactive Sign-ins - Microsoft Entra ID (fomrely Azure AD) sign-ins including conditional access policies and MFA
  • Directory audits - Microsoft Entra ID (formerly Azure AD) directory changes including old and new values
  • Devices - Registered devices in Microsoft Entra ID (formerly Azure AD)
  • Groups - Microsoft Entra IE (formerly Azure AD) group data
  • Risk Detections - Risky users and risk events
• Azure Log Analytics (KQL)
• Metrics
• Estimated billing and consumption
  • VM Reservation Recommendations
• Inventory metadata
  • Resource Groups - Resource group configuration
  • Virtual Machines - VM, Disk, Image, and Snapshot configurations
  • Virtual Networks - VNET, NSG, and Public IP configurations
  • Subscriptions - Subscription name, ID, and type
  • Topology - IaaS relationships
• Azure Security Center - Alerts and Tasks
• Azure Resource Graph

This add-on contains the following alert actions:

• Stop Azure VM - stops an Azure Virtual Machine.
• Add member to group - adds a user to a group. This can be useful if you need to enable additional policies like MFA based on search results.
• Dismiss Azure Alert - dismisses an Azure Security Center alert.

Note:

Version 3.0.0 and later of the Microsoft Azure Add-on for Splunk is compatible only with Splunk Enterprise version 8.0.0 and above.

Privacy

Use of this add-on is permitted subject to your obligations, including data privacy obligations, under your agreement with Splunk and Splunk's Privacy Policy.