Splunking Microsoft Azure Audit Data
We recently made available a community-supported Splunk Add-on for Microsoft Azure, which gives you insight into Azure IaaS and PaaS. I am happy to announce that this add-on now includes the ability to ingest Azure Audit data. The idea behind Splunking Azure Audit logs is to be able to tell who did what and when and what events might impact the health of your Azure resources. In this blog post, I will detail what we are collecting, how to use the data, and what is coming next for the add-on.
What are we collecting?
This update adds a new modular input to your Splunk environment:
This modular input grabs data using the Azure Insights Events API.
How to use the Azure Audit data
There are several new prebuilt panels included in the add-on to get you started:
Azure – Audit – Event Actions
Azure – Audit – Events by Caller
Azure – Audit – Events by Resource Group
Azure – Audit – Operation Levels by Geography
Azure – Audit – Top Events by Resource Type
Setting up the Azure Audit input
The Azure Insights Events API is a REST endpoint and requires a little bit of setup on the Azure side. An Azure Active Directory application must be set up and a few key pieces of information must be supplied to the modular input. Don’t worry though, there are step-by-step instructions provided in the docs folder in the add-on.
For a quick start, check out the video below:
What is coming next?
The next integration slated to roll into this add-on is Azure Network Security Group logs – meaning network flow, load balancers, and network security group activity. Stay tuned…