Splunking Microsoft Azure Network Watcher Data


Microsoft has released a new service in Azure called Network Watcher.  Network Watcher is a network performance monitoring, diagnostic, and analytics service which enables you to monitor your network in Azure.  The data collected by Network Watcher is stored in one or more Azure Storage Containers.  The Splunk Add-on for Microsoft Cloud Services has inputs to collect data stored in Azure Storage Containers which provides valuable insights for operational intelligence regarding Azure network workloads.  In this blog post, we will explore how to get Azure Network Security Group (NSG) Flow Logs into Splunk and some possible use case scenarios for the data.

Getting Azure NSG Flow Log data into Splunk

NSG flow logs allow you to view information about …

» Continue reading

101 things the mainstream media doesn’t want you to know about PowerShell logging*


At .conf2016 Steve Brant and I presented on how to detect PowerShell maliciousness using Splunk [2]. The only problem is, if you didn’t attend the conference and only read the PowerPoint slides you might say something like “Your presentation is just big photos and SPL”. Which is true. Frankly, we like big fonts and we cannot lie. You other presenters may deny. That when a deck goes up with a big sans-serif font and a bright image in your eyes you get… distracted by where I am going with this paragraph. As such, we are going to create blog postings of our presentation for those of you who didn’t attend our talk in person. In this missive …

» Continue reading

Configuring Microsoft’s Active Directory Federation Services (ADFS) Security Assertion Markup Language (SAML) Single Sign On (SSO) with Splunk Cloud

The title is definitely a mouthful…. It is easier to say “Configure ADFS SAML SSO with Splunk> Cloud”, that’s for sure, but we did get all of the definitions of the acronyms down in one shot….

I’ve put together a couple of blog postings now on SAML configurations for Splunk> Cloud: one for Okta, one for Azure. ADFS is definitely a bit more involved than those other two Identity Providers (IdPs), and can be a bit more tricky depending on your implementation, but with the following guide you should be well on your way to integrating ADFS with your Splunk> Cloud instance!

I am a Cloud Services Advisory Engineer on the Customer Adoption and Success …

» Continue reading

#splunkconf16 preview: DevOps sessions you don’t want to miss

DevOps is hot, and at our 7th Annual Splunk Users’ Conference, .conf2016 in Orlando, it will be sizzling! We have an entire sub-track dedicated just to DevOps. Our customers, technology partners, and Splunkers will be presenting a plethora of DevOps use cases suitable for newbies as well as DevOps ninjas. Below are some of the highlighted sessions.

Tuesday, September 27:

Building the Pipeline Presented by CSAA: Featuring DevOps and Splunk (12:40pm -1:25pm)
In this session, Doug Erkkila from CSAA Insurance Group and Domnick Eger, a Splunk SE with prior developer experience, will describe how CSAA uses Splunk software to manage their automated build pipeline. Spoiler alert! Star Wars fans will really love this session.

Splunk of War: Creating a Better

» Continue reading

Splunking a Microsoft Word document for metadata and content analysis

The Big Data ecosystem is nowadays often abbreviated with ‘V’s. The 3Vs of Big Data, or the 4Vs of Big Data, even the 5Vs of Big Data! However many ‘V’s are used, two are always dedicated to Volume and Variety.

Recent news provides particularly rich examples with one being the Panama Papers. As explained by Wikipedia:

The Panama Papers are a leaked set of 11.5 million confidential documents that provide detailed information about more than 214,000 offshore companies listed by the Panamanian corporate service provider Mossack Fonseca. The documents […] totaled 2.6 terabytes of data.

This leak illustrates the following pretty well:

  • The need to process huge volumes of data (2.6 TB of data in that particular case)
  • The need to
» Continue reading

Splunking Microsoft Azure Audit Data

We recently made available a community-supported Splunk Add-on for Microsoft Azure, which gives you insight into Azure IaaS and PaaS. I am happy to announce that this add-on now includes the ability to ingest Azure Audit data. The idea behind Splunking Azure Audit logs is to be able to tell who did what, and when, and which events might impact the health of your Azure resources. In this blog post, I will detail what we are collecting, how to use the data, and what is coming next for the add-on.

What are we collecting?

This update adds a new modular input to your Splunk environment:

This modular input grabs data using the Azure Insights Events API.

How to

» Continue reading

Splunking Microsoft Azure Data

There are a lot of services in Microsoft Azure, and a lot of those services are producing machine data. Hal Rottenberg wrote a post covering several of these services and some ways to integrate Splunk with Microsoft Azure. We recently released a new cross-platform Azure add-on that consumes data for some IaaS and PaaS services. In this blog post, I will detail what we are collecting, how to use the data, and what is coming next for the add-on.

What are we collecting?

The add-on ships with three modular inputs:

  1. Azure Diagnostics – this input collects data from an Azure Storage account that contains virtual machine diagnostic information.
  2. Azure Website Diagnostics – this input collects server and application data for Azure
» Continue reading

Announcing Splunk Enterprise in Microsoft Azure Marketplace

We are pleased to announce the release of Splunk Enterprise in Microsoft Azure Marketplace!

Now Azure customers can deploy and purchase Azure-certified Splunk Enterprise clusters in minutes, with the entire point-and-click workflow contained within their Azure portal.

This Bring-Your-Own-License offering on Azure IaaS provides Splunk customers another platform for self-managed Splunk deployments, in addition to on-premise and other public cloud deployment options.

What can Splunk Enterprise in Azure Marketplace do for you?

Our mission at Splunk is to make machine data accessible, usable and valuable to everyone. We strive to turn machine data into valuable insights in as little time as possible to help businesses in their journey towards operational intelligence:

Time to value flowchart

Splunk Enterprise in Azure Marketplace enables and

» Continue reading

Splunk and Microsoft Azure – Intro and Resource Roundup

Update Mar 15th, 2016: Jason Conger has announced the beta of the Azure Add-On for Splunk!

Update Feb 18th, 2016: Roy Arsan has announced the launch of Splunk Enterprise in the Azure Marketplace!

Note: the below article was written back in Dec 2014, but still gets a ton of hits and questions. Be sure to check out the Azure tag here on Splunk Blogs for the latest news.

We are often asked by customers how Splunk can integrate with, or run in, Microsoft’s Azure cloud platform. There’s actually a fair bit of information about this broad topic on splunk.com and elsewhere, but it can be a bit hard to find. This post will serve as an introduction to a few Azure …

» Continue reading

Monitoring Network Traffic with Sysmon and Splunk

Every IT guy has a set of tools that they use every day. One of mine is Sysinternals. It’s a set of Windows utilities made available by Microsoft that do a whole slew of things. You can install them with Chocolatey (another tool in my toolset) or download and unpack them from their website. If you use Windows and this toolset isn’t in your arsenal, maybe it’s time.

Back in August, I got a request from one of our engineers asking me if we had any plans to support the collection of Sysmon data. Sysmon is a Windows system service (yes, another agent) that logs system activity to the Windows Event Log. However, it places all the important stuff in the …

» Continue reading