
Splunk Lantern

Microsoft: Azure with Data Manager


Ingesting various Microsoft Azure data sources into Splunk Cloud Platform can be accomplished with the standard Microsoft Azure add-on, but this can be time-consuming and complex to configure.

Solution

Using the Data Manager with Azure data takes out the complexity and enables configuration in minutes instead of hours. The Data Manager is an app built for and installed in Splunk Cloud Platform and has built-in automation to simplify actions. Azure data in the Data Manager is managed from a single user interface, so you can create, manage, monitor, and troubleshoot your data configurations in a centralized place. It can be used to collect the data sources shown in the table below.

Azure Active Directory Logs
  Scope: Consists of historical sign-in activity and an audit trail of effective changes executed in Azure Active Directory.
  Use Case: Provides visibility into the sign-in patterns of the AD users. Audit system activities related to users, groups, and applications for compliance, which gives the organization the potential to respond.

Azure Activity Logs
  Scope: Provides insight into the operations on each Azure resource within the subscription from the outside (the management plane), in addition to updates on Service Health events.
  Use Case: Provides visibility into subscription-level events, including changes to critical deployment resources, tracking security alerts, monitoring service health incidents, and auto-scaling events.

Organizations always need to see what is going on in their environment: who is logging into Active Directory, whether they need to scale, and what billing for their cost centers looks like. The following are some of the use cases that can be accomplished with Azure data in the Data Manager:

  • Scalability
  • Infrastructure
  • Billing
  • Security
  • Observability

Getting data in (GDI)

For more detailed instructions than what is provided below, see Onboarding for Azure data in the Data Manager.

  1. Register an app in your Azure portal. This is necessary to establish trust between the Data Manager and your Azure Portal.
  2. Create a new client secret for the app you register.
  3. Ensure that in the Azure portal the onboarding user (Administrator) has Read/Write permissions to deploy an Azure Resource Manager (ARM) template containing the Azure Data Manager configuration, which creates the data ingestion resources.
  4. In Splunk Cloud Platform, select Apps > Data Manager.
  5. Select the Microsoft Azure data source, and then the specific Azure source you want.

Next steps

These additional resources might help you understand and implement this guidance: