Ingesting various Microsoft Azure data sources into Splunk Cloud Platform can be accomplished with the standard Microsoft Azure add-on, but that add-on can be time-consuming and complex to configure.
Using the Data Manager with Azure data takes out the complexity and enables configuration in minutes instead of hours. The Data Manager is an app built for and installed in Splunk Cloud Platform and has built-in automation to simplify actions. Azure data in the Data Manager is managed from a single user interface, so you can create, manage, monitor, and troubleshoot your data configurations in a centralized place. It can be used to collect the data sources shown in the table below.
| | Azure Active Directory Logs | Azure Activity Logs |
|---|---|---|
| Scope | Consists of historical sign-in activity and an audit trail of effective changes executed in Azure Active Directory. | Provides insight into the operations on each Azure resource within the subscription from the outside (the management plane), in addition to updates on Service Health events. |
| Use Case | Provides visibility into the sign-in patterns of the AD users. Audit system activities related to users, groups, and applications for compliance, which gives the organization the potential to respond. | Provides visibility into subscription-level events, including changes to critical deployment resources, tracking security alerts, monitoring service health incidents, and auto-scaling events. |
Organizations always need to see what is going on in their environment: who is logging into Active Directory, whether they need to scale, and what billing for their cost centers looks like. The following are some of the use cases that can be accomplished with Azure data in the Data Manager:
Getting data in (GDI)
For more detailed instructions than what is provided below, see Onboarding for Azure data in the Data Manager.
- Register an app in your Azure portal. This is necessary to establish trust between the Data Manager and your Azure Portal.
- Create a new client secret for the app you register.
- Ensure that, in the Azure portal, the onboarding user (Administrator) has Read/Write permissions to deploy an Azure Resource Manager (ARM) template containing the Data Manager's Azure configuration, which creates the data ingestion resources.
- In Splunk Cloud Platform, select Apps > Data Manager.
- Select the Microsoft Azure data source, and then the specific Azure source you want.
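The permissions step above asks you to confirm the onboarding user can deploy the ARM template, which is easy to get wrong with a custom or read-only role. The following is an added example, not code from the original article or from Splunk, that checks an Azure RBAC role definition's `actions`/`notActions` lists against the control-plane actions a resource-group-scoped deployment needs. It assumes the role is passed as a single permissions entry with lowercase `actions`/`notActions` keys, and that the resource-provider actions for the resources inside the template (not listed on the page) are supplied by the caller in `extra_actions`.

```python
"""Check whether an Azure RBAC role grants the actions an ARM template deployment needs."""
from fnmatch import fnmatchcase

# Control-plane actions every ARM deployment at resource-group scope requires.
# Assumption: provider-specific actions for the resources the template creates
# are passed separately by the caller via `extra_actions`.
DEPLOYMENT_ACTIONS = [
    "Microsoft.Resources/deployments/read",
    "Microsoft.Resources/deployments/write",
]


def _matches(pattern: str, action: str) -> bool:
    """Azure RBAC action strings are case-insensitive; '*' spans any number of segments."""
    return fnmatchcase(action.lower(), pattern.lower())


def action_allowed(role: dict, action: str) -> bool:
    """True when `action` is covered by `actions` and not carved out by `notActions`."""
    allowed = any(_matches(p, action) for p in role.get("actions", []))
    denied = any(_matches(p, action) for p in role.get("notActions", []))
    return allowed and not denied


def missing_actions(role: dict, extra_actions=()) -> list:
    """Return the required actions the role does NOT grant (empty list means deployable)."""
    needed = DEPLOYMENT_ACTIONS + list(extra_actions)
    return [a for a in needed if not action_allowed(role, a)]


# Constructed sample roles (shapes modelled on built-in roles, not copied from Azure).
READER_LIKE = {"actions": ["*/read"], "notActions": []}
CONTRIBUTOR_LIKE = {
    "actions": ["*"],
    "notActions": ["Microsoft.Authorization/*/Delete", "Microsoft.Authorization/*/Write"],
}
# A custom role that looks permissive but explicitly carves out deployment writes.
CUSTOM_ROLE = {
    "actions": ["Microsoft.Resources/*"],
    "notActions": ["Microsoft.Resources/deployments/write"],
}

if __name__ == "__main__":
    for name, role in [("reader", READER_LIKE), ("contributor", CONTRIBUTOR_LIKE), ("custom", CUSTOM_ROLE)]:
        gap = missing_actions(role)
        print(f"{name}: {'OK' if not gap else 'missing ' + ', '.join(gap)}")
```

Run it against the role definition exported from your tenant (for example the `permissions[0]` block of `az role definition list` output) before starting the onboarding; a non-empty list tells you exactly which action the ARM deployment will be denied.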
These additional resources might help you understand and implement this guidance:
- Splunk Docs: Azure prerequisites for Data Manager
- Blog: Data Manager enables Microsoft Azure Data onboarding