Configure Azure audit modular inputs for the Splunk Add-on for Microsoft Cloud Services
Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice, or by using the configuration files.
Prerequisites
Before you enable inputs, complete the previous steps in the configuration process:
- Configure an Active Directory Application in Azure AD for the Splunk Add-on for Microsoft Cloud Services
- Connect to your Azure App Account with Splunk Add-on for Microsoft Cloud Services
Configure inputs using Splunk Web
Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
- In the Splunk Add-on for Microsoft Cloud Services, select Inputs.
- Select Create New Input and then select Azure Audit.
- Enter the Name, Azure Account, Subscription ID, Start Time, Interval and Index using the information in the Input parameters table.
Configure inputs using configuration files
Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
- Create a file named mscs_azure_audit_inputs.conf under $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local.
- Add the following stanza:
  [<input_stanza_name>]
  account = <value>
  subscription_id = <value>
  start_time = <value>
  index = <value>
  interval = <value>
- Save and restart the Splunk platform.
Verify that the value listed for account matches the account entry (the stanza name) in mscs_azure_accounts.conf.
Input parameters
Create one Azure Event Hub input for each log category, for example Azure Active Directory (AAD), Resource, and Activity.
Attribute | Corresponding field in Splunk Web | Description
---|---|---
[<input_stanza_name>] | Name | A friendly name for your input. The name cannot contain any whitespace.
account | Azure Account | The Azure App account from which you want to gather data. The value must match a stanza in mscs_azure_accounts.conf and cannot contain any whitespace.
subscription_id | Subscription ID | The input queries the management events that belong to this subscription. Use the subscription ID you configured in Microsoft account requirements.
start_time | Start Time | The add-on collects events dated later than this time. The format is YYYY-MM-DDThh:mm:ssTZD; for example, 2016-07-15T09:00:00+08:00 fetches data from 2016-07-15 09:00:00 in the UTC+8 time zone. The default is 30 days before the input is configured. The earliest start time an Azure Audit input accepts is 90 days before the input is configured, which matches the 90-day retention of the Azure Activity Log.
interval | Interval | The number of seconds to wait before the Splunk platform runs the collection again. The default is 3600 seconds.
index | Index | The index in which to store Azure audit data.
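The constraints in the parameters table (no whitespace in names, a start_time with a time zone designator no older than 90 days, an integer interval) and the rule from the configuration-file procedure that account must name a stanza in mscs_azure_accounts.conf are easy to get wrong by hand, and a broken stanza only surfaces as an input that silently collects nothing. The following pre-flight check is an added example, not part of the Splunk Add-on for Microsoft Cloud Services: it parses both .conf files with Python's configparser and reports every violation per stanza. The account names, subscription IDs and stanza contents are constructed sample data; the accounts file is reduced to its stanza headers because only the stanza names are needed for the check.

```python
"""Pre-flight validation of Azure Audit input stanzas (added example, not add-on code)."""
import configparser
import uuid
from datetime import datetime, timedelta, timezone

MAX_LOOKBACK_DAYS = 90  # oldest start_time the Azure Audit input accepts
REQUIRED_KEYS = ("account", "subscription_id", "start_time", "index", "interval")
CHECK_AS_OF = datetime(2024, 5, 15, tzinfo=timezone.utc)  # fixed "now" for a repeatable demo

# Constructed sample mscs_azure_accounts.conf: only stanza headers matter here,
# so the account keys (credentials etc.) are deliberately left out.
ACCOUNTS_CONF = """
[prod_azure_app]
[dev_azure_app]
"""

# Constructed sample mscs_azure_audit_inputs.conf: one good stanza and two bad ones.
INPUTS_CONF = """
[azure_audit_prod]
account = prod_azure_app
subscription_id = 3f0b1f0a-4c6d-4e1a-9b2e-1234567890ab
start_time = 2024-05-01T00:00:00+00:00
index = azure_audit
interval = 3600

[azure audit dev]
account = dev_azure_app
subscription_id = not-a-guid
start_time = 2024-05-01T00:00:00
index = azure_audit
interval = 3600

[azure_audit_stale]
account = missing_app
subscription_id = 7a2d8c44-6f0e-4b3a-8d15-0fedcba98765
start_time = 2024-01-01T00:00:00Z
index = azure_audit
interval = 1h
"""


def _parse(text):
    # Splunk .conf files are INI-style; disable interpolation so '%' in values is literal.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _parse_start_time(value):
    """Accept YYYY-MM-DDThh:mm:ssTZD; a trailing Z is normalised for older Pythons."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError("missing time zone designator (TZD)")
    return ts


def check_inputs(inputs_text, accounts_text, now):
    """Return {stanza_name: [problem, ...]} for every stanza in the inputs file."""
    accounts = set(_parse(accounts_text).sections())
    cp = _parse(inputs_text)
    earliest = now - timedelta(days=MAX_LOOKBACK_DAYS)
    report = {}
    for stanza in cp.sections():
        problems = []
        sec = cp[stanza]
        if any(ch.isspace() for ch in stanza):
            problems.append("input name contains whitespace")
        for key in REQUIRED_KEYS:
            if not sec.get(key):
                problems.append(f"{key} is missing")
        account = sec.get("account", "")
        if account and account not in accounts:
            problems.append(f"account '{account}' has no stanza in mscs_azure_accounts.conf")
        sub = sec.get("subscription_id", "")
        if sub:
            try:
                uuid.UUID(sub)  # Azure subscription IDs are GUIDs
            except ValueError:
                problems.append("subscription_id is not a GUID")
        start = sec.get("start_time", "")
        if start:
            try:
                ts = _parse_start_time(start)
            except ValueError as exc:
                problems.append(f"start_time is invalid: {exc}")
            else:
                if ts < earliest:
                    problems.append(f"start_time is older than {MAX_LOOKBACK_DAYS} days")
                elif ts > now:
                    problems.append("start_time is in the future; nothing is collected until then")
        interval = sec.get("interval", "")
        if interval and (not interval.isdigit() or int(interval) <= 0):
            problems.append("interval must be a positive integer number of seconds")
        report[stanza] = problems
    return report


def demo_report():
    """Run the check over the constructed sample files as of CHECK_AS_OF."""
    return check_inputs(INPUTS_CONF, ACCOUNTS_CONF, CHECK_AS_OF)


if __name__ == "__main__":
    for name, problems in demo_report().items():
        print(f"[{name}] {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

To use it against a real deployment, read the two files from $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local and pass datetime.now(timezone.utc) as now; an empty problem list for every stanza means the input will at least be accepted, though only the add-on's own logs confirm that the Azure App account has rights on the subscription.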