Configure Azure Audit modular inputs for the Splunk Add-on for Microsoft Cloud Services¶
Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice, or by using the configuration files.
Prerequisites¶
Before you enable inputs, complete the previous steps in the configuration process:
- Configure an application in Microsoft Entra ID for the Splunk Add-on for Microsoft Cloud Services
- Connect to your Azure App Account with Splunk Add-on for Microsoft Cloud Services
Configure inputs using Splunk Web¶
Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
- In the Splunk Add-on for Microsoft Cloud Services, select Inputs.
- Select Create New Input and then select Azure Audit.
- Enter the Name, Azure Account, Subscription ID, Start Time, Interval and Index using the information in the Input parameters table.
Configure inputs using configuration files¶
Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
- Create a file named
mscs_azure_audit_inputs.confunder$SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local. - Add the following stanza:
[<input_stanza_name>]
account = <value>
subscription_id = <value>
start_time = <value>
index = <value>
interval = <value>
- Save and restart the Splunk platform.
Note
Verify that the value listed for account matches the account entry in mscs_azure_accounts.conf.
Input parameters¶
Create Azure Audit input for each log category, for example, Microsoft Entra ID, Resource, and Activity.
| Attribute | Corresponding field in Splunk Web | Description |
|---|---|---|
input_stanza_name |
Name | A friendly name for your input. Name cannot contain any whitespace. |
account |
Azure Account | The Azure App account from which you want to gather data. Name cannot contain any whitespace. |
subscription_id |
Subscription ID | The instance queries the management events belong to this subscription. The subscription ID is the one you configured in Microsoft account requirements. |
start_time |
Start Time | The add-on starts collecting data with a date later than this time. The format is YYYY-MM-DDThh:mm:ssTZD and the default is 30 days before the configuration, e.g. 2016-07-15T09:00:00+08:00 stands for fetching data from 2016-07-15 09:00:00 in UTC+8 time zone. The maximum start time of Azure Audit inputs is 90 days before the configuration. |
interval |
Interval | The number of seconds to wait before the Splunk platform runs the command again. The default is 3600 seconds. |
index |
Index | The index in which to store Azure audit data. |