Migrate from the Splunk Add-on for Microsoft Azure
To collect Azure Active Directory data using an Azure Event Hub, migrate from the Splunk Add-on for Microsoft Azure to the Splunk Add-on for Microsoft Cloud Services. See the following steps:
- Install the latest version of Splunk Add-on for Microsoft Cloud Services.
- Configure an Active Directory Application in Azure AD for the Splunk Add-on for Microsoft Cloud Services.
- Configure a Storage Account in Microsoft Cloud Services.
- Connect to your Azure App Account with Splunk Add-on for Microsoft Cloud Services.
- Configure Azure Event Hub inputs for the Splunk Add-on for Microsoft Cloud Services.
- Run the following search to verify data collection: `index=* sourcetype="azure:monitor:*"`.
Source type changes
See the following source type changes from the Splunk Add-on for Microsoft Azure to the Splunk Add-on for Microsoft Cloud Services:
Azure source type | MSCS event type | MSCS source type |
---|---|---|
azure:aad:user | mscs_azure_aad_userlogs | azure:monitor:aad |
azure:aad:signin | mscs_azure_aad_signinlogs | azure:monitor:aad |
azure:aad:audit | mscs_azure_aad_auditlogs | azure:monitor:aad |
CIM field changes
See the following CIM field changes from the Splunk Add-on for Microsoft Azure to the Splunk Add-on for Microsoft Cloud Services:
CIM field | The Splunk Add-on for Microsoft Azure Extraction | The Splunk Add-on for MSCS Extraction |
---|---|---|
Vendor Product | Microsoft Azure Active Directory | Azure AD |
src | Event field: ipAddress. The events carry properties.ipAddress rather than ipAddress, so the field is assumed not to be extracted by the current add-on. | Event field: callerIpAddress |
src_ip | Event field: ipAddress. The events carry properties.ipAddress rather than ipAddress, so the field is assumed not to be extracted by the current add-on. | Event field: callerIpAddress |
user_agent | Event field: UserAgent. The events carry properties.userAgent rather than UserAgent, so the field is assumed not to be extracted by the current add-on. | Event field: properties.userAgent |
app | Event field: appDisplayName. The events carry properties.appDisplayName rather than appDisplayName, so the field is assumed not to be extracted by the current TA. | Event field: properties.appDisplayName |
dest | Event field: resourceDisplayName | Event field: tenantId |
enabled | Event field: accountEnabled. The events carry provisioningSteps.details.dynamicProperties.accountEnabled rather than accountEnabled, so the field is assumed not to be extracted by the current TA. | Event field: provisioningSteps.details.dynamicProperties.accountEnabled |
authentication_method | Event field: authenticationDetails{}.authenticationMethod. Sample values: Previously satisfied, Password | Event field: properties.isInteractive. If properties.isInteractive is true, the value is Interactive; otherwise it is nonInteractive. |
user | Event field: userPrincipalName (authentication event), displayName (user event) | `case(operationName IN ("Add service principal","Update service principal"),mvindex('properties.targetResources{}.displayName',mvfind('properties.targetResources{}.type',"^ServicePrincipal$")), \ operationName IN ("Provisioning activity"),'properties.provisioningSteps{}.details.dynamicProperties.userPrincipalName', \ operationName IN ("Redeem external user invite","Delete external user","Viral user creation"),UPN, \ like(operationName,"Add member to role in PIM%") OR like(operationName,"Add eligible member to role in PIM%") OR operationName IN ("Add member to role","Add member to group","Add owner to application","Update user","Invite external user","Reset user password","Restore user","Add member to role outside of PIM (permanent)","Change password (self-service)","Reset password (by admin)","Add eligible member to role","Remove eligible member from role","Remove member from group","Change user password"),'properties.targetResources{}.userPrincipalName',operationName IN ("Add device"),'properties.initiatedBy.app.displayName', \ true(),coalesce('properties.initiatedBy.user.userPrincipalName','properties.userPrincipalName','properties.servicePrincipalName'))` |
user_id | Event field: userPrincipalName (authentication event), displayName (user event) | `case(isnotnull('properties.servicePrincipalId') AND 'properties.servicePrincipalId' != "", 'properties.servicePrincipalId', \ true(), 'properties.userId')` |
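The following Python script is an added example, not Splunk's code or part of the add-on. It re-implements the MSCS-side extractions from the table above (including the `case()` logic for `user` and `user_id`) over constructed `azure:monitor:aad` events, so you can preview which CIM fields the new add-on will populate for a given event shape before cutover, and see why the old add-on's top-level `ipAddress` lookup comes back empty on Event Hub data. The helpers `get` and `first` mimic Splunk's dotted-path and `{}` multivalue access; the `UPN` field used by the external-user cases is assumed to be present on the event, as the add-on extracts it separately.

```python
"""Preview MSCS CIM field extractions over constructed azure:monitor:aad events.
Added example, not Splunk's code; mimics the table's mappings, not the add-on itself."""

# operationName values whose user comes from properties.targetResources{}.userPrincipalName
TARGET_UPN_OPS = {
    "Add member to role", "Add member to group", "Add owner to application", "Update user",
    "Invite external user", "Reset user password", "Restore user",
    "Add member to role outside of PIM (permanent)", "Change password (self-service)",
    "Reset password (by admin)", "Add eligible member to role",
    "Remove eligible member from role", "Remove member from group", "Change user password",
}


def get(event, path):
    """Resolve a Splunk-style dotted path; a '{}' suffix flattens a JSON list.
    Always returns a list (possibly empty), like a multivalue field."""
    nodes = [event]
    for seg in path.split("."):
        mv = seg.endswith("{}")
        key = seg[:-2] if mv else seg
        nxt = []
        for node in nodes:
            if isinstance(node, dict) and key in node:
                val = node[key]
                nxt.extend(val if mv and isinstance(val, list) else [val])
        nodes = nxt
    return nodes


def first(event, path):
    vals = get(event, path)
    return vals[0] if vals else None


def cim_user(event):
    """Python rendering of the case() expression for the CIM 'user' field."""
    op = event.get("operationName", "")
    if op in ("Add service principal", "Update service principal"):
        # mvindex(displayName, mvfind(type, "^ServicePrincipal$"))
        for typ, name in zip(get(event, "properties.targetResources{}.type"),
                             get(event, "properties.targetResources{}.displayName")):
            if typ == "ServicePrincipal":
                return name
        return None
    if op == "Provisioning activity":
        return first(event, "properties.provisioningSteps{}.details.dynamicProperties.userPrincipalName")
    if op in ("Redeem external user invite", "Delete external user", "Viral user creation"):
        return event.get("UPN")  # assumed: UPN extracted separately by the add-on
    if (op.startswith("Add member to role in PIM") or op.startswith("Add eligible member to role in PIM")
            or op in TARGET_UPN_OPS):
        return first(event, "properties.targetResources{}.userPrincipalName")
    if op == "Add device":
        return first(event, "properties.initiatedBy.app.displayName")
    for path in ("properties.initiatedBy.user.userPrincipalName",  # true() -> coalesce(...)
                 "properties.userPrincipalName", "properties.servicePrincipalName"):
        val = first(event, path)
        if val is not None:
            return val
    return None


def cim_user_id(event):
    sp_id = first(event, "properties.servicePrincipalId")
    return sp_id if sp_id not in (None, "") else first(event, "properties.userId")


def extract_cim(event):
    """All MSCS-side mappings from the table, keyed by CIM field."""
    interactive = first(event, "properties.isInteractive")
    return {
        "vendor_product": "Azure AD",
        "src": event.get("callerIpAddress"),
        "src_ip": event.get("callerIpAddress"),
        "user_agent": first(event, "properties.userAgent"),
        "app": first(event, "properties.appDisplayName"),
        "dest": event.get("tenantId"),
        "enabled": first(event, "provisioningSteps.details.dynamicProperties.accountEnabled"),
        "authentication_method": "Interactive" if interactive in (True, "true") else "nonInteractive",
        "user": cim_user(event),
        "user_id": cim_user_id(event),
    }


def legacy_src(event):
    """The Microsoft Azure add-on read a top-level ipAddress; on Event Hub events the
    address sits under properties, so this returns None (field not extracted)."""
    return event.get("ipAddress")


# Constructed sample events; IDs and addresses are placeholders, not real tenant data.
SIGNIN_EVENT = {
    "operationName": "Sign-in activity", "callerIpAddress": "203.0.113.10",
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "properties": {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
                   "userId": "11111111-1111-1111-1111-111111111111", "isInteractive": True,
                   "userAgent": "Mozilla/5.0", "appDisplayName": "Azure Portal"},
}
ROLE_EVENT = {
    "operationName": "Add member to role", "callerIpAddress": "198.51.100.7",
    "properties": {"initiatedBy": {"user": {"userPrincipalName": "admin@example.com"}},
                   "targetResources": [{"type": "User", "userPrincipalName": "bob@example.com"}]},
}
SP_EVENT = {
    "operationName": "Add service principal",
    "properties": {"servicePrincipalId": "22222222-2222-2222-2222-222222222222",
                   "targetResources": [{"type": "Application", "displayName": "app-registration"},
                                       {"type": "ServicePrincipal", "displayName": "svc-ingest"}]},
}

if __name__ == "__main__":
    for ev in (SIGNIN_EVENT, ROLE_EVENT, SP_EVENT):
        print(ev["operationName"], {k: v for k, v in extract_cim(ev).items() if v is not None})
```

Run it against a handful of real events exported from your own Event Hub (redacted as needed) and compare the output with `| table user user_id src authentication_method` on the `azure:monitor:aad` source type; any field that stays empty in both places points at an event shape the table does not cover.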