Migrate inputs to the Splunk supported Add-ons

Use this guide for migrating inputs from Splunk Add-on for Microsoft Azure to the following add-ons:

  • Splunk Add-on for Microsoft Cloud Services
  • Splunk Add-on for Microsoft Office 365
  • Splunk Add-on for Microsoft Security

Inputs and destinations

| Feature/input | Migration destination | Reference link |
|---|---|---|
| Microsoft Entra ID Interactive Sign-ins | Eventhub + Splunk Add-on for Microsoft Cloud Services/Data Manager | Details |
| Microsoft Entra ID Users | Splunk Add-on for Microsoft Office 365 | Details |
| Microsoft Entra ID Groups | Splunk Add-on for Microsoft Office 365 | Details |
| Microsoft Entra ID Applications | Splunk Add-on for Microsoft Office 365 | Details |
| Microsoft Entra ID Devices | Splunk Add-on for Microsoft Office 365 | Details |
| Microsoft Entra ID Audit | Eventhub + Splunk Add-on for Microsoft Cloud Services/Data Manager | Details |
| Microsoft Entra ID Risk Detection | Eventhub + Splunk Add-on for Microsoft Cloud Services/Data Manager | Details |
| Microsoft Graph Security API | Splunk Add-on for Microsoft Security (Defender for Endpoint Alerts) | Details |
| Metrics | Splunk Add-on for Microsoft Cloud Services | Details |
| Security Center (Defender for Cloud) | Eventhub + Splunk Add-on for Microsoft Cloud Services/Data Manager | Details |
| Subscriptions | Splunk Add-on for Microsoft Cloud Services | Details |
| Resource Groups | Splunk Add-on for Microsoft Cloud Services | Details |
| Virtual Networks | Splunk Add-on for Microsoft Cloud Services | Details |
| Compute | Splunk Add-on for Microsoft Cloud Services | Details |
| Azure KQL Log Analytics | Splunk Add-on for Microsoft Cloud Services | Details |
| Azure Billing and Consumption | Splunk Add-on for Microsoft Cloud Services | Details |
| Azure Reservation Recommendation | Splunk Add-on for Microsoft Cloud Services | Details |
| Azure Resource Graph | Splunk Add-on for Microsoft Cloud Services | Details |
| Azure Topology (automatic/manual) | Splunk Add-on for Microsoft Cloud Services | Details |
| Add member to Microsoft 365 Group (alert action) | Splunk Add-on for Microsoft Office 365 | Details |
| Stop Azure VM (alert action) | Splunk Add-on for Microsoft Cloud Services | Details |
| Dismiss Azure Alert (alert action) | Splunk Add-on for Microsoft Security | Details |

Migration details

Microsoft Entra ID Interactive Sign-ins

Due to throttling limits, you must send Azure AD sign-in data to an Eventhub and use the Splunk Add-on for Microsoft Cloud Services or Splunk Data Manager (for Splunk Cloud Platform deployments only) to collect the data.

Microsoft Entra ID Users

This input is migrated to the supported Splunk Add-on for Microsoft Office 365.

  1. Disable the existing input in the Splunk Add-on for Microsoft Azure.
  2. In the Splunk Add-on for Microsoft Office 365, select Create New Input and select Microsoft Entra ID Metadata to create a new input.
  3. Select the Users option in the “Microsoft Entra ID Type” parameter.
  4. Save the input.

For more information, see Splunk Add-on for Microsoft Office 365 – Microsoft Entra ID Metadata input reference document: Configure Microsoft Entra ID Metadata Inputs.

Microsoft Entra ID Groups

This input is migrated to the supported Splunk Add-on for Microsoft Office 365.

  1. Disable the existing input in the Splunk Add-on for Microsoft Azure.
  2. In the Splunk Add-on for Microsoft Office 365, select Create New Input and select Microsoft Entra ID Metadata to create a new input.
  3. Select the Groups option in the “Microsoft Entra ID Type” parameter.
  4. Save the input.

For more information, see Splunk Add-on for Microsoft Office 365 – Microsoft Entra ID Metadata input reference document: Configure Microsoft Entra ID Metadata Inputs.

Microsoft Entra ID Applications

This input is migrated to the supported Splunk Add-on for Microsoft Office 365.

  1. Disable the existing input in the Splunk Add-on for Microsoft Azure.
  2. In the Splunk Add-on for Microsoft Office 365, select Create New Input and select Microsoft Entra ID Metadata to create a new input.
  3. Select the Applications option in the “Microsoft Entra ID Type” parameter.
  4. Save the input.

For more information, see Splunk Add-on for Microsoft Office 365 – Microsoft Entra ID Metadata input reference document: Configure Microsoft Entra ID Metadata Inputs.

Microsoft Entra ID Devices

This input is migrated to the supported Splunk Add-on for Microsoft Office 365.

  1. Disable the existing input in the Splunk Add-on for Microsoft Azure.
  2. In the Splunk Add-on for Microsoft Office 365, select Create New Input and select Microsoft Entra ID Metadata to create a new input.
  3. Select the Devices option in the “Microsoft Entra ID Type” parameter.
  4. Save the input.

For more information, see Splunk Add-on for Microsoft Office 365 – Microsoft Entra ID Metadata input reference document: Configure Microsoft Entra ID Metadata Inputs.

Microsoft Entra ID Audit

Due to throttling limits, you must send Azure AD audit data to an Eventhub and use the Splunk Add-on for Microsoft Cloud Services or Splunk Data Manager (for Splunk Cloud Platform deployments only) to collect the data.

Microsoft Entra ID Risk Detection

You must send Risk Detection logs to an Eventhub and use the Splunk Add-on for Microsoft Cloud Services – Eventhub input or Splunk Data Manager (for Splunk Cloud Platform deployments only) to collect the data.

Microsoft Graph Security API

This input uses legacy endpoints, which Microsoft will remove by April 2026. The alternative is the “Microsoft Defender for Endpoint Alerts” input in the Splunk Add-on for Microsoft Security, which follows Microsoft-recommended API usage.

  1. Disable the existing input Microsoft Graph Security API in the Splunk Add-on for Microsoft Azure.
  2. In the Splunk Add-on for Microsoft Security, select Create New Input and select Microsoft Defender for Endpoint Alerts to create a new input.
  3. Save the input.

For more information, see Splunk Add-on for Microsoft Security – input reference document: Configure.

Metrics

This input is migrated to the supported Splunk Add-on for Microsoft Cloud Services.

  1. Disable the existing input in the Splunk Add-on for Microsoft Azure.
  2. In the Splunk Add-on for Microsoft Cloud Services, select Create New Input and select Azure Metrics to create a new input.
  3. Save the input.

For more information, see Splunk Add-on for Microsoft Cloud Services – Azure Metrics input reference document: Azure Metrics.

Security Center (now called Microsoft Defender for Cloud)

Security Center has been renamed to Microsoft Defender for Cloud. It is now possible to export these data sources to an Eventhub and use the Splunk Add-on for Microsoft Cloud Services – Eventhub input or Splunk Data Manager (for Splunk Cloud Platform deployments only) to collect the data.

Subscriptions

This input is migrated to the supported Splunk Add-on for Microsoft Cloud Services.

  1. Disable the existing input in the Splunk Add-on for Microsoft Azure.
  2. In the Splunk Add-on for Microsoft Cloud Services, select Create New Input and select Azure Resource to create a new input.
  3. Select the Subscriptions option in the “Resource Type” parameter.
  4. Save the input.

For more information, see Splunk Add-on for Microsoft Cloud Services – Azure Resource input reference document: Azure Resource.

Resource Groups

This input is migrated to the supported Splunk Add-on for Microsoft Cloud Services.

  1. Disable the existing input in the Splunk Add-on for Microsoft Azure.
  2. In the Splunk Add-on for Microsoft Cloud Services, select Create New Input and select Azure Resource to create a new input.
  3. Select the Resource Groups option in the “Resource Type” parameter.
  4. Save the input.

For more information, see Splunk Add-on for Microsoft Cloud Services – Azure Resource input reference document: Azure Resource.

Virtual Networks

This input is migrated to the supported Splunk Add-on for Microsoft Cloud Services.

  1. Disable the existing input in the Splunk Add-on for Microsoft Azure.
  2. In the Splunk Add-on for Microsoft Cloud Services, select Create New Input and select Azure Resource to create a new input.
  3. Select the Virtual Network option in the “Resource Type” parameter.
  4. Save the input.

For more information, see Splunk Add-on for Microsoft Cloud Services – Azure Resource input reference document: Azure Resource.

Compute

This input is migrated to the supported Splunk Add-on for Microsoft Cloud Services.

  1. Disable the existing input in the Splunk Add-on for Microsoft Azure.
  2. In the Splunk Add-on for Microsoft Cloud Services, select Create New Input and select Azure Resource to create a new input.
  3. From the “Resource Type” parameter, select Virtual Machine, Disk Data, Image Data, or Snapshot Data. If required, create multiple inputs for each resource type.
  4. Save the input.

For more information, see Splunk Add-on for Microsoft Cloud Services – Azure Resource input reference document: Azure Resource.

Azure KQL Log Analytics

This input is migrated to the supported Splunk Add-on for Microsoft Cloud Services.

  1. Disable the existing input in the Splunk Add-on for Microsoft Azure.
  2. In the Splunk Add-on for Microsoft Cloud Services, select Create New Input and select Azure KQL Log Analytics to create a new input.
  3. Save the input.

For more information, see Splunk Add-on for Microsoft Cloud Services – Azure KQL Log Analytics input reference document: Azure KQL Log Analytics.

Azure Billing and Consumption

This input is migrated to the supported Splunk Add-on for Microsoft Cloud Services.

  1. Disable the existing input in the Splunk Add-on for Microsoft Azure.
  2. In the Splunk Add-on for Microsoft Cloud Services, select Create New Input and select Azure Consumption (Billing) to create a new input.
  3. Select the Usage Details option in the “Data Type” parameter.
  4. Save the input.

For more information, see Splunk Add-on for Microsoft Cloud Services – Azure Consumption (Billing) input reference document: Billing.

Azure Reservation Recommendation

This input is migrated to the supported Splunk Add-on for Microsoft Cloud Services.

  1. Disable the existing input in the Splunk Add-on for Microsoft Azure.
  2. In the Splunk Add-on for Microsoft Cloud Services, select Create New Input and select Azure Consumption (Billing) to create a new input.
  3. Select the Reservation Recommendation option in the “Data Type” parameter.
  4. Save the input.

For more information, see Splunk Add-on for Microsoft Cloud Services – Azure Consumption (Billing) input reference document: Billing.

Azure Resource Graph

This input is migrated to the supported Splunk Add-on for Microsoft Cloud Services.

  1. Disable the existing input in the Splunk Add-on for Microsoft Azure.
  2. In the Splunk Add-on for Microsoft Cloud Services, select Create New Input and select Azure Resource to create a new input.
  3. Select the Subscriptions option in the “Resource Type” parameter.
  4. Save the input.

For more information, see Splunk Add-on for Microsoft Cloud Services – Azure Resource input reference document: Azure Resource.

Azure Topology (automatic) and Azure Topology (manual)

These inputs have been migrated to the supported Splunk Add-on for Microsoft Cloud Services.

  1. Disable the existing input in the Splunk Add-on for Microsoft Azure.
  2. In the Splunk Add-on for Microsoft Cloud Services, select Create New Input and select Azure Resource to create a new input.
  3. Select the Topology option in the “Resource Type” parameter.
  4. Save the input.

For more information, see Splunk Add-on for Microsoft Cloud Services – Azure Resource input reference document: Azure Resource.

Add member to Microsoft 365 Group (alert action)

This alert action has been migrated to Splunk Add-on for Microsoft Office 365.

  1. Disable the existing alert action in the Splunk Add-on for Microsoft Azure.
  2. Create an alert in the Search & Reporting app and select Add Member to Microsoft 365 Group Alert as the trigger action.

For more information, see Splunk Add-on for Microsoft Office 365 – Add member to group alert reference document: Add Member to Microsoft 365 Group alert.

Stop Azure VM (alert action)

This alert action has been migrated to Splunk Add-on for Microsoft Cloud Services.

  1. Disable the existing alert action in the Splunk Add-on for Microsoft Azure.
  2. Create an alert in the Search & Reporting app and select Stop Azure VM Alert as the trigger action.

For more information, see Splunk Add-on for Microsoft Cloud Services – Stop Azure VM alert reference document: Stop Azure VM alert.

Dismiss Azure Alert (alert action)

This alert action has been migrated to Splunk Add-on for Microsoft Security.

  1. Disable the existing alert action in the Splunk Add-on for Microsoft Azure.
  2. Create an alert in the Search & Reporting app and select Dismiss Azure Alert as the trigger action.

For more information, see Splunk Add-on for Microsoft Security – Configure Alert Actions reference document: Alert actions.