Release history for the Splunk Add-on for Microsoft Cloud Services

The latest version of the Splunk Add-on for Microsoft Cloud Services is version 5.3.1. See Release notes for the Splunk Add-on for Microsoft Cloud Services for the release notes of this latest version.

Version 5.3.0

Version 5.3.0 of the Splunk Add-on for Microsoft Cloud Services was released on April 12, 2024.

Compatibility

Version 5.3.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.2.x, 9.0.x, 9.1.x
CIM version: 5.1.0
Supported OS for data collection: Platform independent (MacOS is not supported)
Vendor products: Azure Active Directory, Azure Event Hubs, Azure Storage Table, Azure Storage Blob, Azure Audit, Azure Resource Group, and other cloud services.

New Features

Version 5.3.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Added support for compressed log sets for Storage Blobs
  • Added support for Unicode/ASCII in EventHub collector event raw view
  • Removed limitation of 64 partition for EventHub inputs

Fixed issues

Version 5.3.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear, then there are no bug fixes reported:

Known issues

Version 5.3.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear, no issues have yet been reported:

Third-party software attributions

Version 5.3.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Cloud Services

Version 5.2.2

Version 5.2.2 of the Splunk Add-on for Microsoft Cloud Services was released on February 5, 2024.

Compatibility

Version 5.2.2 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.2.x, 9.0.x, 9.1.x
CIM version: 5.1.0
Supported OS for data collection: Platform independent (MacOS is not supported)
Vendor products: Azure Active Directory, Azure Event Hubs, Azure Storage Table, Azure Storage Blob, Azure Audit, Azure Resource Group, and other cloud services.

New Features

Version 5.2.2 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Bug fixes.

Fixed issues

Version 5.2.2 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear, then there are no bug fixes reported:

Known issues

Version 5.2.2 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear, no issues have yet been reported:

Third-party software attributions

Version 5.2.2 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Cloud Services

Version 5.2.1

Version 5.2.1 of the Splunk Add-on for Microsoft Cloud Services was released on October 6, 2023.

Versions 5.1.0 and 5.2.0 depend on version 5.0 for upgrade. Upgrade to version 5.0 first before upgrading to these versions. This dependency has been eliminated in versions 5.1.2 and 5.2.1. See the release notes topic for more details.

Check the release notes for version 5.0.0 of the Splunk Add-on for Microsoft Cloud Services before upgrading to the latest version as breaking changes were introduced in the Storage Blob input.

Compatibility

Version 5.2.1 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.2.x, 9.0.x, 9.1.x
CIM version: 5.1.0
Supported OS for data collection: Platform independent
Vendor products: Azure Active Directory, Azure Event Hubs, Azure Storage Table, Azure Storage Blob, Azure Audit, Azure Resource Group, and other cloud services.

New Features

Version 5.2.1 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Removed the dependency of version 5.0.0 during upgrade for Storage Blob input.

Fixed issues

Version 5.2.1 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear, then there are no bug fixes reported:

Known issues

Version 5.2.1 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear, no issues have yet been reported:

Third-party software attributions

Version 5.2.1 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Cloud Services

Version 5.2.0

Version 5.2.0 of the Splunk Add-on for Microsoft Cloud Services was released on September 17, 2023.

After upgrading to version 5.0.0 or later of this add-on, you might observe a rise in the usage of memory and CPU resources within your deployment.

Check the release notes for version 5.0.0 of the Splunk Add-on for Microsoft Cloud Services before upgrading to the latest version as breaking changes were introduced in the Storage Blob input.

Compatibility

Version 5.2.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.2.x, 9.0.x, 9.1.x
CIM version: 5.1.0
Supported OS for data collection: Platform independent
Vendor products: Azure Active Directory, Azure Event Hubs, Azure Storage Table, Azure Storage Blob, Azure Audit, Azure Resource Group, and other cloud services.

New Features

Version 5.2.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Updated Azure Resource, Azure Consumption APIs and the Azure Storage Blob SDK to their latest versions.
  • Fixed security-related issues.
  • Updated the read_timeout parameter’s default value for the Azure Storage Blob input to 60 seconds.
  • Automatic deletion of obsolete Storage Blob file checkpoints after successful migration to KV store.

Fixed issues

Version 5.2.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear, then there are no bug fixes reported:

Known issues

Version 5.2.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear, no issues have yet been reported:

Third-party software attributions

Version 5.2.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Cloud Services

Version 5.1.2

Version 5.1.2 of the Splunk Add-on for Microsoft Cloud Services was released on October 3, 2023.

See the release notes for version 5.0.0 of the Splunk Add-on for Microsoft Cloud Services before upgrading to the latest version as breaking changes were introduced in the Storage Blob input.

Compatibility

Version 5.1.2 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.1.x, 8.2.x, 9.0.x
CIM version: 5.1.0
Supported OS for data collection: Platform independent
Vendor products: Azure Active Directory, Azure Event Hubs, Azure Storage Table, Azure Storage Blob, Azure Audit, Azure Resource Group, and other cloud services.

New Features

Version 5.1.2 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Removed Dependency for Storage Blob Input in v5.0.0 Step Upgrade

Fixed issues

Version 5.1.2 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear, then there are no bug fixes reported:

Known issues

Version 5.1.2 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear, no issues have yet been reported:

Third-party software attributions

Version 5.1.2 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Cloud Services

Version 5.1.1

Version 5.1.1 of the Splunk Add-on for Microsoft Cloud Services was released on May 2, 2023.

See the release notes for version 5.0.0 of the Splunk Add-on for Microsoft Cloud Services before upgrading to the latest version as breaking changes were introduced in the Storage Blob input.

Compatibility

Version 5.1.1 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.1.x, 8.2.x, 9.0.x
CIM version: 5.1.0
Supported OS for data collection: Platform independent
Vendor products: Azure Active Directory, Azure Event Hubs, Azure Storage Table, Azure Storage Blob, Azure Audit, Azure Resource Group, and other cloud services.

New Features

Version 5.1.1 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Improved CPU utilization for eventhub inputs.
  • Improved logging mechanism for eventhub inputs.
  • Added a warning message to the Azure App account update, proxy, and logging pages, informing users that they will be required to re-enable EventHub inputs upon account, proxy, and log level changes.

Fixed issues

Version 5.1.1 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear, then there are no bug fixes reported:

Known issues

Version 5.1.1 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear, no issues have yet been reported:

Third-party software attributions

Version 5.1.1 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Cloud Services

Version 5.1.0

Version 5.1.0 of the Splunk Add-on for Microsoft Cloud Services was released on May 2, 2023.

Please also check the release notes for Splunk Add-on for Microsoft Cloud Services v5.0.0 before upgrading to the latest version as breaking changes were introduced in the Storage Blob input.

Compatibility

Version 5.1.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.1.x, 8.2.x, 9.0.x
CIM version: 5.1.0
Supported OS for data collection: Platform independent
Vendor products: Azure Active Directory, Azure Event Hubs, Azure Storage Table, Azure Storage Blob, Azure Audit, Azure Resource Group, and other cloud services.

New Features

Version 5.1.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • The following inputs were migrated from the Splunk Add-on for Microsoft Azure to the Splunk Add-on for Microsoft Cloud Services. If these inputs are configured in the Splunk Add-on for Microsoft Cloud Services, they are treated as new inputs. It is recommended to disable those inputs in the Splunk Add-on for Microsoft Azure:
    • Introduced the Azure Metrics input
    • Introduced the Azure KQL Log Analytics input
    • Introduced the Azure Consumption (Billing) input
    • Introduced new Resource Types (Disk Data, Image Data, Snapshot Data, Resource Groups, Security Groups and Subscriptions) in the Azure Resource input
  • Security-related issues have been fixed.
  • Introduced the Read Timeout parameter to the Storage Blob input, which can be used to resolve the issue of data ingestion getting stuck. See the Storage Blob input configuration manual for more information.
  • Added UI support to the Blob Mode parameter.

Provided CIM 5.1.0 support for the following:

Sourcetype | Category
mscs:resource:securityGroup | Azure Resource
mscs:resource:disk | Azure Resource
mscs:resource:image | Azure Resource
mscs:resource:snapshot | Azure Resource
mscs:resource:subscriptions | Azure Resource
mscs:resource:resourceGroup | Azure Resource

Fixed issues

Version 5.1.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear, then there are no bug fixes reported:

Known issues

Version 5.1.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear, no issues have yet been reported:

Third-party software attributions

Version 5.1.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Cloud Services

Version 5.0.0

Version 5.0.0 of the Splunk Add-on for Microsoft Cloud Services was released on March 21, 2023.

Compatibility

Version 5.0.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.1.x, 8.2.x, 9.0.x
CIM version: 5.0.2
Supported OS for data collection: Platform independent
Vendor Products: Azure Active Directory, Azure Event Hubs, Azure Storage Table, Azure Storage Blob, Azure Audit, Azure Resource Group, and other cloud services.

New Features

Version 5.0.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  1. The following enhancements were made on the Eventhub Input. See Input Parameters for more details:
    1. Resolved the memory leak issue for the input.
    2. Introduced load balancing support across multiple instances. See the Horizontal Scaling Across Multiple Splunk Environment section in the Eventhub input manual. See Horizontal Scaling for more information.
    3. Introduced debug loggers to the input execution. See Input Parameters for more details.
  2. Enhancements were made on the Storage Blob Input. The Storage Blob checkpoint will be migrated from the File checkpoint mechanism to the KV Store mechanism.

    If inputs are interrupted during the checkpoint migration in the first interval after upgrading the add-on to Version 5.0.0, it may lead to data duplication.

    1. The checkpoint mechanism was migrated to the Splunk KV Store.
    2. Introduced Horizontal Scaling that would allow parallel data ingestion via multiple inputs on a common KV Store architecture. See Horizontal Scaling for more information.
    3. Introduced a new field called Prefix to optimize the execution time of the input.
    4. Introduced an Advanced Tab in the Configuration Tab to control the File Based Checkpoint deletion for Storage Blob. See Configure Advanced settings in Splunk Add-on for Microsoft Cloud Services for more information.

Provided CIM 5.0.2 support for the following:

Sourcetype | Category
azure:monitor:aad | AzureActiveDirectory
azure:monitor:activity | Administrative

See the following table for the CIM fields removed for 5.0.0:

Source-type | operationName | Fields removed | Reason for removed fields
azure:monitor:aad | Add a deletion-marked app role assignment grant to user as part of link removal | object | The event is not mapped to any Datamodel
azure:monitor:aad | Add blocked user | object_id | There is no ID for the target user present in the raw event.
azure:monitor:aad | Clear block on user | object_id | There is no ID for the target user present in the raw event.
azure:monitor:aad | POST Tenant.RemoveBlockedUser, POST Tenant.CreateBlockedUser, Update StsRefreshTokenValidFrom Timestamp, Process role update request, User started security info registration | object | The event is not mapped to any datamodel.
azure:monitor:aad | Sign-in activity, Validate user authentication, Risky user, User Risk Detection | object | The object field is not part of the datamodels mapped to the events.
azure:monitor:aad | Start applying group based license to users | object | The event is not mapped to any datamodel.

See the following table for a list of CIM fields modified for 5.0.0:

Source-type | CIM Field | operationName | Comment
azure:monitor:aad | object | Access review ended, Add app role assignment grant to user, Add blocked user, Add conditional access policy, Add label, Add owner to group, Add owner to service principal, Add role definition, Add role from template, Add user, Clear block on user, Consent to application, Create access package catalog, Create business flow, Create connected organization, Delete access package catalog, Delete application, Delete business flow, Delete conditional access policy, Delete group, Delete policy, Delete role definition, Delete user, Disable account, Enable account, Finish applying group based license to users, Get resource properties of a tenant, Get tenant details, Hard Delete application, Hard Delete group, Hard Delete user, Hard delete service principal, Initialize tenant, POST Tenant.CreateTenant, Remove app role assignment from user, Remove eligible member from role in PIM completed (permanent), Remove eligible member from role in PIM completed (timebound), Remove member from role, Remove member from role in PIM completed (permanent), Remove member from role in PIM completed (timebound), Remove member from role in PIM requested (permanent), Remove member from role in PIM requested (timebound), Remove owner from application, Remove owner from group, Remove service principal, Restore application, Set Company Information, Set directory feature on tenant, Set group license, Set user manager, Update access package catalog, Update application, Update authorization policy, Update business flow, Update conditional access policy, User registered all required security info, User registered security info | The object field has changed: the extraction is now more accurate and produces more specific values. For example, the object was previously the generic Azure AD, and it now has a more specific and meaningful value.
azure:monitor:aad | object_attrs | Add app role assignment grant to user, Add label, Add owner to group, Add owner to service principal, Add role from template, Add user, Create connected organization, Delete user, Disable account, Enable account, Hard Delete user, Hard delete service principal, POST Tenant.CreateTenant, Remove app role assignment from user, Remove eligible member from role in PIM completed (permanent), Remove eligible member from role in PIM completed (timebound), Remove member from role, Remove member from role in PIM completed (permanent), Remove member from role in PIM completed (timebound), Remove member from role in PIM requested (permanent), Remove member from role in PIM requested (timebound), Remove owner from application, Remove owner from group, Remove service principal, Update access package catalog, Update business flow, Verify domain | The object_attrs field now has a more meaningful (and sometimes more concise) value than before.
azure:monitor:aad | user | Add blocked user, Clear block on user, Disable account, Enable account, Hard Delete user, Remove eligible member from role in PIM completed (permanent), Remove eligible member from role in PIM completed (timebound), Remove member from role in PIM completed (permanent), Remove member from role in PIM completed (timebound), Remove member from role in PIM requested (permanent), Remove member from role in PIM requested (timebound), Set user manager, User registered all required security info, User registered security info | The user field value is now corrected and extracted properly, reflecting the CIM definitions of this field in the Change Datamodel (All_changes and Account_management Datasets).

Fixed issues

Version 5.0.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear below, then there are no bug fixes reported:

Known issues

Version 5.0.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:

Third-party software attributions

Version 5.0.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Cloud Services

Version 4.5.2

Version 4.5.2 of the Splunk Add-on for Microsoft Cloud Services was released on February 15, 2023.

Compatibility

Version 4.5.2 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.1.x, 8.2.x, 9.0.x
CIM version: 5.0.1
Supported OS for data collection: Platform independent
Vendor Products: Azure Active Directory, Azure Event Hubs, Azure Storage Table, Azure Storage Blob, Azure Audit, Azure Resource Group, and other cloud services.

New features

Version 4.5.2 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Security-related issues have been fixed. No new features were added.

Fixed issues

Version 4.5.2 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear below, then there are no bug fixes reported:

Known issues

Version 4.5.2 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:

Third-party software attributions

Version 4.5.2 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Cloud Services

Version 4.5.1

Version 4.5.1 of the Splunk Add-on for Microsoft Cloud Services was released on November 15, 2022.

Compatibility

Version 4.5.1 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.1.x, 8.2.x, 9.0.0
CIM version: 5.0.1
Supported OS for data collection: Platform independent
Vendor Products: Azure Active Directory, Azure Event Hubs, Azure Storage Table, Azure Storage Blob, Azure Audit, Azure Resource Group, and other cloud services.

Fixed issues

Eventhub input does not support “Transport Type” as “AMQP” in Splunk Cloud.

Version 4.5.1 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear below, then there are no bug fixes reported:

Known issues

Version 4.5.1 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:

Third-party software attributions

Version 4.5.1 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 4.5.0

Version 4.5.0 of the Splunk Add-on for Microsoft Cloud Services was released on July 31, 2022.

Compatibility

Version 4.5.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms:

Splunk platform versions: 8.0.x, 8.1.x, 8.2.x, 9.0.0
CIM version: 5.0.1
Supported OS for data collection: Platform independent
Vendor Products: Azure Active Directory, Azure Event Hubs, Azure Storage Table, Azure Storage Blob, Azure Audit, Azure Resource Group, and other cloud services.

New Features

Version 4.5.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Provided CIM support for Azure Data Share events
  • Updated Azure Audit API, Azure Storage Blob, and Storage Table client SDK to the latest version

Note: A high-level overview of differences between Audit API version 2015-04-01 and the old 2014-04-01 version:

  • The key name was changed for the following fields of the audit events, but the value remains the same:
    • eventSource → category
    • resourceUri → resourceId
  • The following fields were added in response to the latest Audit API version:
    • "resourceType":{"value": "<value>", "localizedValue": "<localizedValue>"}
    • "tenantId": "<tenant_id>"

Fixed issues

Version 4.5.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear below, then there are no bug fixes reported:

Known issues

Version 4.5.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:

Third-party software attributions

Version 4.5.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Cloud Services

Version 4.3.3

Version 4.3.3 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • The Microsoft Azure Event Hubs input in the previous version of the Splunk Add-on for Microsoft Cloud Services had an additional level of nesting for ingested events that had a records key. The additional nesting has been removed to provide a simpler and faster query experience.

    Previous versions of the Splunk Add-on for Microsoft Cloud Services:

    {
      "body": {
        "records": {
          "field1": value1
        }
      }
    }

    Current version of the Splunk Add-on for Microsoft Cloud Services:

    {
      "body": {
        "field1": value1
      }
    }

  • Bug fixes.
  • Fixed a memory leak issue that was affecting the performance of the Event Hub input.

In this release, the existing lookups are updated for the Self Service App Install (SSAI) upgrade. Lookups do not update with the latest values automatically. To fix this issue, upgrade the Splunk Add-on for Microsoft Cloud Services, then manually update the lookup files using the latest version of this add-on.

Fixed issues

Version 4.3.3 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear below, then there are no bug fixes reported:

Known issues

Version 4.3.3 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:

Version 4.2.0

Version 4.2.0 of the Splunk Add-on for Microsoft Cloud Services was released on September 13, 2021.

Compatibility

Version 4.2.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 8.0.x, 8.1.x, 8.2.x
CIM version: 4.20
Supported OS for data collection: Platform independent
Vendor Products: Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services

New Features

Version 4.2.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • UI component upgrades for compatibility with future versions of the Splunk software (jQuery upgrade).
  • Bug fixes.
  • Common Information Model (CIM) Release Notes:
    • Compatibility with CIM version 4.20.
    • The following CIM mapping enhancements:
      • Added support for Alert and Change data models in the mscs:azure:audit sourcetype.
      • Added support for Inventory_Network data model in the mscs:azure:networkInterfaceCard sourcetype.
      • Fixed existing field mapping issue for image_name and severity fields in mscs:resource:virtualMachine and mscs:azure:security:recommendation sourcetypes respectively.
      • The following mscs:azure:audit sourcetype enhancements:
        • Added an extra field event_description to retain the existing description values from the event and updated the description field values as per the Alert CIM data model recommendations.
        • Added new lookup mscs_audit_change_cim_fields_with_status_code.csv for populating CIM fields.
      • Updated the values in the lookup mscs_security_alert_object_category.csv for the mscs:azure:security:alert sourcetype.

In this release, the existing lookups are updated for the Self Service App Install (SSAI) upgrade. Lookups do not update with the latest values automatically. To fix this issue, upgrade the Splunk Add-on for Microsoft Cloud Services, then manually update the lookup files using the latest version of this add-on.

Fixed issues

Version 4.2.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear below, then there are no bug fixes reported:

Known issues

Version 4.2.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:

Third-party software attributions

Version 4.2.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 4.1.5

Fixed issues

Version 4.1.5 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear below, then there are no bug fixes reported:

Known issues

Version 4.1.5 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:

Third-party software attributions

Version 4.1.5 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 4.1.4

Version 4.1.4 of the Splunk Add-on for Microsoft Cloud Services was released on July 28, 2021.

Compatibility

Version 4.1.4 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 8.0.x
CIM version: 4.18
Supported OS for data collection: Platform independent
Vendor Products: Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services

New Features

Version 4.1.4 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Bug fixes

Fixed issues

Version 4.1.4 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear below, then there are no bug fixes reported:

Known issues

Version 4.1.4 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:

Third-party software attributions

Version 4.1.4 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 4.1.3

Version 4.1.3 of the Splunk Add-on for Microsoft Cloud Services was released on May 14, 2021.

Compatibility

Version 4.1.3 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 8.0.x
CIM version: 4.15
Supported OS for data collection: Platform independent
Vendor Products: Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services

New Features

Version 4.1.3 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • When event hub data is ingested by the Splunk software, different events are generated in the Splunk platform for each record.
  • Each record from event hub data is now split into separate Splunk events.
  • Fixed an event hub input bug where event hub data isn’t ingested due to the following client secret error:

AADSTS7000215: Invalid client secret is provided.

  • The upper limit for max_batch_size is increased to 10000.

Fixed issues

Version 4.1.3 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear below, then there are no bug fixes reported:

Known issues

Version 4.1.3 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:

Third-party software attributions

Version 4.1.3 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 4.1.2

Version 4.1.2 of the Splunk Add-on for Microsoft Cloud Services was released on April 20, 2021.

Compatibility

Version 4.1.2 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 8.0.x
CIM version: 4.15
Supported OS for data collection: Platform independent
Vendor Products: Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services

New Features

Version 4.1.2 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Changes to the Blob Storage input to address a data duplication issue with Append Blobs.

Fixed issues

Version 4.1.2 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues. If no issues appear below, then there are no bug fixes reported:

Known issues

Version 4.1.2 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:

Version 4.1.2 of the Splunk Add-on for Microsoft Cloud Services introduced a blob storage duplication solution that conflicts with the event hub input, leading to the following error:

AADSTS7000215: Invalid client secret is provided.

If you do not need the blob storage duplication fix, the best practice is to continue using version 4.1.1 of this add-on instead of upgrading to version 4.1.2.

Third-party software attributions

Version 4.1.2 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 4.1.1

Version 4.1.1 of the Splunk Add-on for Microsoft Cloud Services was released on February 12, 2021.

Compatibility

Version 4.1.1 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.0.x
CIM version 4.15
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services

New Features

Version 4.1.1 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • The 4.1.0 release of MSCS included a new SDK and libraries to support EventHubs. Due to some underlying Splunk Python behavior, some customers who had other Microsoft TAs installed noted that the GUI configuration was failing for MSCS. This release solves this library clash issue.
  • Improvements to proxy configuration enforcing an integer value.
  • Fix for a UnicodeDecodeError exception that some customers were seeing for the Event Hubs Modular Input.

Fixed issues

Version 4.1.1 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues:

Known issues

Version 4.1.1 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:

Third-party software attributions

Version 4.1.1 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 4.1.0

It is a best practice to use either version 4.1.1 and later or versions 4.0.2 and earlier of this add-on.

Version 4.1.0 of the Splunk Add-on for Microsoft Cloud Services was released on January 9, 2020.

Compatibility

Version 4.1.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.0.x
CIM version 4.15
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services

Version 4.1.0 of the Splunk Add-on for Microsoft Cloud Services cannot be installed on the same Splunk platform instance as one that has the Microsoft Azure Add-on for Splunk installed.

New Features

Version 4.1.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Support for the Microsoft Azure Event Hubs input type.

Fixed issues

Version 4.1.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues:

Known issues

Version 4.1.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:

Third-party software attributions

Version 4.1.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 4.0.2

Version 4.0.2 of the Splunk Add-on for Microsoft Cloud Services was released on August 31, 2020.

Compatibility

Version 4.0.2 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.0.x
CIM version 4.15
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services

New Features

Version 4.0.2 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Improved support for the Splunk Enterprise Security Assets & Identities Framework interface.
  • Additional storage blob input capability and security compatibility.
  • Federal Information Processing Standard (FIPS) compliance.
  • Additional Python3 library support.

For more information on migrating your deployment to a Python 3 deployment, see Upgrade using the Python 3 runtime and dual-compatible Python syntax in custom scripts in the Splunk Enterprise Installation manual.

Fixed issues

Version 4.0.2 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues:

Known issues

Version 4.0.2 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:

The Splunk Add-on for Microsoft Cloud Services version 4.0.2 is incompatible with Splunk Enterprise versions 7.x.x and earlier.

Third-party software attributions

Version 4.0.2 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 4.0.1

Version 4.0.1 of the Splunk Add-on for Microsoft Cloud Services was released on August 31, 2020.

Compatibility

Version 4.0.1 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM version 4.12
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services

Upgrade

The following migration guide is supported for upgrading from version 3.0.0 to version 4.0.0 or later. Upgrading from any version older than 3.0.0 requires a fresh installation of version 3.0.0.

A best practice for upgrading the Splunk Add-on for Microsoft Cloud Services is to remove your older version before re-installing version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services.

  1. Disable all your inputs before you upgrade the add-on. Otherwise you may see errors in the log files, which may result in data loss for your already configured inputs.
  2. Install the Splunk Add-on for Microsoft Cloud Services version 3.1.0 and up from the Splunk Web UI (make sure the Upgrade App checkbox is selected).
  3. Restart the Splunk platform.
  4. Navigate to the input page of the Splunk Add-on for Microsoft Cloud Services. Alerts will appear, indicating incomplete account authorization.
  5. Edit each required input by clicking the click here link to navigate to the account configuration page or by directly navigating to the account configuration page.
  6. Complete the authorization of your account by adding your account secret key/account token.
  7. Repeat the above steps for all inputs that have an alert sign against them.
  8. Enable each desired input to start data collection.

In previous versions, settings including proxy, logging, and performance were stored in splunk_ta_o365_client_setting.conf and splunk_ta_o365_server_setting.conf. In version 3.0.0 and above of the Splunk Add-on for Microsoft Cloud Services, all settings and performance tuning configurations are in splunk_ta_mscs_setting.conf. The default log level is INFO.

Versions 3.0.0 and above of the Splunk Add-on for Microsoft Cloud Services remove the Microsoft Office 365 module. See the Splunk Add-on for Microsoft Office 365.

New Features

Version 4.0.1 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Default support for Python 3

For more information on migrating your deployment to a Python 3 deployment, see Choose your Splunk Enterprise upgrade path for the Python 3 migration in the Splunk Enterprise Installation manual.

Fixed issues

Version 4.0.1 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues:

Known issues

Version 4.0.1 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:

Third-party software attributions

Version 4.0.1 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 4.0.0

Version 4.0.0 of the Splunk Add-on for Microsoft Cloud Services was released on October 21, 2019.

Compatibility

Version 4.0.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM version 4.12
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services

Upgrade

The following migration guide is supported for upgrading from version 3.0.0 to version 4.0.0. Upgrading from any version older than 3.0.0 requires a fresh installation of version 3.0.0.

A best practice for upgrading the Splunk Add-on for Microsoft Cloud Services is to remove your older version before re-installing version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services.

  1. Disable all your inputs before you upgrade the add-on. Otherwise you may see errors in the log files, which may result in data loss for your already configured inputs.
  2. Install the Splunk Add-on for Microsoft Cloud Services version 3.1.0 from the Splunk Web UI (make sure the Upgrade App checkbox is selected).
  3. Restart the Splunk platform.
  4. Navigate to the input page of the Splunk Add-on for Microsoft Cloud Services. Alerts will appear, indicating incomplete account authorization.
  5. Edit each required input by clicking the click here link to navigate to the account configuration page or by directly navigating to the account configuration page.
  6. Complete the authorization of your account by adding your account secret key/account token.
  7. Repeat the above steps for all inputs that have an alert sign against them.
  8. Enable each desired input to start data collection.

In previous versions, settings including proxy, logging, and performance were stored in splunk_ta_o365_client_setting.conf and splunk_ta_o365_server_setting.conf. In version 3.0.0 and above of the Splunk Add-on for Microsoft Cloud Services, all settings and performance tuning configurations are in splunk_ta_mscs_setting.conf. The default log level is INFO.

Versions 3.0.0 and above of the Splunk Add-on for Microsoft Cloud Services remove the Microsoft Office 365 module. See the Splunk Add-on for Microsoft Office 365.

New Features

Version 4.0.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Support for Python 3

For more information on migrating your deployment to a Python 3 deployment, see Choose your Splunk Enterprise upgrade path for the Python 3 migration in the Splunk Enterprise Installation manual.

Fixed issues

Version 4.0.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues:

Known issues

Version 4.0.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:

Third-party software attributions

Version 4.0.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 3.1.0

Version 3.1.0 of the Splunk Add-on for Microsoft Cloud Services was released on April 8, 2019.

Compatibility

Version 3.1.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.6.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x
CIM version 4.12
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services

Upgrade

The following migration guide is supported for upgrading from version 3.0.0 to version 3.1.0. Upgrading from any version older than 3.0.0 requires a fresh installation of version 3.0.0.

A best practice for upgrading the Splunk Add-on for Microsoft Cloud Services is to remove your older version before re-installing version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services.

  1. Disable all your inputs before you upgrade the add-on. Otherwise you may see errors in the log files, which may result in data loss for your already configured inputs.
  2. Install the Splunk Add-on for Microsoft Cloud Services version 3.1.0 from the Splunk Web UI (make sure the Upgrade App checkbox is selected).
  3. Restart the Splunk platform.
  4. Navigate to the input page of the Splunk Add-on for Microsoft Cloud Services. Alerts will appear, indicating incomplete account authorization.
  5. Edit each required input by clicking the click here link to navigate to the account configuration page or by directly navigating to the account configuration page.
  6. Complete the authorization of your account by adding your account secret key/account token.
  7. Repeat the above steps for all inputs that have an alert sign against them.
  8. Enable each desired input to start data collection.

In previous versions, settings including proxy, logging, and performance were stored in splunk_ta_o365_client_setting.conf and splunk_ta_o365_server_setting.conf. In version 3.0.0 and above of the Splunk Add-on for Microsoft Cloud Services, all settings and performance tuning configurations are in splunk_ta_mscs_setting.conf. The default log level is INFO.

Versions 3.0.0 and above of the Splunk Add-on for Microsoft Cloud Services remove the Microsoft Office 365 module. See the Splunk Add-on for Microsoft Office 365.

New Features

Version 3.1.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features:

  • Credential validation of Account Name and Account secret key on Account configuration page.

Fixed issues

Version 3.1.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues:

Known issues

Version 3.1.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:

Third-party software attributions

Version 3.1.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 3.0.0

Version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM version 4.12
Supported OS for data collection Platform independent
Vendor Products Azure Active Directory, Azure Storage Table, Azure Storage Blob, Azure Audit, and other cloud services

Upgrade

A best practice for upgrading the Splunk Add-on for Microsoft Cloud Services is to remove your older version before re-installing version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services.

Version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services removes the Microsoft Office 365 module. See the Splunk Add-on for Microsoft Office 365.

In previous versions, settings including proxy, logging, and performance were stored in splunk_ta_o365_client_setting.conf and splunk_ta_o365_server_setting.conf. In version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services, all settings and performance tuning configurations are in splunk_ta_mscs_setting.conf. The default log level is INFO.

After you install version 3.0.0, you must clear the cache on the host of your Splunk platform instance or force refresh the input and configuration page the first time you use Version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services.

New Features

Version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services has the following new feature:

  • Support for XML and JSON field extractions via the mscs:storage:blob:xml and mscs:storage:blob:json sourcetypes.

Fixed issues

Version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues:

Known issues

Version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues. If no issues appear below, no issues have yet been reported:

Third-party software attributions

Version 3.0.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 2.1.0

Version 2.1.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.5.x, 6.6.x, 7.0.x, 7.1.x, 7.2.x
CIM 4.11
Platforms Platform independent
Vendor Products Microsoft Office 365, Azure Active Directory, Sharepoint Online, Exchange Online, Azure Storage Table, Azure Storage Blob, Azure Audit, and Azure Resource Group.

New Features

Version 2.1.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features and enhancements.

  • Support for Office365 Government Cloud
  • Support for Azure Government Cloud
  • Support for the Audit General class of Office365 events

Fixed issues

Version 2.1.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues.

Known issues

Version 2.1.0 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues.

Third-party software attributions

Version 2.1.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 2.0.3

Version 2.0.3 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.4 and later
CIM 4.4 and later
Platforms Platform independent
Vendor Products Microsoft Office 365, Azure Active Directory, Sharepoint Online, Exchange Online, Azure Storage Table, Azure Storage Blob, Azure Audit, and Azure Resource Group.

New Features

Version 2.0.3 of the Splunk Add-on for Microsoft Cloud Services has the following new features and enhancements.

  • Enhanced stability and performance in data collection through the O365 Management APIs
  • Updates to pagination handling for the O365 Management Activity APIs
  • Added proxy support for Audit and Resource data inputs
  • Optimized performance for the Diagnostics and websitesapplogs tables

Fixed issues

Version 2.0.3 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues.

Known issues

Version 2.0.3 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues.

Third-party software attributions

Version 2.0.3 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 2.0.2

Version 2.0.2 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.4 and 6.5
CIM 4.4 or later
Platforms Platform independent
Vendor Products Microsoft Office 365, Azure Active Directory, Sharepoint Online, Exchange Online, Azure Storage Table, Azure Storage Blob, Azure Audit, and Azure Resource Group.

Fixed issues

Version 2.0.2 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues.

Publication Date Issue number Description
2017/02/20 ADDON-12556 Cannot use proxy without Authentication in Storage channel.
2017/02/20 ADDON-12665 The length of the checkpoint file name exceeds the limitation of the operating system.
2017/02/20 ADDON-12666 Cannot parse a SAS token that does not start with ‘?’.

Known issues

Version 2.0.2 of the Splunk Add-on for Microsoft Cloud Services contains the following new known issues.

Date Issue number Description
2017/06/02 ADDON-14969 Truncated key/value pairs in the Splunk Add-on for Microsoft Cloud Services.
2017/02/07 ADDON-13487 The proxy value you configured in this add-on cannot be used for the Azure resource and Azure audit input channel. Workaround: Configure the proxy on the local system for the Azure resource and Azure audit input channel.
2017/02/06 ADDON-13476 An error occurs when upgrading the Splunk Add-on for Microsoft Cloud Services on the Windows platform. Workaround: If you want to upgrade this add-on on the Windows platform, disable the add-on first, then enable it after upgrading.

For the known issues in the previous release, see the release history of the Splunk Add-on for Microsoft Cloud Services.

Third-party software attributions

Version 2.0.2 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 2.0.1

Version 2.0.1 of the Splunk Add-on for Microsoft Cloud Services is compatible with the same software, CIM versions and platforms as Version 2.0.2.

Fixed issues

Version 2.0.1 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues.

Resolved Date Issue number Description
2016/10/14 ADDON-10454 Only the first 30 inputs (in alphabetical order) of Azure Storage Table (including Virtual Machine Metrics) can work. Only the first 30 Azure Storage Blob inputs (in alphabetical order) can work.

Known issues

Version 2.0.1 of the Splunk Add-on for Microsoft Cloud Services contains the following known issues.

Date Issue number Description
2016-10-13 ADDON-11638 This add-on does not check the input name stanza at the frontend.
2016-10-12 ADDON-11609 This add-on fails to configure the certificate in the latest Firefox browser.
2016-09-24 ADDON-11423 This add-on can only get data when the blob name in Microsoft Cloud Service contains only ASCII characters. It cannot get data if the blob name contains a multibyte character set, such as Latin characters or Japanese characters.
2016-09-20 ADDON-11419 If the names of the Azure storage blob inputs under the same account are the same except for case, such as INPUTS and inputs, the checkpoints conflict with each other on the Windows platform. This issue also exists in other modular inputs.
2016-09-20 ADDON-11409 Changes in inputs.conf do not take effect until you restart the Splunk platform.
2016-09-20 ADDON-11400 If you set the log level to ERROR for the Azure Audit and Azure Blob inputs, some INFO level logs are still recorded in the log file.
2016-09-19 ADDON-11349 The error message "error_message=The range specified is invalid for the current size of the resource" appears in the log file if the blob input has been collected and later revised to a smaller size. The error message can be ignored.
2016-09-19 ADDON-11316 Some errors, such as Failed to load endpoint, Refresh token failed, Failed to init ServerInfo, or Failed to send rest request, appear in the log file when you restart the Splunk platform, but they do not affect data collection.
2016-09-15 ADDON-11298 Some data loss occurs if the Splunk platform restarts or shuts down accidentally. Workaround: If you need to restart the Splunk platform, disable the inputs beforehand to prevent the data loss.
2016-09-09 ADDON-11178 You can only add the Office365 account via Splunk Web; you cannot add it using the configuration file.
2016-09-05 ADDON-11164 The Proxy Type and DNS Resolution settings do not work for the Azure Storage Table and Azure Storage Blob inputs.
2016-08-23 ADDON-10984 This add-on cannot get Virtual Machine (classic) metadata.
2016/03/30 ADDON-8505 Splunk searches sometimes display duplicate events. This is a known issue with the Microsoft Office 365 Management API.
2016/03/30 ADDON-8504 Splunk searches sometimes display events out of order. This is a known issue with the Microsoft Office 365 Management API.
2016/03/29 ADDON-8432 Stanza "o365_certificate_setting" in splunk_ta_ms_o365_server_ucc_system_setting.conf.spec has incorrect default values.
2016/03/29 ADDON-8424 Certificate status messages "* but invalid" should not appear until a longer time has passed.
2016/03/08 ADDON-8221 If you configure an X.509 certificate and private key and upload the keyCredentials JSON for any integration account configured in the add-on, you also need to upload it for all other accounts configured in the add-on, or any accounts not using the certificate cannot collect data.
2016/01/31 ADDON-7653 Management log reports rest request error during Splunk platform stop/restart immediately after a configuration change. This error can be ignored.
2016/01/26 ADDON-7597 Input will stop when the proxy_url exists but is invalid as a proxy. Workaround: Change your proxy URL to a valid proxy value.

Third-party software attributions

Version 2.0.1 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 2.0.0

Version 2.0.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the same software, CIM versions and platforms as Version 2.0.1.

New features

Version 2.0.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features.

Date Issue number Description
2016/09/20 ADDON-10883 Mapping to Cloud of ITSI data model.
2016/09/20 ADDON-10728 Add modular input for Azure Storage Blob data.
2016/09/20 ADDON-10727 Add modular input for Azure Storage Table data.
2016/09/20 ADDON-10129 Add modular input for Azure Audit data.
2016/09/20 ADDON-10696 Add modular input for Azure Resource data.
2016/09/20 ADDON-10222 Add modular input for Azure Virtual Machine Metrics data.

Fixed issues

Version 2.0.0 of the Splunk Add-on for Microsoft Cloud Services fixes the following issues.

Resolved Date Issue number Description
2016-09-05 ADDON-11033 If there is space in the name of inputs or account, this add-on will fail to ingest data.
2016-07-19 ADDON-9329 This add-on does not work if you install the add-on under /etc/apps/SPLUNK_HOME/ect/apps folder
2016-08-30 ADDON-8735 If the global proxy is enabled in splunk-launch.conf, the add-on cannot display the Account or Proxy tab under Configuration.

Known issues

Version 2.0.0 of the Splunk Add-on for Microsoft Cloud Services contains the following known issues.

Date Issue number Description
2016-09-27 ADDON-10454 Only the first 30 inputs (in alphabetical order) of Azure Storage Table (including Virtual Machine Metrics) can work. Only the first 30 Azure Storage Blob inputs (in alphabetical order) can work. Workaround: You can reduce the number of inputs by using a wildcard or regex expression in the Blob list.
2016-09-24 ADDON-11423 This add-on can only get data when the blob name in Microsoft Cloud Service contains only ASCII characters. It cannot get data if the blob name contains a multibyte character set, such as Latin characters or Japanese characters.
2016-09-20 ADDON-11419 If the names of the Azure storage blob inputs under the same account are the same except for case, such as INPUTS and inputs, the checkpoints conflict with each other on the Windows platform. This issue also exists in other modular inputs.
2016-09-20 ADDON-11409 Changes in inputs.conf do not take effect until you restart the Splunk platform.
2016-09-20 ADDON-11400 If you set the log level to ERROR for the Azure Audit and Azure Blob inputs, some INFO level logs are still recorded in the log file.
2016-09-19 ADDON-11349 The error message "error_message=The range specified is invalid for the current size of the resource" appears in the log file if the blob input has been collected and later revised to a smaller size. The error message can be ignored.
2016-09-19 ADDON-11316 Some errors, such as Failed to load endpoint, Refresh token failed, Failed to init ServerInfo, or Failed to send rest request, appear in the log file when you restart the Splunk platform, but they do not affect data collection.
2016-09-15 ADDON-11298 Some data loss occurs if the Splunk platform restarts or shuts down accidentally. Workaround: If you need to restart the Splunk platform, disable the inputs beforehand to prevent the data loss.
2016-09-09 ADDON-11178 You can only add the Office365 account via Splunk Web; you cannot add it using the configuration file.
2016-09-05 ADDON-11164 The Proxy Type and DNS Resolution settings do not work for the Azure Storage Table and Azure Storage Blob inputs.
2016-08-23 ADDON-10984 This add-on cannot get Virtual Machine (classic) metadata.
2016/03/30 ADDON-8505 Splunk searches sometimes display duplicate events. This is a known issue with the Microsoft Office 365 Management API.
2016/03/30 ADDON-8504 Splunk searches sometimes display events out of order. This is a known issue with the Microsoft Office 365 Management API.
2016/03/29 ADDON-8432 Stanza "o365_certificate_setting" in splunk_ta_ms_o365_server_ucc_system_setting.conf.spec has incorrect default values.
2016/03/29 ADDON-8424 Certificate status messages "* but invalid" should not appear until a longer time has passed.
2016/03/08 ADDON-8221 If you configure an X.509 certificate and private key and upload the keyCredentials JSON for any integration account configured in the add-on, you also need to upload it for all other accounts configured in the add-on, or any accounts not using the certificate cannot collect data.
2016/01/31 ADDON-7653 Management log reports rest request error during Splunk platform stop/restart immediately after a configuration change. This error can be ignored.
2016/01/26 ADDON-7597 Input will stop when the proxy_url exists but is invalid as a proxy. Workaround: Change your proxy URL to a valid proxy value.

Third-party software attributions

Version 2.0.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.

Version 1.0.0

Version 1.0.0 of the Splunk Add-on for Microsoft Cloud Services was released on April 1, 2016. Version 1.0.0 of the Splunk Add-on for Microsoft Cloud Services is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.3.X or later
CIM 4.4 or later
Platforms Platform independent
Vendor Products Microsoft Office 365, Azure Active Directory, Sharepoint Online, Exchange Online, and other cloud services.

New features

Version 1.0.0 of the Splunk Add-on for Microsoft Cloud Services has the following new features.

Date Issue number Description
2016/03/10 ADDON-3941 Create a new add-on for Microsoft cloud services.

Known issues

Version 1.0.0 of the Splunk Add-on for Microsoft Cloud Services contains the following known issues.

Date Issue number Description
2016/03/30 ADDON-8505 Splunk searches sometimes display duplicate events. This is a known issue with the Microsoft Office 365 Management API.
2016/03/30 ADDON-8504 Splunk searches sometimes display events out of order. This is a known issue with the Microsoft Office 365 Management API.
2016/03/29 ADDON-8432 Stanza “o365_certificate_setting” in splunk_ta_ms_o365_server_ucc_system_setting.conf.spec has incorrect default values.
2016/03/29 ADDON-8424 Certificate status messages “* but invalid” should not appear until a longer time has passed.
2016/03/15 ADDON-8280 Add-on throws “Failed to send rest request” errors during restart after initial installation unless the user waits for about one minute after installing the add-on and before restarting the Splunk platform. Workaround: Restart the Splunk platform a second time.
2016/03/08 ADDON-8221 If you configure an X.509 certificate and private key and upload the keyCredentials JSON for any integration account configured in the add-on, you also need to upload it for all other accounts configured in the add-on, or any accounts not using the certificate cannot collect data.
2016/01/31 ADDON-7653 Management log reports rest request error during Splunk platform stop/restart immediately after a configuration change. This error can be ignored.
2016/01/26 ADDON-7597 Input will stop when the proxy_url exists but is invalid as a proxy. Workaround: Change your proxy URL to a valid proxy value.

Third-party software attributions

Version 1.0.0 of the Splunk Add-on for Microsoft Cloud Services incorporates the following third-party software or libraries.