Source types for the Splunk Add-on for Microsoft Cloud Services¶

The Splunk Add-on for Microsoft Cloud Services provides the index-time and search-time knowledge for Microsoft Cloud Services data in the following formats:

Note

The ms:o365:management source type is for backward compatibility. A similar source type, o365:management:activity, is in the Splunk Add-on for Microsoft Office 365.

Data source	Source type	Event type	API	CIM data models	ITSI data models	Notes
Azure Event Hubs	`mscs:azure:eventhub`	n/a	Microsoft Azure Event Hubs Client Library for Python	n/a	n/a
Azure Event Hubs	`mscs:azure:security:alert`	n/a	Microsoft Azure Event Hubs Client Library for Python	Alerts	n/a
Azure Event Hubs	`mscs:azure:security:recommendation`	n/a	Microsoft Azure Event Hubs Client Library for Python	Alerts	n/a
Azure Event Hubs	`azure:monitor:aad`	`mscs_audit_auth_account_management`, `mscs_audit_auth_all_changes`, `mscs_audit_auth_authentication`, `mscs_audit_auth_alerts`, `mscs_azure_aad_auditlogs`, `mscs_azure_aad_signinlogs`, `mscs_azure_aad_provisionlogs`, `mscs_azure_aad_userlogs`	Microsoft Azure Event Hubs Client Library for Python	Alerts, Authentication, Change	n/a
Azure Event Hubs	`azure:monitor:resource`	n/a	Microsoft Azure Event Hubs Client Library for Python	Change, Databases, DataAccess	n/a
Azure Event Hubs	`azure:monitor:activity`	`mscs_azure_activity_all_changes`, `mscs_azure_activity_instance_changes`, `mscs_azure_activity_administrative_logs`	Microsoft Azure Event Hubs Client Library for Python	Change	n/a
Azure Resource virtualMachine	`mscs:resource:virtualMachine`	`mscs_inventory_vm`	List, Get VM information	n/a	Inventory
Azure Resource network InterfaceCard	`mscs:resource:networkInterfaceCard`	`mscs_inventory_vm`	List network interface cards	n/a	Inventory
Azure Resource public IPAddress	`mscs:resource:publicIPAddress`	n/a	List public IP addresses	n/a	n/a
Resource virtualNetwork	`mscs:resource:virtualNetwork`	n/a	List virtual networks	n/a	n/a
Azure Resource Disk	`mscs:resource:disk`	`mscs_azure_resource_disk`	n/a	Inventory, Storage	n/a
Azure Resource Image	`mscs:resource:image`	`mscs_azure_resource_image`	n/a	Inventory, Virtual	n/a
Azure Resource Snapshot	`mscs:resource:snapshot`	`mscs_azure_resource_snapshot`	n/a	Inventory, Virtual, Snapshot	n/a
Azure Resource Group	`mscs:resource:resourceGroup`	`mscs_azure_resource_resourceGroup`	n/a	Inventory	n/a
Azure Resource Subscription	`mscs:resource:subscriptions`	`mscs_azure_resource_subscriptions`	n/a	Inventory	n/a
Azure Resource SecurityGroup	`mscs:resource:securityGroup`	`mscs_azure_resource_securityGroup`	n/a	Inventory	n/a
Azure Audit log	`mscs:azure:audit`	n/a	List events for an Azure subscription	Alerts, Change	n/a
Azure Storage Table	`mscs:storage:table`	n/a	Azure SDK for Python	n/a	n/a
Azure Storage Blob	`mscs:storage:blob`	n/a	Azure SDK for Python	n/a	n/a
Azure Storage Blob	`mscs:storage:blob:json`	n/a	Azure SDK for Python — Storage Table query_entities	n/a	n/a	When selected in the input, XML and JSON fields for the `mscs:storage:blob:xml` and `mscs:storage:blob:json` source types are automatically extracted. You can configure the settings for these in `props.conf`.
Azure Storage Blob	`mscs:storage:blob:xml`	n/a	Azure SDK for Python — Storage Table query_entities	n/a	n/a	When selected in the input, XML and JSON fields for the `mscs:storage:blob:xml` and `mscs:storage:blob:json` source types are automatically extracted. You can configure the settings for these in `props.conf`.
Virtual Machine Metrics	`mscs:vm:metrics`	`mscs_perf_vm_cpu`	Azure SDK for Python — Storage Table query_entities	n/a	Performance
Azure Metrics	`mscs:metrics`	n/a	n/a	n/a	n/a
Azure Metrics	`mscs:metrics:events`	n/a	n/a	n/a	n/a
Azure KQL Log Analytics	`mscs:kql`	n/a	n/a	n/a	n/a
Azure KQL Log Analytics	`mscs:kql:stats`	n/a	n/a	n/a	n/a
Azure Consumption (Billing)	`mscs:consumption:billing`	n/a	n/a	n/a	n/a
Azure Consumption (Billing)	`mscs:consumption:reservation:recommendation`	n/a	n/a	n/a	n/a

Note

The Splunk Add-on for Microsoft Cloud Services only supports native ingestion for specifically listed source types. Other formats, including VNet Flow Logs, require generic ingestion methods or engagement with OnDemand Services or Professional Services.

Data source	Source type	Event type	API	CIM data models	ITSI data models	Notes
Azure Event Hubs	`mscs:azure:eventhub`	n/a	Microsoft Azure Event Hubs Client Library for Python https://pypi.org/project/azure-eventhub/	n/a	n/a
Azure Event Hubs	`mscs:azure:security:alert`	n/a	Microsoft Azure Event Hubs Client Library for Python https://pypi.org/project/azure-eventhub/	Alerts	n/a
Azure Event Hubs	`mscs:azure:security:recommendation`	n/a	Microsoft Azure Event Hubs Client Library for Python https://pypi.org/project/azure-eventhub/	Alerts	n/a
Azure Event Hubs	`azure:monitor:aad`	`mscs_audit_auth_account_management`, `mscs_audit_auth_all_changes`, `mscs_audit_auth_authentication`, `mscs_audit_auth_alerts`, `mscs_azure_aad_auditlogs`, `mscs_azure_aad_signinlogs`, `mscs_azure_aad_provisionlogs`, `mscs_azure_aad_userlogs`	Microsoft Azure Event Hubs Client Library for Python https://pypi.org/project/azure-eventhub/	Alerts, Authentication, Change	n/a
Azure Event Hubs	`azure:monitor:resource`	n/a	Microsoft Azure Event Hubs Client Library for Python https://pypi.org/project/azure-eventhub/	Change, Databases DataAccess	n/a
Azure Event Hubs	`azure:monitor:activity`	`mscs_azure_activity_all_changes`, `mscs_azure_activity_instance_changes`, `mscs_azure_activity_administrative_logs`	Microsoft Azure Event Hubs Client Library for Python https://pypi.org/project/azure-eventhub/	Change	n/a
Azure Resource virtualMachine	`mscs:resource:virtualMachine`	`mscs_inventory_vm`	Azure Virtual Machines REST — List https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/list) Azure Virtual Machines REST — Get VM information https://msdn.microsoft.com/en-us/library/azure/mt163682.aspx	n/a	Inventory
Azure Resource network InterfaceCard	`mscs:resource:networkInterfaceCard`	`mscs_inventory_vm`	Azure Network REST — List network interface cards https://msdn.microsoft.com/en-us/library/azure/mt163627.aspx	n/a	Inventory
Azure Resource public IPAddress	`mscs:resource:publicIPAddress`	n/a	Azure Network REST — List public IP addresses https://msdn.microsoft.com/en-us/library/azure/mt163657.aspx	n/a	n/a
Resource virtualNetwork	`mscs:resource:virtualNetwork`	n/a	Azure Network REST — List virtual networks https://msdn.microsoft.com/en-us/library/azure/mt163587.aspx	n/a	n/a
Azure Resource Disk	`mscs:resource:disk`	`mscs_azure_resource_disk`	n/a	Inventory, Storage	n/a
Azure Resource Image	`mscs:resource:image`	`mscs_azure_resource_image`	n/a	Inventory, Virtual	n/a
Azure Resource Snapshot	`mscs:resource:snapshot`	`mscs_azure_resource_snapshot`	n/a	Inventory, Virtual, Snapshot	n/a
Azure Resource Group	`mscs:resource:resourceGroup`	`mscs_azure_resource_resourceGroup`	n/a	Inventory	n/a
Azure Resource Subscription	`mscs:resource:subscriptions`	`mscs_azure_resource_subscriptions`	n/a	Inventory	n/a
Azure Resource SecurityGroup	`mscs:resource:securityGroup`	`mscs_azure_resource_securityGroup`	n/a	Inventory	n/a
Azure Audit log	`mscs:azure:audit`	n/a	Azure Insights — List events for an Azure subscription https://msdn.microsoft.com/en-us/library/azure/dn931934.aspx	Alerts, Change	n/a
Azure Storage Table	`mscs:storage:table`	n/a	Azure SDK for Python https://azure.microsoft.com/en-us/documentation/articles/storage-python-how-to-use-table-storage/	n/a	n/a
Azure Storage Blob	`mscs:storage:blob`	n/a	Azure SDK for Python https://docs.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-python	n/a	n/a
Azure Storage Blob	`mscs:storage:blob:json`	n/a	Azure SDK for Python — Storage Table query_ entities https://docs.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-python	n/a	n/a	When selected in the input, XML and JSON fields for the `mscs:storage:blob:xml` and `mscs:storage:blob:json` source types are automatically extracted. You can configure the settings for these source types in their respective stanzas in your local props.conf file.
Azure Storage Blob	`mscs:storage:blob:xml`	n/a	Azure SDK for Python — Storage Table query_ entities https://docs.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-python	n/a	n/a	When selected in the input, XML and JSON fields for the `mscs:storage:blob:xml` and `mscs:storage:blob:json` source types are automatically extracted. You can configure the settings for these source types in their respective stanzas in your local props.conf file.
Virtual Machine Metrics	`mscs:vm:metrics`	`mscs_perf_vm_cpu`	Azure SDK for Python — Storage Table query_ entities https://docs.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-python	n/a	Performance
Azure Metrics	`mscs:metrics`	n/a	n/a	n/a	n/a
Azure Metrics	`mscs:metrics:events`	n/a	n/a	n/a	n/a
Azure KQL Log Analytics	`mscs:kql`	n/a	n/a	n/a	n/a
Azure KQL Log Analytics	`mscs:kql:stats`	n/a	n/a	n/a	n/a
Azure Consumption (Billing)	`mscs:consumption:billing`	n/a	n/a	n/a	n/a
Azure Consumption (Billing)	`mscs:consumption:reservation:recommendation`	n/a	n/a	n/a	n/a