We recently made available a community-supported Splunk Add-on for Microsoft Azure, which gives you insight into Azure IaaS and PaaS. I am happy to announce that this add-on now includes the ability to ingest Azure Audit data. The idea behind Splunking Azure Audit logs is to be able to tell who did what and when and what events might impact the health of your Azure resources.  In this blog post, I will detail what we are collecting, how to use the data, and what is coming next for the add-on.

What are we collecting?

This update adds a new modular input to your Splunk environment:

This modular input grabs data using the Azure Insights Events API.

How to use the Azure Audit data

There are several new prebuilt panels included in the add-on to get you started:

Azure – Audit – Event Actions

Azure – Audit – Events by Caller

Azure – Audit – Events by Resource Group

Azure – Audit – Operation Levels by Geography

Azure – Audit – Top Events by Resource Type

Setting up the Azure Audit input

The Azure Insights Events API is a REST endpoint and requires a little bit of setup on the Azure side. An Azure Active Directory application must be set up and a few key pieces of information must be supplied to the modular input. Don’t worry though, there are step-by-step instructions provided in the docs folder in the add-on.

For a quick start, check out the video below:

What is coming next?

The next integration slated to roll into this add-on is Azure Network Security Group logs – meaning network flow, load balancers, and network security group activity. Stay tuned…