If you're reading this, you're probably wondering how to get data from various Microsoft Azure services into Splunk. With the growing list of Azure services and various data access methods, it can be a little cloudy (pun intended) as to what data is available and how to get all that data into Splunk. In this blog post, I'm going to go over how Microsoft makes Azure data available, how to access the data, and the out-of-the-box Splunk add-ons that can consume this data.

There are 3 main ways Microsoft makes Azure data available.

The first is storage accounts. This was the standard back in the day when Azure was introduced. Basically, Microsoft will dump data from a service into a separate storage location (called a storage account). For example, if you want Virtual Machine event logs, Azure will dump those into a storage account you specify. Since storage accounts are a separate service from a VM, the data about the VM will live on even after you delete the VM. Storage accounts have their own security and retention mechanisms, but we won't get too much into the weeds here. Just know that a source service can be configured to dump data into a separate storage account for retrieval.

The second is Event Hubs. Talking about standards, Event Hubs are the new standard for most Azure services. I like to think of Event Hubs as a scalable, relatively short-term message bus. What I mean by this is that Azure can dump data onto an Event Hub (via a service called Azure Monitor). This is similar to the storage account methodology mentioned above. However, data that goes onto an Event Hub is meant to be retrieved by something else. In fact, Event Hubs have a pretty short retention time for events (typically 24 hours to 7 days). Event Hubs can also scale up or down depending on the load necessary for receiving or delivering data. Hint: if the terms Pub/Sub, Kafka, producer and consumer mean anything to you, think in those terms. If not, forget that last sentence or just Google (or Bing) those terms if you want to dive a little deeper.

The third major way Microsoft makes Azure data available is REST APIs, and there are a lot of them. In the context of Splunk, you're typically looking for the "List" operations. For example, here are all the operations for Azure VMs. The Microsoft Azure Add-on for Splunk (more about that add-on in a bit) uses the "List All" operation to, well, get a list of all the VMs you have in Azure. You can use this information as entities in Splunk IT Service Intelligence (ITSI), Splunk Enterprise Security, or correlate it with other data sources in Splunk.

Now that you know the 3 main ways Microsoft makes Azure data available, let's talk a bit about what data is available. There is no way I could create a comprehensive static list of all the data sources, so I'll stick to some popular Splunk-centric sources.

- Activity data: This is basically who did what and when. For example, if I log on to the Azure portal and create a new VM, the VM creation action is captured in an activity log.
- Resource data: This data source covers what services you use. If you think of the activity data as "something happened", think of the resource data as "something exists". For example, Virtual Machines, storage accounts, public IP addresses, etc.
- Authentication data: This is pretty self-explanatory, but I will point out that you can get things like multi-factor authentication data, self-service password reset data, conditional access policy data, and a whole set of Azure Active Directory data.
- NSG flow logs: This source is like a network trace, including source and destination IP addresses, ports, protocols, etc. For more information on this topic, check out this blog post.
- Web Application and App Insights: Web Application data includes web server data (hosted or shared) as well as your web application data.
- Cost and consumption: This data source contains details on what services you are using and how much that usage costs. This data can also include VM reservation recommendations to save you money on your VM spend.
- Alerts: Both service and security alerts are available as part of the activity log. An example of a service alert may be a degradation of a service in a region. For example, if storage services were impacted in a region you use, that alert and the relevant messages would be available. To give you an example of a security alert, Microsoft may send an alert that you only have one global admin.
- Metrics: Azure makes a plethora of metrics available. The entire list of available metrics is available from Microsoft here.

So now that you know how Microsoft makes Azure data available and some of the different types of data available, how do you go about getting that data into Splunk? The simple answer is add-ons.
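To make the REST "List All" path concrete, here is an added example (my own code, not the blog's and not the Microsoft Azure Add-on for Splunk's implementation) that walks a paged Azure Resource Manager list response and flattens each VM into a one-line JSON event you could feed to Splunk as an ITSI entity. The `management.azure.com` Virtual Machines endpoint is real; the `api-version` value, the function names, the `$skiptoken` continuation URL and the two-page response are assumptions or constructed sample data, and the HTTP layer is injected as a callable so the example runs offline.

```python
"""Flatten a paged ARM 'List All' VM response into Splunk-ready entity events.

Added example, not code from the blog post or from the Microsoft Azure Add-on
for Splunk. The request layer is a callable (URL -> parsed JSON) so the sample
below runs offline; in production it would perform an authenticated GET.
"""
import json
from typing import Callable, Dict, Iterator, List, Set

# Real ARM endpoint for the Virtual Machines "List All" operation.
# The api-version value is an assumption: use the one your add-on supports.
LIST_ALL_URL = ("https://management.azure.com/subscriptions/{subscription_id}"
                "/providers/Microsoft.Compute/virtualMachines?api-version=2023-03-01")


def iter_list_pages(first_url: str, fetch: Callable[[str], Dict]) -> Iterator[Dict]:
    """Yield every page of an ARM list operation by following 'nextLink'.

    A page whose nextLink points at a URL already visited ends the walk, so a
    misbehaving endpoint cannot turn the collector into an infinite loop.
    """
    url = first_url
    seen: Set[str] = set()
    while url and url not in seen:
        seen.add(url)
        page = fetch(url)
        yield page
        url = page.get("nextLink")


def vm_to_event(vm: Dict) -> Dict:
    """Flatten one VM resource into the fields a Splunk entity needs.

    The resource id encodes subscription and resource group:
    /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<name>
    """
    parts = vm["id"].split("/")
    props = vm.get("properties", {})
    return {
        "id": vm["id"],
        "name": vm["name"],
        "location": vm.get("location"),
        "subscriptionId": parts[parts.index("subscriptions") + 1],
        "resourceGroup": parts[parts.index("resourceGroups") + 1],
        "vmSize": props.get("hardwareProfile", {}).get("vmSize"),
        "vmId": props.get("vmId"),
        "tags": vm.get("tags", {}),
    }


def collect_vm_events(subscription_id: str, fetch: Callable[[str], Dict]) -> List[Dict]:
    """Return one flat event per VM across all pages of the subscription."""
    first = LIST_ALL_URL.format(subscription_id=subscription_id)
    return [vm_to_event(vm)
            for page in iter_list_pages(first, fetch)
            for vm in page.get("value", [])]


# ---- Constructed sample: two pages, the first linking to the second ----
SAMPLE_SUB = "00000000-0000-0000-0000-000000000000"
_PAGE1_URL = LIST_ALL_URL.format(subscription_id=SAMPLE_SUB)
_PAGE2_URL = _PAGE1_URL + "&$skiptoken=page2"   # continuation format is assumed


def _vm(rg: str, name: str, size: str, env: str) -> Dict:
    """Build a constructed VM resource in the shape ARM returns."""
    return {
        "id": f"/subscriptions/{SAMPLE_SUB}/resourceGroups/{rg}"
              f"/providers/Microsoft.Compute/virtualMachines/{name}",
        "name": name, "location": "eastus", "tags": {"env": env},
        "properties": {"vmId": f"vmid-{name}", "hardwareProfile": {"vmSize": size}},
    }


SAMPLE_PAGES = {
    _PAGE1_URL: {"value": [_vm("rg-web", "web01", "Standard_B2s", "prod"),
                           _vm("rg-web", "web02", "Standard_B2s", "prod")],
                 "nextLink": _PAGE2_URL},
    _PAGE2_URL: {"value": [_vm("rg-db", "db01", "Standard_D4s_v3", "prod")]},
}


def sample_fetch(url: str) -> Dict:
    """Stand-in for the HTTP layer: serve the constructed pages by URL."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    for event in collect_vm_events(SAMPLE_SUB, sample_fetch):
        print(json.dumps(event))   # one JSON object per line, ready for HEC or a file input
```

Two points worth noting for an inventory collector like this: every page must be walked or the entity list silently misses VMs beyond the first page, and the resource id is the stable key to correlate on, since VM names are only unique within a resource group.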