Getting Data In

PCI Compliance: What app should I use to monitor Azure data logs?

amulay26
Path Finder

We are currently working on PCI Compliance project and need to monitor the Azure Data Logs. What app would you recommend to do this?
Would it be
1. Splunk add-on for Cloud Services - https://splunkbase.splunk.com/app/3110/
2. Azure monitor add-on- https://splunkbase.splunk.com/app/3534/

Thanks in advance for the help.

Best,
Akshay.

0 Karma
1 Solution

marycordova
SplunkTrust
SplunkTrust

@amulay26 I wouldn't recommend either of those solutions because of either a lack of support and/or reliability.

This is the method I use to ingest logs from Azure to Splunk:
https://answers.splunk.com/answers/678660/how-to-get-logs-from-azure-and-o365-into-splunk.html

This method will easily ingest all "Activity Log" events.

It does not perform monitoring, you would need to setup searches for whatever you want to monitor.

From my PCI experience, having the logs available was generally sufficient as you needed to demonstrate the ability to perform an investigation and not necessarily alerting on specific activities in real-time.

When you say "Azure Data Logs", what logs exactly do you mean by that? Anything beyond the "Activity Log" you will need to enable/define/configure individually within Azure.

@marycordova

View solution in original post

larmesto
Path Finder

This might be helpful for anyone visiting; I have started working on an addon for Azure Event Hubs for Splunk, feel free to use it!
https://splunkbase.splunk.com/app/4343/

regards,

0 Karma

marycordova
SplunkTrust
SplunkTrust

@amulay26 I wouldn't recommend either of those solutions because of either a lack of support and/or reliability.

This is the method I use to ingest logs from Azure to Splunk:
https://answers.splunk.com/answers/678660/how-to-get-logs-from-azure-and-o365-into-splunk.html

This method will easily ingest all "Activity Log" events.

It does not perform monitoring, you would need to setup searches for whatever you want to monitor.

From my PCI experience, having the logs available was generally sufficient as you needed to demonstrate the ability to perform an investigation and not necessarily alerting on specific activities in real-time.

When you say "Azure Data Logs", what logs exactly do you mean by that? Anything beyond the "Activity Log" you will need to enable/define/configure individually within Azure.

@marycordova

marycordova
SplunkTrust
SplunkTrust

sorry, one other thing...I forgot to point out that my solution is not supported officially by anyone either...but you build it entirely yourself within your own infrastructure so it should't be as big of an issue than the lack of support for more "blackbox" solutions like the others 🙂

@marycordova
0 Karma

amulay26
Path Finder

@marycordovacaa By Azure data logs I mean the Azure audit logs and the change logs.

0 Karma

mstjohn_splunk
Splunk Employee
Splunk Employee

hi @amulay26 ,

Did the answer below solve your problem? If so, please resolve this post by approving it!

If your problem is still not solved, keep us updated so that someone else can help ya.

Thanks for posting!

0 Karma

marycordova
SplunkTrust
SplunkTrust

if you are referring to the "Activity Log" as the audit/change log, this method should suffice

@marycordova
0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...