Hi
I want to integrate Microsoft Cloud app security with Splunk, is there any add-on available?
Which fields are required to integrate with Splunk and how?
Thanks,
Hello,
MS Cloud App security does provide a syslog-based export method:
- as an MS Cloud App admin, you can generate required setup to install an on-premise agent (Java-based) that will periodically download Cloud App security events and then forward to the specified syslog server
- from there, you need to implement custom knowledge object to leverage syslog events... As far as I know, there is currently no TA you can leverage for that
Regards.
Since October 2020 there is add-on available for this matter:
This guidance is currently your best/easiest method for accomplishing what you have outlined (no current App or TA available):
https://docs.microsoft.com/en-us/cloud-app-security/siem
Hello,
MS Cloud App security does provide a syslog-based export method:
- as an MS Cloud App admin, you can generate required setup to install an on-premise agent (Java-based) that will periodically download Cloud App security events and then forward to the specified syslog server
- from there, you need to implement custom knowledge object to leverage syslog events... As far as I know, there is currently no TA you can leverage for that
Regards.
Thanks @sylbaea
Hi @sylbaea ,
How can I get data from Syslog server into splunk? Can you please help me ..
this is a very wide topic... you can either setup Splunk as a syslog server (not recommend if you do have a lot of traffic) either you can index the data of a dedicated syslog server. There is not universal solution, it depends on your needs and environment.
You can search here, it has already been discussed a lot:
https://answers.splunk.com/answers/75667/splunk-as-a-syslog-server.html
https://answers.splunk.com/answers/28680/universal-forwarder-vs-dedicated-rsyslog-syslog-ng-servers-...