Splunk Add-ons for Microsoft Cloud Data Sources

- O365 Email
- O365 Email Groups
- Microsoft Graph Security

Add-on	Input/Action	API	Permissions	Role (IAM)	Default Sourcetype(s) / Sources
Splunk Add-on for Microsoft Cloud Services Splunkbase Documentation	Azure Storage Table Azure Storage Blob	N/A	Access key OR Shared Access Signature (SAS) Storage Account SAS Requirements Detail Required settings for Shared Access Signature Allowed services: `Blob, Table` Allowed resource types: `Service, Container, Object` Allowed permissions: `Read, List`	N/A	`mscs:storage:blob mscs:storage:blob:json mscs:storage:blob:xml mscs:storage:table`
	Azure Audit	N/A	N/A	(Subscription) Reader	`mscs:azure:audit`
	Azure Resource	N/A	N/A	(Subscription) Reader	`mscs:resource:disk mscs:resource:image mscs:resource:networkInterfaceCard mscs:resource:publicIPAddress mscs:resource:resourceGraph mscs:resource:resourceGroup mscs:resource:securityGroup mscs:resource:snapshot mscs:resource:subscriptions mscs:resource:topology mscs:resource:virtualMachine mscs:resource:virtualNetwork`
	Event Hub	N/A	N/A	(Event Hub) Azure Event Hubs Data receiver	`mscs:azure:eventhub azure:monitor:aad azure:monitor:activity azure:monitor:resource` Event Hub Sourcetype Detail The Splunk Add-on for Microsoft Cloud Servies includes pre-trained sourcetypes for certain data sources. `azure:monitor:aad` - used for Microsoft Entra ID (Azure Active Directory) events such as sign-in events and Azure AD audit events. `azure:monitor:resource` - used for Azure resources such as Cosmos DB and Azure Data Share. `mscs:azure:eventhub` - used for generic event hub events. This sourcetype does not have any CIM mappings out-of-the-box.
	Metrics	N/A		(Subscription) Reader	`mscs:metrics mscs:metrics:events`
	Azure KQL Log Analytics	Log Analytics API	(Application) Data.Read - Read Log Analytics data	N/A	`mscs:kql mscs:kql:stats`
	Azure Consumption (Billing)	N/A		(Subscription) Reader	`mscs:consumption:billing mscs:consumption:reservation:recommendation`

Splunk Add-on for Microsoft Azure Splunkbase Documentation	Microsoft Entra ID ^[1] Sign-ins	Microsoft Graph	(Application) AuditLog.Read.All - Read all audit log data (Application) Directory.Read.All	N/A	`azure:aad:signin`
	Microsoft Entra ID ^[1] Audit	Microsoft Graph	(Application) AuditLog.Read.All - Read all audit log data (Application) Directory.Read.All	N/A	`azure:aad:audit`
	Microsoft Entra ID ^[1] Users	Microsoft Graph	(Application) User.Read.All - Read all users' full profiles	N/A	`azure:aad:user`
	Microsoft Entra ID ^[1] Groups	Microsoft Graph	(Application) Group.Read.All - Read all groups	N/A	`azure:aad:group`
	Microsoft Entra ID ^[1] Applications	Microsoft Graph	(Application) Application.Read.All - Read all applications	N/A	`azure:aad:application`
	Microsoft Entra ID ^[1] Devices	Microsoft Graph	(Application) Device.Read.All - Read all devices	N/A	`azure:aad:device`
	Microsoft Entra ID ^[1] Risk Detection	Microsoft Graph	(Application) IdentityRiskEvent.Read.All - Read all identity risk event information (Application) IdentityRiskyUser.Read.All - Read all identity risk user information	N/A	`azure:aad:identity_protection:risk_detection azure:aad:identity_protection:risky_user`
	Microsoft Graph Security API	Microsoft Graph	(Application) SecurityEvents.Read.All	N/A	`ms:graph:security:alerts`
	Azure Security Center ^[2] Alerts & Tasks	N/A		(Subscription) Reader	`azure:securityCenter:alert azure:securityCenter:task`
	Azure Resource Graph	N/A		(Subscription) Reader	`azure:resourcegraph`
	Azure Topology (automatic)	N/A		(Subscription) Reader	`azure:topology`
	Azure Topology (manual)	N/A		(Subscription) Reader	`azure:topology`
	Add member to Microsoft 365 Group (alert action)	Microsoft Graph	(Application) GroupMember.ReadWrite.All - Read and write all group memberships	N/A
Stop Azure VM (alert action)	N/A		(Subscription) Virtual Machine Contributor
Dismiss Azure Alert (alert action)	N/A		(Subscription) Contributor

Splunk Add-on for Microsoft Office 365 Splunkbase Documentation	Management Activity: Audit.Azure Active Directory Audit.Exchange Audit.Share Point Audit.General DLP.All	Office 365 Management APIs	(Application) ActivityFeed.Read (Application) ActivityFeed.ReadDlp (if collecting DLP data) (Delegated) ActivityFeed.Read (Delegated) ActivityFeed.ReadDlp (if collecting DLP data)	N/A	`o365:management:activity`
	Service Health & Communications Service Health Service Update Messages	Microsoft Graph	(Application) ServiceHealth.Read.All (Application) ServiceMessage.Read.All	N/A	`o365:service:healthIssue o365:service:updateMessage`
	Mailbox Mailbox Usage Detail Mailbox Usage Mailbox Counts	Microsoft Graph	(Application) Reports.Read.All	N/A	`sourcetype=o365:graph:api source=MailboxUsageMailboxCounts source=MailboxUsageDetail`
	Office 365 Office 365 Groups Activity Detail Office 365 Services User Counts	Microsoft Graph	(Application) Reports.Read.All	N/A	`sourctype=o365:graph:api source=Office365GroupsActivityDetail source=Office365ServicesUserCounts`
	OneDrive One Drive Activity User Counts One Drive Usage Account Detail One Drive Usage Storage	Microsoft Graph	(Application) Reports.Read.All	N/A	`sourcetype=o365:graph:api source=OneDriveActivityUserCounts source=OneDriveUsageAccountDetail source=OneDriveUsageStorage`
	SharePoint SharePoint Site Usage Detail SharePoint Site Usage File Counts	Microsoft Graph	(Application) Reports.Read.All	N/A	`sourcetype=o365:graph:api source=SharePointSiteUsageDetail source=SharePointSiteUsageFileCounts`
	Teams Teams User Activity Counts Teams User Activity User Detail	Microsoft Graph	(Application) Reports.Read.All	N/A	`sourcetype=o365:graph:api source=TeamsUserActivityCounts source=TeamsUserActivityUserDetail`
	Yammer Yammer Groups Activity Detail Yammer Groups Activity Group Counts	Microsoft Graph	(Application) Reports.Read.All	N/A	`sourcetype=o365:graph:api source=YammerGroupsActivityDetail source=YammerGroupsActivityGroupCounts`
	Audit Logs Audit Logs.Sign Ins	Microsoft Graph	(Application) AuditLog.Read.All (Application) Directory.Read.All	N/A	`sourcetype=o365:graph:api source=AuditLogs.SignIns`
	Cloud Application Security ^[3] Policies Alerts Cloud Discovery Entities Files Cloud Application Security is now Microsoft Defender for Cloud Apps				`o365:cas:api`
	Message Trace	Office 365 Exchange Online	(Application) ReportingWebService.Read.All	Global Reader	`o365:reporting:messagetrace`

Microsoft O365 Email Add-on for Splunk Splunkbase Documentation	O365 Email	Microsoft Graph	(Application) Mail.ReadWrite	N/A	`ms:o365:email`
	O365 Email Groups	Microsoft Graph	(Application) Group.Read.All (Application) GroupMember.Read.All (Application) Directory.Read.All	N/A	`ms:o365:groups`

Microsoft Teams Add-on for Splunk Splunkbase Video Walkthrough Documentation	Teams Call Record (New)	Microsoft Graph	(Application) CallRecords.Read.All	N/A	`m365:teams:callRecord`
	Teams User Report	Microsoft Graph	(Application) Reports.Read.All (Delegated) Reports.Read.All	N/A	`m365:teams:user:report`
	Teams Subscription (Deprecated)	Microsoft Graph	(Delegated) Subscriptions.Read.All	N/A	`m365:subscription`
	Teams Call Record (Deprecated)	Microsoft Graph	(Application) CallRecords.Read.All	N/A	`m365:teams:callRecord`
	Teams Webhook (Deprecated)	N/A	N/A	N/A	`m365:webhook`

Splunk Add-on for Microsoft Security Splunkbase Documentation	Microsoft 365 Defender Incidents	Microsoft Threat Protection	(Application) Incident.Read.All	N/A	`m365:defender:incident m365:defender:incident:alerts`
	Defender Advanced Hunting (action)	Microsoft Threat Protection	(Application) AdvancedHunting.Read.All	N/A	`m365:defender:incident:advanced_hunting`
	Defender Update Incident (action)	Microsoft Threat Protection	(Application) Incident.ReadWrite.All	N/A	N/A
	Microsoft Defender for Endpoint Alerts	WindowsDefenderATP	(Application) Alert.Read.All	N/A	`ms:defender:atp:alerts`

Microsoft Graph Security API Add-on for Splunk Archived - use the Splunk Add-on for Microsoft Azure "Microsoft Graph Security API" input Splunkbase Documentation	Microsoft Graph Security	Microsoft Graph	(Application) SecurityEvents.Read.All	N/A	`GraphSecurityAlert`

[1] Azure Active Directory is now Microsoft Entra ID

[2] Azure Security Center is now Microsoft Defender for Cloud

[3] Cloud Application Security is now Microsoft Defender for Cloud Apps

Explore →

Citrix XenApp (21) Resouce Manager (14) Web Interface (9) General (7) Access Gateway (1) MFCOM (7) VDI (1) PowerShell (8) Citrix (15) Mobility (3) Splunk (18) Splunk Blog (16) IoT (1)