Splunk Add-ons for Microsoft Cloud Data Sources

O365 Email

O365 Email Groups

Add-on	Input/Action	API	Permissions	Role (IAM)	Default Sourcetype(s) / Sources
Splunk Add-on for Microsoft Cloud Services Splunkbase Documentation	Azure Storage Table Azure Storage Blob	N/A	Access key OR Shared Access Signature (SAS) Storage Account SAS Requirements Detail Required settings for Shared Access Signature Allowed services: `Blob, Table` Allowed resource types: `Service, Container, Object` Allowed permissions: `Read, List`	N/A	`mscs:storage:blob mscs:storage:blob:json mscs:storage:blob:xml mscs:storage:table`
	Azure Audit	N/A	N/A	(Subscription) Reader	`mscs:azure:audit`
	Azure Resource Disk Data Image Data Network Interface Card Public IP Address Resource Graph Resource Groups Security Groups Snapshot Data Subscriptions Topology Virtual Machine Virtual Network	N/A	N/A	(Subscription) Reader	`mscs:resource:disk mscs:resource:image mscs:resource:networkInterfaceCard mscs:resource:publicIPAddress mscs:resource:resourceGraph mscs:resource:resourceGroup mscs:resource:securityGroup mscs:resource:snapshot mscs:resource:subscriptions mscs:resource:topology mscs:resource:virtualMachine mscs:resource:virtualNetwork`
	Event Hub	N/A	No API permissions are needed, but the Azure AD app registration needs to be assigned to the "Azure Event Hubs Data receiver" role on the Event Hub namespace	(Event Hub) Azure Event Hubs Data receiver	`mscs:azure:eventhub azure:monitor:aad azure:monitor:activity azure:monitor:resource` Event Hub Sourcetype Detail The Splunk Add-on for Microsoft Cloud Servies includes pre-trained sourcetypes for certain data sources. `azure:monitor:aad` - used for Microsoft Entra ID (Azure Active Directory) events such as sign-in events and Azure AD audit events. `azure:monitor:resource` - used for Azure resources such as Cosmos DB and Azure Data Share. `mscs:azure:eventhub` - used for generic event hub events. This sourcetype does not have any CIM mappings out-of-the-box.
	Metrics	N/A		(Subscription) Reader	`mscs:metrics mscs:metrics:events`
	Azure KQL Log Analytics	Log Analytics API	(Application) Data.Read - Read Log Analytics data	N/A	`mscs:kql mscs:kql:stats`
	Azure Consumption (Billing)	N/A		(Subscription) Reader	`mscs:consumption:billing mscs:consumption:reservation:recommendation`

Splunk Add-on for Microsoft Azure The inputs in this add-on have migrated to other Splunk-supported add-ons. More information can be found here. Splunkbase Documentation	Microsoft Entra ID ^[1] Sign-ins	Microsoft Graph	(Application) AuditLog.Read.All - Read all audit log data (Application) Directory.Read.All	N/A	`azure:aad:signin`
	Microsoft Entra ID ^[1] Audit	Microsoft Graph	(Application) AuditLog.Read.All - Read all audit log data (Application) Directory.Read.All	N/A	`azure:aad:audit`
	Microsoft Entra ID ^[1] Users This input has been migrated to the supported Splunk Add-on for Microsoft Office 365.	Microsoft Graph	(Application) User.Read.All - Read all users' full profiles	N/A	`azure:aad:user`
	Microsoft Entra ID ^[1] Groups This input has been migrated to the supported Splunk Add-on for Microsoft Office 365.	Microsoft Graph	(Application) Group.Read.All - Read all groups	N/A	`azure:aad:group`
	Microsoft Entra ID ^[1] Applications This input has been migrated to the supported Splunk Add-on for Microsoft Office 365.	Microsoft Graph	(Application) Application.Read.All - Read all applications	N/A	`azure:aad:application`
	Microsoft Entra ID ^[1] Devices This input has been migrated to the supported Splunk Add-on for Microsoft Office 365.	Microsoft Graph	(Application) Device.Read.All - Read all devices	N/A	`azure:aad:device`
	Microsoft Entra ID ^[1] Risk Detection	Microsoft Graph	(Application) IdentityRiskEvent.Read.All - Read all identity risk event information (Application) IdentityRiskyUser.Read.All - Read all identity risk user information	N/A	`azure:aad:identity_protection:risk_detection azure:aad:identity_protection:risky_user`
	Microsoft Graph Security API This input has been migrated to the supported Splunk Add-on for Microsoft Security.	Microsoft Graph	(Application) SecurityEvents.Read.All	N/A	`ms:graph:security:alerts`
	Azure Security Center ^[2] Alerts & Tasks	N/A		(Subscription) Reader	`azure:securityCenter:alert azure:securityCenter:task`
	Azure Resource Graph This input has been migrated to the supported Splunk Add-on for Microsoft Cloud Services as part of the "Azure Resource" input.	N/A		(Subscription) Reader	`azure:resourcegraph`
	Azure Topology (automatic) This input has been migrated to the supported Splunk Add-on for Microsoft Cloud Services as part of the "Azure Resource" input.	N/A		(Subscription) Reader	`azure:topology`
	Azure Topology (manual) This input has been migrated to the supported Splunk Add-on for Microsoft Cloud Services as part of the "Azure Resource" input.	N/A		(Subscription) Reader	`azure:topology`
	Add member to Microsoft 365 Group (alert action) This input has been migrated to the supported Splunk Add-on for Microsoft Office 365.	Microsoft Graph	(Application) GroupMember.ReadWrite.All - Read and write all group memberships	N/A
	Stop Azure VM (alert action) This input has been migrated to the supported Splunk Add-on for Microsoft Cloud Services.	N/A		(Subscription) Virtual Machine Contributor
	Dismiss Azure Alert (alert action) This input has been migrated to the supported Splunk Add-on for Microsoft Security.	N/A		(Subscription) Contributor

Splunk Add-on for Microsoft Office 365 Splunkbase Documentation	Management Activity: Audit.Azure Active Directory Audit.Exchange Audit.Share Point Audit.General DLP.All	Office 365 Management APIs	(Application) ActivityFeed.Read (Application) ActivityFeed.ReadDlp (if collecting DLP data) (Delegated) ActivityFeed.Read (Delegated) ActivityFeed.ReadDlp (if collecting DLP data)	N/A	`o365:management:activity`
	Service Health & Communications Service Health Service Update Messages	Microsoft Graph	(Application) ServiceHealth.Read.All (Application) ServiceMessage.Read.All	N/A	`o365:service:healthIssue o365:service:updateMessage`
	Mailbox Mailbox Usage Detail Mailbox Usage Mailbox Counts	Microsoft Graph	(Application) Reports.Read.All	N/A	`sourcetype=o365:graph:api source=MailboxUsageMailboxCounts source=MailboxUsageDetail`
	Office 365 Office 365 Groups Activity Detail Office 365 Services User Counts	Microsoft Graph	(Application) Reports.Read.All	N/A	`sourctype=o365:graph:api source=Office365GroupsActivityDetail source=Office365ServicesUserCounts`
	OneDrive One Drive Activity User Counts One Drive Usage Account Detail One Drive Usage Storage	Microsoft Graph	(Application) Reports.Read.All	N/A	`sourcetype=o365:graph:api source=OneDriveActivityUserCounts source=OneDriveUsageAccountDetail source=OneDriveUsageStorage`
	SharePoint SharePoint Site Usage Detail SharePoint Site Usage File Counts	Microsoft Graph	(Application) Reports.Read.All	N/A	`sourcetype=o365:graph:api source=SharePointSiteUsageDetail source=SharePointSiteUsageFileCounts`
	Teams Teams User Activity Counts Teams User Activity User Detail	Microsoft Graph	(Application) Reports.Read.All	N/A	`sourcetype=o365:graph:api source=TeamsUserActivityCounts source=TeamsUserActivityUserDetail`
	Yammer Yammer Groups Activity Detail Yammer Groups Activity Group Counts	Microsoft Graph	(Application) Reports.Read.All	N/A	`sourcetype=o365:graph:api source=YammerGroupsActivityDetail source=YammerGroupsActivityGroupCounts`
	Audit Logs Audit Logs.Sign Ins	Microsoft Graph	(Application) AuditLog.Read.All (Application) Directory.Read.All	N/A	`sourcetype=o365:graph:api source=AuditLogs.SignIns`
	Cloud Application Security ^[3] Policies Alerts Cloud Discovery Entities Files Cloud Application Security is now Microsoft Defender for Cloud Apps				`o365:cas:api`
	Message Trace	Office 365 Exchange Online	(Application) ReportingWebService.Read.All	Global Reader or Security Reader	`o365:reporting:messagetrace`
	Microsoft Entra ID Metadata Users Groups Applications Devices	Microsoft Graph	(Application) User.Read.All - Read all users' full profiles (Application) Group.Read.All - Read all groups (Application) Application.Read.All (Application) Device.Read.All - Read all devices	N/A	`o365:metadata`

Microsoft O365 Email Add-on for Splunk Splunkbase Documentation	O365 Email	Microsoft Graph	(Application) Mail.ReadWrite	N/A	`ms:o365:email`
	O365 Email Groups	Microsoft Graph	(Application) Group.Read.All (Application) GroupMember.Read.All (Application) Directory.Read.All	N/A	`ms:o365:groups`

Microsoft Teams Add-on for Splunk Splunkbase Video Walkthrough Documentation	Teams Call Record (New)	Microsoft Graph	(Application) CallRecords.Read.All	N/A	`m365:teams:callRecord`
	Teams User Report	Microsoft Graph	(Application) Reports.Read.All (Delegated) Reports.Read.All	N/A	`m365:teams:user:report`
	Teams Subscription (Deprecated)	Microsoft Graph	(Delegated) Subscriptions.Read.All	N/A	`m365:subscription`
	Teams Call Record (Deprecated)	Microsoft Graph	(Application) CallRecords.Read.All	N/A	`m365:teams:callRecord`
	Teams Webhook (Deprecated)	N/A	N/A	N/A	`m365:webhook`

Splunk Add-on for Microsoft Security Splunkbase Documentation	Microsoft 365 Defender Incidents	Microsoft Threat Protection	(Application) Incident.Read.All	N/A	`m365:defender:incident m365:defender:incident:alerts`
	Defender Advanced Hunting (action)	Microsoft Threat Protection	(Application) AdvancedHunting.Read.All	N/A	`m365:defender:incident:advanced_hunting`
	Defender Update Incident (action)	Microsoft Threat Protection	(Application) Incident.ReadWrite.All	N/A	N/A
	Microsoft Defender for Endpoint Alerts	WindowsDefenderATP	(Application) Alert.Read.All	N/A	`ms:defender:atp:alerts`
	Microsoft Defender Simulations	Microsoft Graph	(Application) AttackSimulation.Read.All	N/A	`ms:defender:simulations`
	Microsoft Defender Event Hub	N/A	Microsoft Entra ID account with Role "Azure Event Hubs Data Receiver"	N/A	`ms:defender:eventhub`
	Microsoft Defender Threat Intelligence Datasets	Microsoft Graph	(Application) ThreatIntelligence.Read.All	N/A	`ms:defender:ti:articles ms:defender:ti:article_indicators ms:defender:ti:certificates ms:defender:ti:components ms:defender:ti:cookies ms:defender:ti:hostpairs ms:defender:ti:passivedns ms:defender:ti:subdomains ms:defender:ti:trackers ms:defender:ti:whois`
	Microsoft Defender Machines			N/A

[1] Azure Active Directory is now Microsoft Entra ID

[2] Azure Security Center is now Microsoft Defender for Cloud

[3] Cloud Application Security is now Microsoft Defender for Cloud Apps

Explore →

Citrix XenApp (21) Resouce Manager (14) Web Interface (9) General (7) Access Gateway (1) MFCOM (7) VDI (1) PowerShell (8) Citrix (15) Mobility (3) Splunk (18) Splunk Blog (16) IoT (1)