Gain End-to-End Visibility Into Your Azure Cloud Environment Using Splunk


© 2018 SPLUNK INC.

Gain End-to-End Visibility Into Your Azure Cloud Environment using Splunk
A data journey through Azure

Jason Conger | Splunk

October 2018 | Version 1.0



Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC.

The forward-looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or accurate
information. We do not assume any obligation to update any forward-looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in
the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2018 Splunk Inc. All rights reserved.

whoami

[email protected]
@JasonConger
http://www.linkedin.com/in/JasonConger
https://www.splunk.com/blog/author/jconger.html
Staff Solutions Architect
Global Strategic Alliances
6+ years at Splunk
Created or consulted on 25+ Splunkbase applications
There are 10 types of people in the world;
those that understand binary and those that do not.

How Azure Makes Data Available

Different Planes for Data
Control & Data

Control Plane: System Configuration and Management

Data Plane: Provisioned Service and Diagnostic Data

Storage Account
Storage Accounts are the least common denominator for Azure services

Azure services write their data to a Storage Account, as Blobs or as Tables: raw JSON, log lines, CSV, etc.

Storage Account Blobs
Similar to a file system: Account -> Container -> Blob

▶ My Storage Account
• Container "pictures": blobs IMG01.PNG and folder/IMG02.PNG
• Container "movies": blob MOV1.MPG

Example: NSG Flow Logs
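NSG flow logs are the blob example the slide names: Azure writes them as JSON blobs in which each record holds, per NSG rule and per NIC, a list of comma-separated flow tuples. As an added illustration (not code from the slides or from any Splunk add-on), the Python below flattens one such blob into one event per flow, using the v1 tuple layout (timestamp, source IP, destination IP, source port, destination port, protocol, direction, decision) and then counts denied inbound flows per port, which is what a Splunk panel over this data typically shows. The sample blob and the subscription/NSG names in it are constructed.

```python
import json
from collections import Counter

# Constructed sample in the NSG flow log v1 layout: one record, two rules, one NIC,
# three flow tuples. Subscription, resource group and NSG names are placeholders.
SAMPLE_BLOB = json.dumps({"records": [{
    "time": "2018-10-02T14:15:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/EXAMPLE-SUB/RESOURCEGROUPS/EXAMPLE-RG/PROVIDERS/"
                  "MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/EXAMPLE-NSG",
    "properties": {"Version": 1, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1538489700,203.0.113.10,10.0.0.4,51234,22,T,I,D",
            "1538489701,203.0.113.10,10.0.0.4,51235,3389,T,I,D"]}]},
        {"rule": "UserRule_AllowHTTPS", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1538489702,198.51.100.7,10.0.0.4,44001,443,T,I,A"]}]}]}}]})

# Field order of a v1 flow tuple; v2 appends flow state and byte/packet counters after these
TUPLE_FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto", "direction", "decision")

def parse_flow_log(blob_text):
    """Flatten one flow log blob into one dict per flow tuple, carrying rule, NIC and NSG name."""
    events = []
    for record in json.loads(blob_text)["records"]:
        nsg = record["resourceId"].rsplit("/", 1)[-1]
        for rule in record["properties"]["flows"]:
            for nic in rule["flows"]:
                for tup in nic["flowTuples"]:
                    # Take the first eight fields so v2 tuples parse the same way
                    ev = dict(zip(TUPLE_FIELDS, tup.split(",")[:8]))
                    ev["ts"] = int(ev["ts"])
                    ev.update(rule=rule["rule"], mac=nic["mac"], nsg=nsg)
                    events.append(ev)
    return events

def denied_inbound_by_port(events):
    """Denied inbound flows per destination port: the kind of panel an NSG dashboard shows."""
    return Counter(e["dst_port"] for e in events
                   if e["direction"] == "I" and e["decision"] == "D")
```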

Storage Account Table
Similar to CSV or a database table: Account -> Table -> Entity

▶ My Storage Account
• Table "customers": entities with properties such as Name = …, Email = …
• Table "photos": entities with properties such as PhotoID = …, Date = …

Example: VM Performance Logs

REST APIs
Metadata, Topology, Consumption

Event Hubs
High Velocity and Scale

Azure Monitor moves data to Event Hubs.

The Azure Monitor Add-on for Splunk pulls data from Event Hubs.

Azure Functions
Serverless Code

Serverless code can take action on events in the hub.

Azure Function blueprints to push data to Splunk via HEC:
https://github.com/Microsoft/AzureFunctionforSplunkVS
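The blueprint linked above is a C# project; as an added Python illustration (not the blueprint's code, and not part of the slides), this shows the core transform such a function performs: it takes one Event Hub message in Azure Monitor's {"records": [...]} shape, wraps each record in a HEC event envelope that keeps Azure's own timestamp rather than the time of arrival, and batches the events for a POST to the collector endpoint with the "Authorization: Splunk <token>" header HEC expects. The sample message, the collector URL placeholder and the sourcetype naming scheme are assumptions.

```python
import json
from datetime import datetime, timezone

# Placeholder collector endpoint; a real function reads this and the token from app settings
HEC_URL = "https://splunk.example.invalid:8088/services/collector/event"

# Constructed Event Hub message in Azure Monitor's {"records": [...]} shape (two records);
# tenant, subscription and resource names are placeholders
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2018-10-02T14:15:00.1234567Z", "category": "SignInLogs",
     "resourceId": "/tenants/EXAMPLE-TENANT/providers/Microsoft.aadiam",
     "operationName": "Sign-in activity",
     "properties": {"userPrincipalName": "user@example.com", "status": {"errorCode": 0}}},
    {"time": "2018-10-02T14:15:01Z", "category": "Administrative",
     "resourceId": "/SUBSCRIPTIONS/EXAMPLE-SUB/RESOURCEGROUPS/EXAMPLE-RG/PROVIDERS/"
                   "MICROSOFT.COMPUTE/VIRTUALMACHINES/VM01",
     "operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"}]})

def iso_to_epoch(ts):
    """Azure timestamps are UTC ISO 8601, sometimes with 7 fractional digits (more than %f takes)."""
    base, _, frac = ts.rstrip("Z").partition(".")
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.timestamp() + (int((frac + "000000")[:6]) / 1e6 if frac else 0.0)

def sourcetype_for(record):
    # Assumed naming scheme for this example; the add-on's real sourcetypes are not on the page
    return "azure:monitor:" + record.get("category", "unknown").lower()

def to_hec_events(eventhub_body):
    """Wrap each record in a HEC event envelope; 'time' is Azure's timestamp, not arrival time."""
    events = []
    for rec in json.loads(eventhub_body)["records"]:
        events.append({
            "time": iso_to_epoch(rec["time"]),
            "host": rec.get("resourceId", "unknown").rsplit("/", 1)[-1].lower(),
            "source": "azure:eventhub",
            "sourcetype": sourcetype_for(rec),
            "event": rec,
        })
    return events

def hec_batches(events, max_events=100):
    """HEC accepts several JSON event objects in one POST body; chunk to bound request size."""
    for i in range(0, len(events), max_events):
        yield "\n".join(json.dumps(e, separators=(",", ":")) for e in events[i:i + max_events])

def hec_headers(token):
    """Headers for POSTing a batch to HEC_URL; the token is the HEC input token, kept in settings."""
    return {"Authorization": "Splunk " + token, "Content-Type": "application/json"}
```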

Recap
Storage Accounts, REST, Event Hub

Azure Add-on Landscape
Tools for your Splunk + Azure Toolbox

Azure Add-on Landscape
Is there an add-on for that?

▶ Splunk Add-on for Microsoft Cloud Services
• Audit Input, Blob Input, VM Metrics Input
▶ Azure Monitor Add-on for Splunk
• Resource Audit Input, Diagnostics Input, Metric Input
▶ Azure Billing Add-on for Splunk
• Consumption and Billing Input
▶ Azure Inventory Add-on for Splunk
• VM Input, Storage Input, Topology Input
▶ Splunk DB Connect

Data type and the path(s) through which it is collected:
▶ Audit Logs: via API; via Event Hub
▶ Diagnostic Logs: via Storage; via Event Hub
▶ Azure AD Sign-ins: via Event Hub
▶ Azure AD Audit: via Event Hub
▶ VM Metrics: via Table; via API
▶ Metrics*: via API
▶ VM Metadata: via API (two add-ons collect it)
▶ Storage Metadata: via API
▶ Topology: via API
▶ NSG Flow Logs: via Storage
▶ Security Center: via Event Hub
▶ Consumption and Cost: via API
▶ SQL sys Tables: via SQL

Where do Add-ons run?
Indexing, forwarding, egress, compression

Possible data egress (tiered costs) applies whenever data leaves Azure.

▶ Indexing inside Azure (forwarder inside Azure)
• VM cost: OpEx
• S2S compression = lower egress usage
• Forwarder filtering via Splunk options prior to egress
▶ Indexing outside Azure (forwarder outside Azure)
• CapEx
• Uncompressed data = more egress usage
• Filtering on API level requires coding

Azure Data Use Cases
I’ve got the data, now what?

Environment Overview
Multiple Subscriptions and Tenants in one place

Topology
Multiple Account and Subscription Topology Visualization

Billing and Consumption
Analyze Spend and Predict Costs

Demo
Exploring Azure data with Splunk

Additional Microsoft Cloud Sessions at .conf18

▶ SEC1297 - Down in the Weeds, Up in the Cloud: Splunking Your Azure and Office 365
• Tuesday, Oct 02, 2:15 p.m. - 3:00 p.m.
▶ SEC1355 - Hunting the Known Unknown: Microsoft Cloud
• Tuesday, Oct 02, 4:45 p.m. - 5:30 p.m.
▶ IT1452 - Reaching Cloud Nirvana in a Multi-Cloud World
• Wednesday, Oct 03, 11:30 a.m. - 12:15 p.m.
▶ SEC1097 - Office 365 in Nearly That Many Days: Splunking Microsoft Cloud Data, Then and Now
• Wednesday, Oct 03, 4:30 p.m. - 5:15 p.m.

Splunk + Azure + BYOL
Running Splunk in Azure

Additional Resources
▶ Splunk Blogs
• https://www.splunk.com/blog/search.html?query=azure
▶ Splunk Security Essentials
• https://splunkbase.splunk.com/app/3435/
▶ Azure Storage Explorer
• https://azure.microsoft.com/en-us/features/storage-explorer/
▶ Azure Metrics List
• https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-supported-metrics
▶ Diagnostic Log List
• https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-diagnostic-logs-schema

Thank You
Don't forget to rate this session
in the .conf18 mobile app

Concepts
Tenants and Subscriptions
AAD Applications
Service Principals
Log Profiles

Azure Organization, Tenants, Subscriptions

▶ Organization (Enterprise Account)
• Tenant: AD Domain / Accounts
• Subscription: Billing Unit
• Resources live inside a Subscription

Example:
▶ Tenant (splunk.com)
• Subscription (prod) -> Resources
• Subscription (dev) -> Resources
▶ Tenant (phantom.us)
• Subscription (prod) -> Resources

Metrics Available from Azure Monitor

https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-supported-metrics

▶ Microsoft.AnalysisServices/servers
▶ Microsoft.ApiManagement/service
▶ Microsoft.Automation/automationAccounts
▶ Microsoft.Batch/batchAccounts
▶ Microsoft.Cache/redis
▶ Microsoft.ClassicCompute/virtualMachines
▶ Microsoft.ClassicCompute/domainNames/slots/roles
▶ Microsoft.CognitiveServices/accounts
▶ Microsoft.Compute/virtualMachines
▶ Microsoft.Compute/virtualMachineScaleSets
▶ Microsoft.Compute/virtualMachineScaleSets/virtualMachines
▶ Microsoft.ContainerInstance/containerGroups
▶ Microsoft.ContainerService/managedClusters
▶ Microsoft.CustomerInsights/hubs
▶ Microsoft.DataFactory/datafactories
▶ Microsoft.DataFactory/factories
▶ Microsoft.DataLakeAnalytics/accounts
▶ Microsoft.DataLakeStore/accounts
▶ Microsoft.DBforMySQL/servers
▶ Microsoft.DBforPostgreSQL/servers
▶ Microsoft.Devices/IotHubs
▶ Microsoft.Devices/provisioningServices
▶ Microsoft.DocumentDB/databaseAccounts
▶ Microsoft.EventHub/namespaces
▶ Microsoft.HDInsight/clusters
▶ Microsoft.Insights/AutoscaleSettings
▶ Microsoft.KeyVault/vaults
▶ Microsoft.LocationBasedServices/accounts
▶ Microsoft.Logic/workflows
▶ Microsoft.Network/loadBalancers
▶ Microsoft.Network/dnszones
▶ Microsoft.Network/publicIPAddresses
▶ Microsoft.Network/applicationGateways
▶ Microsoft.Network/virtualNetworkGateways
▶ Microsoft.Network/expressRouteCircuits
▶ Microsoft.Network/trafficManagerProfiles
▶ Microsoft.Network/networkWatchers/connectionMonitors
▶ Microsoft.Relay/namespaces
▶ Microsoft.Search/searchServices
▶ Microsoft.ServiceBus/namespaces
▶ Microsoft.SignalRService/SignalR
▶ Microsoft.Sql/servers/databases
▶ Microsoft.Sql/servers/elasticPools
▶ Microsoft.Sql/servers
▶ Microsoft.Storage/storageAccounts
▶ Microsoft.Storage/storageAccounts/blobServices
▶ Microsoft.Storage/storageAccounts/tableServices
▶ Microsoft.Storage/storageAccounts/queueServices
▶ Microsoft.Storage/storageAccounts/fileServices
▶ Microsoft.StreamAnalytics/streamingjobs
▶ Microsoft.TimeSeriesInsights/environments
▶ Microsoft.TimeSeriesInsights/environments/eventsources
▶ Microsoft.Web/serverfarms
▶ Microsoft.Web/sites (excluding functions)
▶ Microsoft.Web/sites (functions)
▶ Microsoft.Web/sites/slots
▶ Microsoft.Web/hostingEnvironments/multiRolePools
▶ Microsoft.Web/hostingEnvironments/workerPools

Terms and Aliases


▶ Tenant ID = Directory ID
▶ Application ID = Client ID
▶ Key = Client Secret
▶ Service Principal
• When creating an Azure AD application, the Service Principal is the representation of that
application in the tenant(s).
▶ Log Profile
• Defines where logs go. Note: logs can go to more than one place at the same time.
