| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | AA | AB | AC | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | Add-on | Input/Action | API | Permissions | Role (IAM) | Default Sourcetype(s) / Sources | Notes | ||||||||||||||||||||||
2 | Splunk Add-on for Microsoft Cloud Services https://splunkbase.splunk.com/app/3110/ https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/About | Azure Storage Table Azure Storage Blob | N/A | Access key OR Shared Access Signature: - Allowed services: Blob, Table - Allowed resource types: Service, Container, Object - Allowed permissions: Read, List | N/A | mscs:storage:blob mscs:storage:blob:json mscs:storage:blob:xml mscs:storage:table | https://docs.microsoft.com/en-us/rest/api/storageservices/Constructing-an-Account-SAS | ||||||||||||||||||||||
3 | Azure Audit | N/A | N/A | (Subscription) Reader | mscs:azure:audit | ||||||||||||||||||||||||
4 | Azure Resource | N/A | N/A | (Subscription) Reader | mscs:resource:virtualMachine mscs:resource:networkInterfaceCard mscs:resource:publicIPAddress mscs:resource:virtualNetwork mscs:resource:disk mscs:resource:image mscs:resource:snapshot mscs:resource:resourceGroup mscs:resource:subscriptions mscs:resource:security Group | ||||||||||||||||||||||||
5 | Event Hub | N/A | No API permissions are needed, but the Azure AD app registration needs to be assigned to the "Azure Event Hubs Data receiver" role on the Event Hub namespace | (Event Hub) Azure Event Hubs Data receiver | mscs:azure:eventhub (generic event hub events) | https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Configureeventhubs | |||||||||||||||||||||||
6 | azure:monitor:aad | Azure Active Directory events - Azure AD sign-ins and Azure AD audit | |||||||||||||||||||||||||||
7 | azure:monitor:activity | Azure activity log events | |||||||||||||||||||||||||||
8 | azure:monitor:resource | Azure resources - examples: Cosmos DB, Azure Data Share | |||||||||||||||||||||||||||
9 | Metrics | N/A | (Subscription) Reader | mscs:metrics mscs:metrics:events | |||||||||||||||||||||||||
10 | Azure KQL Log Analytics | Log Analytics API | (Application) Data.Read - Read Log Analytics data | N/A | mscs:kql mscs:kql:stats | ||||||||||||||||||||||||
11 | Azure Consumption (Billing) | N/A | (Subscription) Reader | mscs:consumption:billing mscs:consumption:reservation:recommendation | https://docs.microsoft.com/en-us/rest/api/consumption/usagedetails/list | ||||||||||||||||||||||||
12 | |||||||||||||||||||||||||||||
13 | Splunk Add-on for Microsoft Azure https://splunkbase.splunk.com/app/3757/ https://github.com/splunk/splunk-add-on-microsoft-azure/wiki | Azure Active Directory Sign-ins The REST API this input uses is subject to throttling limits. Refer to the throttling guidance for more information. | Microsoft Graph | (Application) AuditLog.Read.All - Read all audit log data | N/A | azure:aad:signin | An Azure AD Premium P1 or P2 license is required to use this input. https://docs.microsoft.com/en-us/graph/api/resources/signin | ||||||||||||||||||||||
14 | (Application) Directory.Read.All | N/A | https://docs.microsoft.com/en-us/graph/known-issues#azure-ad-activity-reports-can-return-an-error | ||||||||||||||||||||||||||
15 | Due to throttling limits, it is recommended to send Azure AD sign-in data to an event hub and use the Splunk Add-on for Microsoft Cloud Services or Splunk Data Manager (cloud only) to collect the data. | ||||||||||||||||||||||||||||
16 | Azure Active Directory Users | Microsoft Graph | (Application) User.Read.All - Read all users' full profiles | N/A | azure:aad:user | ||||||||||||||||||||||||
17 | Azure Active Directory Groups | Microsoft Graph | (Application) Group.Read.All - Read all groups | N/A | azure:aad:group | ||||||||||||||||||||||||
18 | Azure Active Directory Audit The REST API this input uses is subject to throttling limits. Refer to the throttling guidance for more information. | Microsoft Graph | (Application) AuditLog.Read.All - Read all audit log data | N/A | azure:aad:audit | ||||||||||||||||||||||||
19 | (Application) Directory.Read.All | N/A | https://docs.microsoft.com/en-us/graph/known-issues#azure-ad-activity-reports-can-return-an-error | ||||||||||||||||||||||||||
20 | Due to throttling limits, it is recommended to send Azure AD audit data to an event hub and use the Splunk Add-on for Microsoft Cloud Services or Splunk Data Manager (cloud only) to collect the data. | ||||||||||||||||||||||||||||
21 | Azure Active Directory Risk Detection | Microsoft Graph | (Application) IdentityRiskEvent.Read.All - Read all identity risk event information (Application) IdentityRiskyUser.Read.All - Read all identity risk user information | N/A | azure:aad:identity_protection:risk_detection azure:aad:identity_protection:risky_user | ||||||||||||||||||||||||
22 | Azure Active Directory Devices | Microsoft Graph | (Application) Device.Read.All - Read all devices | N/A | azure:aad:device | ||||||||||||||||||||||||
23 | Metrics This input has been migrated to the supported Splunk Add-on for Microsoft Cloud Services. | N/A | (Subscription) Reader | azure:metrics | |||||||||||||||||||||||||
24 | Security Center (now called Microsoft Defender for Cloud) | N/A | (Subscription) Reader | azure:securityCenter:alert azure:securityCenter:task | Security Center has been renamed to Microsoft Defender for Cloud. It is now possible to export these data source to an Event Hub https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export?tabs=azure-portal | ||||||||||||||||||||||||
25 | Subscriptions This input has been migrated to the supported Splunk Add-on for Microsoft Cloud Services as part of the "Azure Resource" input. | N/A | (Subscription) Reader | azure:subscriptions | |||||||||||||||||||||||||
26 | Resource Groups This input has been migrated to the supported Splunk Add-on for Microsoft Cloud Services as part of the "Azure Resource" input. | N/A | (Subscription) Reader | azure:resource:group | |||||||||||||||||||||||||
27 | Virtual Networks This input has been migrated to the supported Splunk Add-on for Microsoft Cloud Services as part of the "Azure Resource" input. | N/A | (Subscription) Reader | azure:vnet azure:vnet:nic azure:vnet:nsg azure:vnet:ip:public | |||||||||||||||||||||||||
28 | Compute This input has been migrated to the supported Splunk Add-on for Microsoft Cloud Services as part of the "Azure Resource" input. | N/A | (Subscription) Reader | azure:compute:vm azure:compute:disk azure:compute:image azure:compute:snapshot | |||||||||||||||||||||||||
29 | Azure KQL Log Analytics This input has been migrated to the supported Splunk Add-on for Microsoft Cloud Services. | Log Analytics API | (Application) Data.Read - Read Log Analytics data | N/A | azure:kql azure:kql:stats | ||||||||||||||||||||||||
30 | Azure Billing and Consumption This input has been migrated to the supported Splunk Add-on for Microsoft Cloud Services. | N/A | (Subscription) Reader | azure:billing | https://docs.microsoft.com/en-us/rest/api/consumption/usagedetails/list | ||||||||||||||||||||||||
31 | Azure Reservation Recommendation This input has been migrated to the supported Splunk Add-on for Microsoft Cloud Services as part of the "Azure Consumption(Billing)" input. | N/A | (Subscription) Reader | azure:reservation:recommendation | |||||||||||||||||||||||||
32 | Azure Resource Graph | N/A | (Subscription) Reader | azure:resourcegraph | |||||||||||||||||||||||||
33 | Azure Topology (automatic) | N/A | (Subscription) Reader | azure:topology | |||||||||||||||||||||||||
34 | Azure Topology (manual) | N/A | (Subscription) Reader | azure:topology | |||||||||||||||||||||||||
35 | Add member to Microsoft 365 Group (alert action) | Microsoft Graph | (Application) GroupMember.ReadWrite.All - Read and write all group memberships | N/A | Adds a member to a group. This can be useful if you need to enable additional policies like MFA based on search results. | ||||||||||||||||||||||||
36 | Stop Azure VM (alert action) | N/A | (Subscription) Virtual Machine Contributor | Stops an Azure Virtual Machine | |||||||||||||||||||||||||
37 | Dismiss Azure Alert (alert action) | N/A | (Subscription) Contributor | https://docs.microsoft.com/en-us/azure/defender-for-cloud/permissions | |||||||||||||||||||||||||
38 | |||||||||||||||||||||||||||||
39 | Splunk Add-on for Microsoft Office 365 https://splunkbase.splunk.com/app/4055/ https://docs.splunk.com/Documentation/AddOns/released/MSO365/About | Management Activity Audit.Azure Active Directory Audit.Exchange Audit.Share Point Audit.General DLP.All | Office 365 Management APIs | (Application) ActivityFeed.Read (Application) ActivityFeed.ReadDlp (if collecting DLP data) (Delegated) ActivityFeed.Read (Delegated) ActivityFeed.ReadDlp (if collecting DLP data) | N/A | o365:management:activity | Click the "Grant permissions" button after creating/updating permissions. DLP is only necessary when using the DLP.All content type found in the Management Activity input. https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema | ||||||||||||||||||||||
40 | Service Health & Communications Service Health Service Update Messages | Microsoft Graph | (Application) ServiceHealth.Read.All (Application) ServiceMessage.Read.All | o365:service:healthIssue o365:service:updateMessage | https://learn.microsoft.com/graph/api/serviceannouncement-list-issues https://learn.microsoft.com/graph/api/serviceannouncement-list-messages | ||||||||||||||||||||||||
41 | Mailbox Mailbox Usage Detail Mailbox Usage Mailbox Counts | Microsoft Graph | (Application) Reports.Read.All | sourcetype=o365:graph:api source=MailboxUsageMailboxCounts source=MailboxUsageDetail | https://learn.microsoft.com/graph/api/reportroot-getmailboxusagemailboxcounts https://learn.microsoft.com/graph/api/reportroot-getmailboxusagedetail | ||||||||||||||||||||||||
42 | Office 365 Office 365 Groups Activity Detail Office 365 Services User Counts | Microsoft Graph | (Application) Reports.Read.All | sourctype=o365:graph:api source=Office365GroupsActivityDetail source=Office365ServicesUserCounts | https://learn.microsoft.com/graph/api/reportroot-getoffice365groupsactivitydetail https://learn.microsoft.com/graph/api/reportroot-getoffice365servicesusercounts | ||||||||||||||||||||||||
43 | One Drive One Drive Activity User Counts One Drive Usage Account Detail One Drive Usage Storage | Microsoft Graph | (Application) Reports.Read.All | sourcetype=o365:graph:api source=OneDriveActivityUserCounts source=OneDriveUsageAccountDetail source=OneDriveUsageStorage | https://learn.microsoft.com/graph/api/reportroot-getonedriveactivityusercounts https://learn.microsoft.com/graph/api/reportroot-getonedriveactivityuserdetail https://learn.microsoft.com/graph/api/reportroot-getonedriveusagestorage | ||||||||||||||||||||||||
44 | Share Point Share Point Site Usage Detail Share Point Site Usage File Counts | Microsoft Graph | (Application) Reports.Read.All | sourcetype=o365:graph:api source=SharePointSiteUsageDetail source=SharePointSiteUsageFileCounts | https://learn.microsoft.com/graph/api/reportroot-getsharepointsiteusagedetail https://learn.microsoft.com/graph/api/reportroot-getsharepointsiteusagefilecounts | ||||||||||||||||||||||||
45 | Teams Teams User Activity Counts Teams User Activity User Detail | Microsoft Graph | (Application) Reports.Read.All | sourcetype=o365:graph:api source=TeamsUserActivityCounts source=TeamsUserActivityUserDetail | https://learn.microsoft.com/graph/api/reportroot-getteamsuseractivitycounts https://learn.microsoft.com/graph/api/reportroot-getteamsuseractivityuserdetail | ||||||||||||||||||||||||
46 | Yammer Yammer Groups Activity Detail Yammer Groups Activity Group Counts | Microsoft Graph | (Application) Reports.Read.All | sourcetype=o365:graph:api source=YammerGroupsActivityDetail source=YammerGroupsActivityGroupCounts | https://learn.microsoft.com/graph/api/reportroot-getyammergroupsactivitydetail | ||||||||||||||||||||||||
47 | Audit Logs Audit Logs.Sign Ins The REST API this input uses is subject to throttling limits. Refer to the throttling guidance for more information. | Microsoft Graph | (Application) AuditLog.Read.All (Application) Directory.Read.All | sourcetype=o365:graph:api source=AuditLogs.SignIns | An Azure AD Premium P1 or P2 license is required to use this input. https://docs.microsoft.com/en-us/graph/api/resources/signin Due to throttling limits, it is recommended to send Azure AD sign-in data to an event hub and use the Splunk Add-on for Microsoft Cloud Services or Splunk Data Manager (cloud only) to collect the data. | ||||||||||||||||||||||||
48 | Cloud Application Security Policies Alerts Cloud Discovery Entities Files | o365:cas:api | O365 Cloud Application Security uses a token generated from the portal. https://portal.cloudappsecurity.com/ Once logged in, go to Settings > Security extensions > Add token https://learn.microsoft.com/defender-cloud-apps/api-introduction#what-actions-are-supported | ||||||||||||||||||||||||||
49 | Message Trace | APIs my organization uses => Office 365 Exchange Online | (Application) ReportingWebService.Read.All | Global Reader | o365:reporting:messagetrace | Updated Microsoft documentation: https://docs.microsoft.com/en-us/previous-versions/office/developer/o365-enterprise-developers/jj984325(v=office.15) | |||||||||||||||||||||||
50 | |||||||||||||||||||||||||||||
51 | Microsoft O365 Email Add-on for Splunk https://splunkbase.splunk.com/app/5365/ | O365 Email | Microsoft Graph | (Application) Mail.ReadWrite | N/A | ms:o365:email | Click the "Grant permissions" button after creating/updating permissions. | ||||||||||||||||||||||
52 | O365 Email Groups | Microsoft Graph | (Application) Group.Read.All (Application) GroupMember.Read.All (Application) Directory.Read.All | ms:o365:groups | |||||||||||||||||||||||||
53 | |||||||||||||||||||||||||||||
54 | Microsoft Teams Add-on for Splunk https://splunkbase.splunk.com/app/4994/ | Teams User Report | Microsoft Graph | (Application) Reports.Read.All (Delegated) Reports.Read.All | N/A | m365:teams:user:report | https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Teams_call_record_data | ||||||||||||||||||||||
55 | Teams Subscription | Microsoft Graph | (Delegated) Subscriptions.Read.All | m365:subscription | |||||||||||||||||||||||||
56 | Teams Call Record | Microsoft Graph | (Application) CallRecords.Read.All | m365:teams:callRecord | |||||||||||||||||||||||||
57 | Teams Webhook | N/A | N/A | m365:webhook | |||||||||||||||||||||||||
58 | |||||||||||||||||||||||||||||
59 | Splunk Add-on for Microsoft Security https://splunkbase.splunk.com/app/6207/ | Microsoft 365 Defender Incidents (input) | Microsoft Threat Protection | (Application) Incident.Read.All | N/A | m365:defender:incident m365:defender:incident:alerts | https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-hello-world?view=o365-worldwide | ||||||||||||||||||||||
60 | Defender Advanced Hunting (action) | Microsoft Threat Protection | (Application) AdvancedHunting.Read.All | N/A | m365:defender:incident:advanced_hunting | https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-advanced-hunting?view=o365-worldwide | |||||||||||||||||||||||
61 | Defender Update Incident (action) | Microsoft Threat Protection | (Application) Incident.ReadWrite.All | N/A | N/A | https://docs.microsoft.com/en-us/microsoft-365/security/defender/api-update-incidents?view=o365-worldwide | |||||||||||||||||||||||
62 | Microsoft Defender for Endpoint Alerts (input) | WindowsDefenderATP | (Application) Alert.Read.All | N/A | ms:defender:atp:alerts | https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/api-hello-world?view=o365-worldwide | |||||||||||||||||||||||
63 | |||||||||||||||||||||||||||||
64 | Microsoft Graph Security API Add-on for Splunk https://splunkbase.splunk.com/app/4564/ | Microsoft Graph Security | Microsoft Graph | (Application) SecurityEvents.Read.All | N/A | mscs:resource:virtualMachine mscs:resource:networkInterfaceCard mscs:resource:publicIPAddress mscs:resource:virtualNetwork mscs:resource:disk mscs:resoure:image mscs:resoure:snapshot mscs:resoure:resourceGroup mscs:resoure:subscriptions mscs:resoure:securityGroup | https://docs.microsoft.com/en-us/graph/security-concept-overview | ||||||||||||||||||||||
65 | |||||||||||||||||||||||||||||
66 | |||||||||||||||||||||||||||||
67 | |||||||||||||||||||||||||||||
68 | |||||||||||||||||||||||||||||
69 | |||||||||||||||||||||||||||||
70 | |||||||||||||||||||||||||||||
71 | |||||||||||||||||||||||||||||
72 | |||||||||||||||||||||||||||||
73 | |||||||||||||||||||||||||||||
74 | |||||||||||||||||||||||||||||
75 | |||||||||||||||||||||||||||||
76 | |||||||||||||||||||||||||||||
77 | |||||||||||||||||||||||||||||
78 | |||||||||||||||||||||||||||||
79 | |||||||||||||||||||||||||||||
80 | |||||||||||||||||||||||||||||
81 | |||||||||||||||||||||||||||||
82 | |||||||||||||||||||||||||||||
83 | |||||||||||||||||||||||||||||
84 | |||||||||||||||||||||||||||||
85 | |||||||||||||||||||||||||||||
86 | |||||||||||||||||||||||||||||
87 | |||||||||||||||||||||||||||||
88 | |||||||||||||||||||||||||||||
89 | |||||||||||||||||||||||||||||
90 | |||||||||||||||||||||||||||||
91 | |||||||||||||||||||||||||||||
92 | |||||||||||||||||||||||||||||
93 | |||||||||||||||||||||||||||||
94 | |||||||||||||||||||||||||||||
95 | |||||||||||||||||||||||||||||
96 | |||||||||||||||||||||||||||||
97 | |||||||||||||||||||||||||||||
98 | |||||||||||||||||||||||||||||
99 | |||||||||||||||||||||||||||||
100 | |||||||||||||||||||||||||||||