Splunk Add-ons for Microsoft Cloud Data Sources

- O365 Email
- O365 Email Groups
- Microsoft Graph Security

Add-on	Input/Action	API	Permissions	Role (IAM)	Default Sourcetype(s) / Sources
Splunk Add-on for Microsoft Cloud Services Splunkbase Documentation	Azure Storage Table Azure Storage Blob	N/A	Access key OR Shared Access Signature (SAS) Storage Account SAS Requirements Detail Required settings for Shared Access Signature Allowed services: `Blob, Table` Allowed resource types: `Service, Container, Object` Allowed permissions: `Read, List`	N/A	`mscs:storage:blob mscs:storage:blob:json mscs:storage:blob:xml mscs:storage:table`
	Azure Audit	N/A	N/A	(Subscription) Reader	`mscs:azure:audit`
	Azure Resource	N/A	N/A	(Subscription) Reader	`mscs:resource:virtualMachine mscs:resource:networkInterfaceCard mscs:resource:publicIPAddress mscs:resource:virtualNetwork mscs:resource:disk mscs:resource:image mscs:resource:snapshot mscs:resource:resourceGroup mscs:resource:subscriptions mscs:resource:securityGroup`
	Event Hub	N/A	N/A	(Event Hub) Azure Event Hubs Data receiver	`mscs:azure:eventhub azure:monitor:aad azure:monitor:activity azure:monitor:resource` Event Hub Sourcetype Detail The Splunk Add-on for Microsoft Cloud Servies includes pre-trained sourcetypes for certain data sources. `azure:monitor:aad` - used for Microsoft Entra ID (Azure Active Directory) events such as sign-in events and Azure AD audit events. `azure:monitor:resource` - used for Azure resources such as Cosmos DB and Azure Data Share. `mscs:azure:eventhub` - used for generic event hub events. This sourcetype does not have any CIM mappings out-of-the-box.
	Metrics	N/A		(Subscription) Reader	`mscs:metrics mscs:metrics:events`
	Azure KQL Log Analytics	Log Analytics API	(Application) Data.Read - Read Log Analytics data	N/A	`mscs:kql mscs:kql:stats`
	Azure Consumption (Billing)	N/A		(Subscription) Reader	`mscs:consumption:billing mscs:consumption:reservation:recommendation`

Splunk Add-on for Microsoft Azure Splunkbase Documentation	Azure Active Directory ^[1] Sign-ins	Microsoft Graph	(Application) AuditLog.Read.All - Read all audit log data (Application) Directory.Read.All	N/A	`azure:aad:signin`
	Azure Active Directory ^[1] Audit	Microsoft Graph	(Application) AuditLog.Read.All - Read all audit log data (Application) Directory.Read.All	N/A	`azure:aad:audit`
	Azure Active Directory ^[1] Users	Microsoft Graph	(Application) User.Read.All - Read all users' full profiles	N/A	`azure:aad:user`
	Azure Active Directory ^[1] Groups	Microsoft Graph	(Application) Group.Read.All - Read all groups	N/A	`azure:aad:group`
	Azure Active Directory ^[1] Devices	Microsoft Graph	(Application) Device.Read.All - Read all devices	N/A	`azure:aad:device`
	Azure Active Directory ^[1] Risk Detection	Microsoft Graph	(Application) IdentityRiskEvent.Read.All - Read all identity risk event information (Application) IdentityRiskyUser.Read.All - Read all identity risk user information	N/A	`azure:aad:identity_protection:risk_detection azure:aad:identity_protection:risky_user`
	Azure Security Center ^[2] Alerts & Tasks	N/A		(Subscription) Reader	`azure:securityCenter:alert azure:securityCenter:task`
	Azure Resource Graph	N/A		(Subscription) Reader	`azure:resourcegraph`
	Azure Topology (automatic)	N/A		(Subscription) Reader	`azure:topology`
	Azure Topology (manual)	N/A		(Subscription) Reader	`azure:topology`
	Add member to Microsoft 365 Group (alert action)	Microsoft Graph	(Application) GroupMember.ReadWrite.All - Read and write all group memberships	N/A
	Stop Azure VM (alert action)	N/A		(Subscription) Virtual Machine Contributor
	Dismiss Azure Alert (alert action)	N/A		(Subscription) Contributor

Splunk Add-on for Microsoft Office 365 Splunkbase Documentation	Management Activity: Audit.Azure Active Directory Audit.Exchange Audit.Share Point Audit.General DLP.All	Office 365 Management APIs	(Application) ActivityFeed.Read (Application) ActivityFeed.ReadDlp (if collecting DLP data) (Delegated) ActivityFeed.Read (Delegated) ActivityFeed.ReadDlp (if collecting DLP data)	N/A	`o365:management:activity`
	Service Health & Communications Service Health Service Update Messages	Microsoft Graph	(Application) ServiceHealth.Read.All (Application) ServiceMessage.Read.All	N/A	`o365:service:healthIssue o365:service:updateMessage`
	Mailbox Mailbox Usage Detail Mailbox Usage Mailbox Counts	Microsoft Graph	(Application) Reports.Read.All	N/A	`sourcetype=o365:graph:api source=MailboxUsageMailboxCounts source=MailboxUsageDetail`
	Office 365 Office 365 Groups Activity Detail Office 365 Services User Counts	Microsoft Graph	(Application) Reports.Read.All	N/A	`sourctype=o365:graph:api source=Office365GroupsActivityDetail source=Office365ServicesUserCounts`
	OneDrive One Drive Activity User Counts One Drive Usage Account Detail One Drive Usage Storage	Microsoft Graph	(Application) Reports.Read.All	N/A	`sourcetype=o365:graph:api source=OneDriveActivityUserCounts source=OneDriveUsageAccountDetail source=OneDriveUsageStorage`
	SharePoint SharePoint Site Usage Detail SharePoint Site Usage File Counts	Microsoft Graph	(Application) Reports.Read.All	N/A	`sourcetype=o365:graph:api source=SharePointSiteUsageDetail source=SharePointSiteUsageFileCounts`
	Teams Teams User Activity Counts Teams User Activity User Detail	Microsoft Graph	(Application) Reports.Read.All	N/A	`sourcetype=o365:graph:api source=TeamsUserActivityCounts source=TeamsUserActivityUserDetail`
	Yammer Yammer Groups Activity Detail Yammer Groups Activity Group Counts	Microsoft Graph	(Application) Reports.Read.All	N/A	`sourcetype=o365:graph:api source=YammerGroupsActivityDetail source=YammerGroupsActivityGroupCounts`
	Audit Logs Audit Logs.Sign Ins	Microsoft Graph	(Application) AuditLog.Read.All (Application) Directory.Read.All	N/A	`sourcetype=o365:graph:api source=AuditLogs.SignIns`
	Cloud Application Security ^[3] Policies Alerts Cloud Discovery Entities Files Cloud Application Security is now Microsoft Defender for Cloud Apps				`o365:cas:api`
	Message Trace	Office 365 Exchange Online	(Application) ReportingWebService.Read.All	Global Reader	`o365:reporting:messagetrace`

Microsoft O365 Email Add-on for Splunk Splunkbase Documentation	O365 Email	Microsoft Graph	(Application) Mail.ReadWrite	N/A	`ms:o365:email`
	O365 Email Groups	Microsoft Graph	(Application) Group.Read.All (Application) GroupMember.Read.All (Application) Directory.Read.All	N/A	`ms:o365:groups`

Microsoft Teams Add-on for Splunk Splunkbase Documentation	Teams User Report	Microsoft Graph	(Application) Reports.Read.All (Delegated) Reports.Read.All	N/A	`m365:teams:user:report`
	Teams Subscription	Microsoft Graph	(Delegated) Subscriptions.Read.All	N/A	`m365:subscription`
	Teams Call Record	Microsoft Graph	(Application) CallRecords.Read.All	N/A	`m365:teams:callRecord`
	Teams Webhook	N/A	N/A	N/A	`m365:webhook`

Splunk Add-on for Microsoft Security Splunkbase Documentation	Microsoft 365 Defender Incidents	Microsoft Threat Protection	(Application) Incident.Read.All	N/A	`m365:defender:incident m365:defender:incident:alerts`
	Defender Advanced Hunting (action)	Microsoft Threat Protection	(Application) AdvancedHunting.Read.All	N/A	`m365:defender:incident:advanced_hunting`
	Defender Update Incident (action)	Microsoft Threat Protection	(Application) Incident.ReadWrite.All	N/A	N/A
	Microsoft Defender for Endpoint Alerts	WindowsDefenderATP	(Application) Alert.Read.All	N/A	`ms:defender:atp:alerts`

Microsoft Graph Security API Add-on for Splunk Splunkbase Documentation	Microsoft Graph Security	Microsoft Graph	(Application) SecurityEvents.Read.All	N/A	`mscs:resource:virtualMachine mscs:resource:networkInterfaceCard mscs:resource:publicIPAddress mscs:resource:virtualNetwork mscs:resource:disk mscs:resoure:image mscs:resoure:snapshot mscs:resoure:resourceGroup mscs:resoure:subscriptions mscs:resoure:securityGroup`

[1] Azure Active Directory is now Microsoft Entra ID

[2] Azure Security Center is now Microsoft Defender for Cloud

[3] Cloud Application Security is now Microsoft Defender for Cloud Apps