This is not a deep, beefy blog post, but more of an announcement post for those that have been wanting an easier way to get Splunk data into Azure Sentinel to tie the two systems together.
I’ve worked with a number of customers over the last year that are either wanting to move to Azure Sentinel from Splunk, or wanting to save Splunk costs by keeping cloud data in Azure and on-prem data in Splunk. But, with each scenario, they would also love to tie the data from both systems together: in one case, to perform a more comprehensive migration and relieve themselves of that big contract cost burden, and in the other case, to use both more intelligently.
Splunkbase has an add-on for Azure Sentinel customers called simply: Azure Sentinel Add-On for Splunk.
Fortunately, the add-on is free, and it was developed by Microsoft so it has to be fantastic — right? It enables customers to ingest Splunk data into Azure Sentinel and query the data with KQL in a custom table.
I may dig into the details of this a bit later in another blog post once I’m more comfortable with the add-on myself. I’m positive I’ll be working with this a lot due to customer interest.
Check it out and let me know what you think.