Splunk Add on for MS Cloud Services: Audit.General...

jp_elizabeth · ‎08-31-2017

Hello,

We have the Splunk Add-on for Microsoft Cloud Services installed on a HWF and we are pulling through the following events.

Service Status,
Operational Message,
Exchange Online Audit,
Sharepoint Online Audit
Azure AD Audit

We don't seem to be getting any DLP (security & compliance) events or anything from audit.general either. Does anyone know what the issue might be?

Thanks

Bloodnite · ‎09-18-2017

Double check to see if you O365 tenant has DLP policies enabled for at least testing/monitor only, and the DLP policy items show up under:

sourcetype - ms:o365:management
user=DlpAgent

a212830 · ‎09-18-2017

Audit.general is not supported yet. We've submitted an enhancement request for it, and I've been told that they hope to have it available around .conf... so... hopefully soon.

Bloodnite · ‎04-27-2018

v2.1.0 in https://splunkbase.splunk.com/app/3110/ supports it supposedly. I updated the app...and in the MSapp -> inputs> edit your O365 api input> click on the data blank space field and Audit/General shows up to choose > click on it. Save. Wait. I'm keeping my fingers crossed...

HereIAm · ‎09-12-2017

Were you able to solve this problem? We submitted a product enhancement request that isn't supposed to be done until mid October and are looking for a quick solution to get it working.

jp_elizabeth · ‎09-12-2017

We haven't been able to resolve the problem yet, it looks like it's not supported on the add-on. We're looking to try and implement using the separate REST API Modular add-on https://splunkbase.splunk.com/app/1546/#/details

Splunk Add on for MS Cloud Services: Audit.General and DLP.All (Security & Compliance) Events not showing

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2