
Splunk Add on for MS Cloud Services: Audit.General and DLP.All (Security & Compliance) Events not showing

jp_elizabeth
Explorer

Hello,

We have the Splunk Add-on for Microsoft Cloud Services installed on a HWF and we are pulling through the following events.

Service Status
Operational Message
Exchange Online Audit
SharePoint Online Audit
Azure AD Audit

We don't seem to be getting any DLP (security & compliance) events or anything from audit.general either. Does anyone know what the issue might be?

Thanks

Bloodnite
Path Finder

Double check to see if your O365 tenant has DLP policies enabled, at least for testing/monitor only, and that the DLP policy items show up under:

sourcetype - ms:o365:management
user=DlpAgent

0 Karma

a212830
Champion

Audit.general is not supported yet. We've submitted an enhancement request for it, and I've been told that they hope to have it available around .conf... so... hopefully soon.

0 Karma

Bloodnite
Path Finder

v2.1.0 in https://splunkbase.splunk.com/app/3110/ supports it supposedly. I updated the app... and in the MS app -> Inputs -> edit your O365 API input -> click on the blank data field and Audit.General shows up to choose -> click on it. Save. Wait. I'm keeping my fingers crossed...

0 Karma

HereIAm
New Member

Were you able to solve this problem? We submitted a product enhancement request that isn't supposed to be done until mid October and are looking for a quick solution to get it working.

0 Karma

jp_elizabeth
Explorer

We haven't been able to resolve the problem yet, it looks like it's not supported on the add-on. We're looking to try and implement using the separate REST API Modular add-on https://splunkbase.splunk.com/app/1546/#/details

0 Karma
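The thread's underlying point is that the Office 365 Management Activity API only delivers content types for which the tenant has an active subscription; Audit.General and DLP.All are separate content types from Audit.Exchange/Audit.SharePoint/Audit.AzureActiveDirectory, so an add-on that never started those subscriptions will not see the events regardless of how the Splunk input is configured. The script below is an added example (not code from the thread or from either Splunk add-on) that lists the tenant's subscriptions, starts the missing ones, and filters a fetched content blob down to DLP policy matches. The tenant id, app id, client secret, the `http` callable used for offline testing, and the sample subscription list and audit records are all constructed placeholders.

```python
"""Check and start Office 365 Management Activity API subscriptions.

Added example, not part of the original thread or of either Splunk add-on.
Assumed/hypothetical: tenant id, app registration credentials, the `http`
hook (injected so the logic can be exercised offline), and the sample data.
"""
import json
import urllib.parse
import urllib.request

API_ROOT = "https://manage.office.com/api/v1.0"
# Content types the add-on in the thread was missing.
WANTED = ("Audit.General", "DLP.All")
# Unified audit log RecordType values that carry DLP policy matches:
# 11 = ComplianceDLPSharePoint, 13 = ComplianceDLPExchange.
DLP_RECORD_TYPES = {11, 13}


def _urllib_request(method, url, body=None, headers=None):
    """Minimal JSON HTTP helper; replaced by a fake in the offline demo."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def get_token(tenant_id, client_id, client_secret, http=_urllib_request):
    """Client-credentials token scoped to the Management Activity API resource."""
    url = "https://login.microsoftonline.com/%s/oauth2/token" % tenant_id
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": "https://manage.office.com",
    }).encode()
    hdrs = {"Content-Type": "application/x-www-form-urlencoded"}
    return http("POST", url, body, hdrs)["access_token"]


def list_subscriptions(tenant_id, token, http=_urllib_request):
    """GET .../activity/feed/subscriptions/list -> list of subscription objects."""
    url = "%s/%s/activity/feed/subscriptions/list" % (API_ROOT, tenant_id)
    return http("GET", url, None, {"Authorization": "Bearer " + token})


def missing_content_types(subscriptions, wanted=WANTED):
    """Content types in `wanted` that have no enabled subscription."""
    enabled = {s["contentType"] for s in subscriptions
               if str(s.get("status", "")).lower() == "enabled"}
    return [ct for ct in wanted if ct not in enabled]


def start_subscriptions(tenant_id, token, content_types, http=_urllib_request):
    """POST .../subscriptions/start?contentType=X for each missing type."""
    started = []
    for ct in content_types:
        url = "%s/%s/activity/feed/subscriptions/start?contentType=%s" % (
            API_ROOT, tenant_id, urllib.parse.quote(ct))
        hdrs = {"Authorization": "Bearer " + token, "Content-Length": "0"}
        started.append(http("POST", url, b"", hdrs)["contentType"])
    return started


def dlp_records(records):
    """Keep only DLP policy-match records from a fetched content blob."""
    return [r for r in records if r.get("RecordType") in DLP_RECORD_TYPES]


# Constructed sample data, modelled on the API's response shapes.
SAMPLE_SUBSCRIPTIONS = [
    {"contentType": "Audit.Exchange", "status": "enabled", "webhook": None},
    {"contentType": "Audit.SharePoint", "status": "enabled", "webhook": None},
    {"contentType": "Audit.AzureActiveDirectory", "status": "enabled", "webhook": None},
    {"contentType": "DLP.All", "status": "disabled", "webhook": None},
]
SAMPLE_RECORDS = [
    {"RecordType": 13, "Workload": "Exchange", "Operation": "DlpRuleMatch", "UserId": "alice@example.test"},
    {"RecordType": 6, "Workload": "SharePoint", "Operation": "FileAccessed", "UserId": "bob@example.test"},
    {"RecordType": 11, "Workload": "SharePoint", "Operation": "DlpRuleMatch", "UserId": "carol@example.test"},
]


def fake_http(method, url, body=None, headers=None):
    """Offline stand-in for _urllib_request (hypothetical responses)."""
    if "/subscriptions/list" in url:
        return SAMPLE_SUBSCRIPTIONS
    if "/subscriptions/start" in url:
        ct = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["contentType"][0]
        return {"contentType": ct, "status": "enabled", "webhook": None}
    return {"access_token": "fake-token"}


def reconcile(tenant_id, token, http=_urllib_request):
    """Start every wanted content type that is not already enabled; return what was started."""
    missing = missing_content_types(list_subscriptions(tenant_id, token, http))
    return start_subscriptions(tenant_id, token, missing, http)


if __name__ == "__main__":
    tok = get_token("00000000-0000-0000-0000-000000000000", "app-id", "secret", http=fake_http)
    print("started:", reconcile("00000000-0000-0000-0000-000000000000", tok, http=fake_http))
    print("DLP records:", [r["UserId"] for r in dlp_records(SAMPLE_RECORDS)])
```

Run it against a real tenant by dropping the `http=fake_http` arguments; the app registration needs the ActivityFeed.Read (and, for DLP.All, ActivityFeed.ReadDlp) application permission on the Office 365 Management APIs, and a subscription that shows as disabled here will explain an empty `ms:o365:management` index just as well as an add-on that does not yet support the content type.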