All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I get Azure Sign-In data into Splunk?

rkantamaneni_sp
Splunk Employee
Splunk Employee
‎05-10-2019 09:19 AM

I'm using the Splunk Add-On for Microsoft Cloud Services, and after properly configuring it, I am unable to see the Azure Sign-In Audit Data. Am I doing something wrong or how do I see that data?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rkantamaneni_sp
Splunk Employee
Splunk Employee
‎05-10-2019 09:25 AM

All sign-in data comes from Microsoft Azure AD, but there are a few main types (with respect to entry points/schema):

1.) Azure Application Data
2.) Azure User Account Sign-Ins (this is separate from the Audit data)
3.) Office 365 Management – Sign-Ins

What Splunk currently officially supports is number 3, O365 Management Sign-Ins, which was part of the Splunk MSCS Add-On until it was separated into the separate Splunk O365 Add-On (https://splunkbase.splunk.com/app/4055/). So technically, at one point, MSCS was supporting "Sign-In" data, but it pertained to O365, not Azure. Splunk plans to officially support the other sign-in data sources at a later date (active work in progress), but as of now, it is not supported. An enhancement request was created, ADDON-21972. If you'd like to follow this, please contact Splunk Support with a message stating you wish to be added to the Enhancement Request ADDON-21972 and reach out to your Splunk account team for status updates. In the mean time, there are unsupported ways to get that data into Splunk explained below.

The Azure Audit sign-in data sources for 1 and 2 above (currently not supported by the Splunk MSCS Add-On) can be obtained using apps created by Splunk Works/the community. There are two ways to get that sign-in data using those published Add-Ons:

a.) Using the Azure AD reporting add-on -> https://splunkbase.splunk.com/app/3757/

b.) Sending the Azure AD logs to an Event Hub and using the Azure monitor add-on -> https://splunkbase.splunk.com/app/3534/

https://www.splunk.com/blog/2018/04/20/splunking-microsoft-azure-monitor-data-part-1-azure-setup.htm...

https://www.splunk.com/blog/2018/05/07/splunking-microsoft-azure-monitor-data-part-2-splunk-setup.ht...

https://splunkbase.splunk.com/app/4343/#/details

Separately, it may be possible to just download the data directly with a script and ingest it into Splunk as a log appropriately. An example of a download script can be found here: https://gallery.technet.microsoft.com/scriptcenter/Pull-Azure-AD-Sign-In-3fead683

View solution in original post

Reply
Solved! Jump to solution
Solution

rkantamaneni_sp
Splunk Employee
Splunk Employee
‎05-10-2019 09:25 AM

All sign-in data comes from Microsoft Azure AD, but there are a few main types (with respect to entry points/schema):

1.) Azure Application Data
2.) Azure User Account Sign-Ins (this is separate from the Audit data)
3.) Office 365 Management – Sign-Ins

What Splunk currently officially supports is number 3, O365 Management Sign-Ins, which was part of the Splunk MSCS Add-On until it was separated into the separate Splunk O365 Add-On (https://splunkbase.splunk.com/app/4055/). So technically, at one point, MSCS was supporting "Sign-In" data, but it pertained to O365, not Azure. Splunk plans to officially support the other sign-in data sources at a later date (active work in progress), but as of now, it is not supported. An enhancement request was created, ADDON-21972. If you'd like to follow this, please contact Splunk Support with a message stating you wish to be added to the Enhancement Request ADDON-21972 and reach out to your Splunk account team for status updates. In the mean time, there are unsupported ways to get that data into Splunk explained below.

The Azure Audit sign-in data sources for 1 and 2 above (currently not supported by the Splunk MSCS Add-On) can be obtained using apps created by Splunk Works/the community. There are two ways to get that sign-in data using those published Add-Ons:

a.) Using the Azure AD reporting add-on -> https://splunkbase.splunk.com/app/3757/

b.) Sending the Azure AD logs to an Event Hub and using the Azure monitor add-on -> https://splunkbase.splunk.com/app/3534/

https://www.splunk.com/blog/2018/04/20/splunking-microsoft-azure-monitor-data-part-1-azure-setup.htm...

https://www.splunk.com/blog/2018/05/07/splunking-microsoft-azure-monitor-data-part-2-splunk-setup.ht...

https://splunkbase.splunk.com/app/4343/#/details

Separately, it may be possible to just download the data directly with a script and ingest it into Splunk as a log appropriately. An example of a download script can be found here: https://gallery.technet.microsoft.com/scriptcenter/Pull-Azure-AD-Sign-In-3fead683

Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...