Hello,
We have the Splunk Add-on for Microsoft Cloud Services installed on a HWF and we are pulling through the following events:
Service Status
Operational Message
Exchange Online Audit
SharePoint Online Audit
Azure AD Audit
We don't seem to be getting any DLP (security & compliance) events or anything from audit.general either. Does anyone know what the issue might be?
Thanks
Double check to see if your O365 tenant has DLP policies enabled, at least for testing/monitor only, and that the DLP policy items show up under:
sourcetype=ms:o365:management
user=DlpAgent
Audit.general is not supported yet. We've submitted an enhancement request for it, and I've been told that they hope to have it available around .conf... so... hopefully soon.
v2.1.0 in https://splunkbase.splunk.com/app/3110/ supports it supposedly. I updated the app, and in the MS app -> Inputs > edit your O365 API input > click on the blank data field and Audit/General shows up to choose > click on it. Save. Wait. I'm keeping my fingers crossed...
Were you able to solve this problem? We submitted a product enhancement request that isn't supposed to be done until mid October and are looking for a quick solution to get it working.
We haven't been able to resolve the problem yet; it looks like it's not supported on the add-on. We're looking to try and implement it using the separate REST API Modular add-on https://splunkbase.splunk.com/app/1546/#/details
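Whichever add-on ends up doing the collection, the first thing to rule out when DLP or Audit.General events are missing is that the tenant simply has no active subscription for those content types in the Office 365 Management Activity API. The script below is an added example for this thread (not code from the Splunk Add-on for Microsoft Cloud Services, the REST API Modular Input, or anyone posting here). It assumes the documented Management Activity API subscription endpoints (`subscriptions/list` and `subscriptions/start?contentType=...`) and their response shape; the tenant id, bearer token and the sample list response are constructed placeholders.

```python
"""Check which Management Activity API content types a tenant is subscribed to.

Added example for this thread; not the Splunk add-on's own code. Assumes the
Office 365 Management Activity API subscription endpoints. TENANT_ID and the
bearer token are placeholders, and SAMPLE_SUBSCRIPTION_LIST is constructed.
"""
import json
import urllib.request
from typing import Iterable, List

API_BASE = "https://manage.office.com/api/v1.0"

# Content types the Management Activity API exposes. DLP policy events come
# from DLP.All; Audit.General carries the workloads not covered by the three
# workload-specific audit feeds.
EXPECTED_CONTENT_TYPES = (
    "Audit.AzureActiveDirectory",
    "Audit.Exchange",
    "Audit.SharePoint",
    "Audit.General",
    "DLP.All",
)

# Constructed sample of a subscriptions/list response for a tenant that has
# only the three workload audits started: exactly the situation in the thread.
SAMPLE_SUBSCRIPTION_LIST = json.dumps([
    {"contentType": "Audit.AzureActiveDirectory", "status": "enabled", "webhook": None},
    {"contentType": "Audit.Exchange", "status": "enabled", "webhook": None},
    {"contentType": "Audit.SharePoint", "status": "enabled", "webhook": None},
])


def subscription_url(tenant_id: str, action: str, content_type: str = "") -> str:
    """Build the subscriptions endpoint URL for 'list', 'start' or 'stop'."""
    url = f"{API_BASE}/{tenant_id}/activity/feed/subscriptions/{action}"
    if content_type:
        url += f"?contentType={content_type}"
    return url


def missing_content_types(subscription_list_json: str,
                          expected: Iterable[str] = EXPECTED_CONTENT_TYPES) -> List[str]:
    """Return the expected content types that are not reported as 'enabled'.

    Comparison is case-insensitive: the API accepts content type names in any
    case but echoes back its own canonical spelling.
    """
    subs = json.loads(subscription_list_json)
    enabled = {
        s["contentType"].lower()
        for s in subs
        if str(s.get("status", "")).lower() == "enabled"
    }
    return [ct for ct in expected if ct.lower() not in enabled]


def fetch_subscription_list(tenant_id: str, bearer_token: str) -> str:
    """GET the live subscription list (needs network and a valid token)."""
    req = urllib.request.Request(
        subscription_url(tenant_id, "list"),
        headers={"Authorization": f"Bearer {bearer_token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def start_subscription(tenant_id: str, bearer_token: str, content_type: str) -> str:
    """POST subscriptions/start for one content type; returns the API's reply."""
    req = urllib.request.Request(
        subscription_url(tenant_id, "start", content_type),
        method="POST",
        headers={"Authorization": f"Bearer {bearer_token}", "Content-Length": "0"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in
    # fetch_subscription_list("<tenant-id>", "<token>") for a live tenant.
    gaps = missing_content_types(SAMPLE_SUBSCRIPTION_LIST)
    for ct in gaps:
        print(f"not subscribed: {ct}  (start with {subscription_url('<tenant-id>', 'start', ct)})")
    if not gaps:
        print("all expected content types are enabled")
```

If `DLP.All` or `Audit.General` shows up in the gaps, no collector will see those records regardless of which add-on is configured; start the subscription first, then confirm the `ms:o365:management` events with `user=DlpAgent` appear. Note that a freshly started subscription only returns content generated after it was started, so allow some time before concluding the input is still broken.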