Splunk Add-on for Microsoft Cloud Services: How do...

alexlomas · ‎03-20-2017

We have the Splunk Add-on for Microsoft Cloud Services up and running fine but we don't seem to have any events for the SecurityComplianceCenter workload. These should be available according to https://msdn.microsoft.com/en-us/office-365/office-365-management-activity-api-schema

The 365 input is configured with:

Data: Service Status/3600,Operational Message/3600,Exchange Online Audit/3600,Sharepoint Online Audit/3600,Azure AD Audit/3600

So I guess that might be the reason.

Has anyone got SecurityComplianceCenter events and if so, what does your inputs data stanza look like?

Thanks!

alexlomas · ‎03-24-2017

Splunk support have confirmed this is coming in a future version of the add on.

Bloodnite · ‎01-24-2018

any updates on this?

cmeerbeek · ‎03-24-2017

OK thanks for posting! Good to know.

cmeerbeek · ‎03-20-2017

Got any _internal logging that point to a possible problem?

If SecurityComplianceCenter doesn't show up in the inputs config it might be that your azure app is not setup correctly.

hrottenberg_spl · ‎05-23-2017

All of the sourcetypes supported are listed in a table here: http://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/About. Once the Compliance center logs are added, it should be listed there.

alexlomas · ‎03-20-2017

There's nothing obviously wrong in _internal for sourcetype="ms:o365:jobinsight:account".

The Azure app permissions look correct - everything is checked except DLP.

Splunk Add-on for Microsoft Cloud Services: How do configure inputs.conf to have Security and Compliance Center events show?