Splunk add-on for Microsoft Cloud Service v2.1.0 - Not seeing mscs:azure:audit sourcetype

joelim
Explorer

Hi all,

I am currently having issues determining whether or not I am ingesting mscs:azure:audit sourcetype.

We were ingesting mscs:azure:audit prior to upgrading from v2.0.3 to v2.1.0 and now we are not. However, we are ingesting ms:o365:management.

We are running on Splunk Enterprise v6.5.3.1

I know the version that we are running is old but we have several dependencies that we need to test out before moving to version 3.0.0.

Edit: The following parameters are already configured: Modular inputs, O365 account, Azure app account, Azure storage account, proxy and certificate.

Any help would be appreciated as I am currently clutching at straws.

1 Solution

joelim
Explorer

Spoke to Splunk support; looks like there is a bug.

Workaround is documented here:

https://answers.splunk.com/answers/694725/splunk-add-on-for-microsoft-cloud-service-showing.html?chi...


deepashri_123
Motivator

Hey @joelim,

I think you need to configure Modular input for audit logs.
You can refer to these logs:
https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Configureinputs2

Let me know if this helps!!


joelim
Explorer

@deepashri_123
Yes, I have configured the modular inputs via the app's GUI. I have also tried removing and re-creating each input but still no joy.

Other parameters configured: Inputs, Azure account and Azure storage account.
