Hi Team,
We have recently configured and ingested the Azure Active Directory logs into Splunk. To do this we installed the "Splunk Add-on for Microsoft Office 365" on our Heavy Forwarder server and followed the documentation process below.
https://blog.avotrix.com/to-collect-ad-azure-logs-to-splunk/
In the add-on we provided the tenant details, i.e. Tenant ID and Client ID, after which I created the input (Inputs --> Add Input --> "Management Activity"), provided the requested details and saved it.
The logs then started getting ingested into Splunk as desired, and we are getting the relevant fields with the required data as well.
But one important field is missing: "Application Name". We want the Application Name field, i.e. the application the user logged on to, as it would be really helpful for analysis. The field is available in Azure AD but not in the logs ingested into Splunk.
We can see the fields below are getting extracted, but not the "Application Name" field; moreover, the field is not present in the raw logs either. So how can we get that field ingested into Splunk as well?
Sample list of fields which are getting extracted automatically:
ActorContextId
ActorIpAddress
Actor{}.ID
Actor{}.Type
ApplicationId
AzureActiveDirectoryEventType
ClientIP
CreationTime
DeviceProperties{}.Name
DeviceProperties{}.Value
ErrorNumber
ExtendedProperties{}.Name
ExtendedProperties{}.Value
Id
InterSystemsId
IntraSystemId
LogonError
ModifiedProperties{}.Name
ModifiedProperties{}.NewValue
ModifiedProperties{}.OldValue
ObjectId
Operation
So kindly help check how to extract the Application Name field.
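Added example, not part of the original post and not code from the Splunk add-on. The field list above shows that the Management Activity events do carry ApplicationId, so one way to get a name into Splunk without changing the input is search-time enrichment: build a lookup of application ID to display name (the Microsoft Graph servicePrincipals endpoint returns appId and displayName per service principal, which is the source assumed here) and join it to the events on ApplicationId. The sample events and the Graph-style response below are constructed for illustration; the application IDs and names in them are illustrative, and the "UNKNOWN_APP" tag for IDs that do not resolve is this example's own convention.

```python
"""
Enrich Office 365 Management Activity AzureActiveDirectory events with an
application display name.  The events carry ApplicationId but no name, so
the name is resolved from an appId -> displayName lookup (assumed to come
from Microsoft Graph /servicePrincipals?$select=appId,displayName) and the
same mapping is written out as a Splunk lookup CSV.
"""
import csv
import io
import json

# Constructed sample: two Management Activity events in the shape the add-on
# ingests.  Values are illustrative, not captured from a real tenant.
SAMPLE_EVENTS = [
    json.dumps({
        "CreationTime": "2023-04-11T09:12:33",
        "Operation": "UserLoggedIn",
        "ApplicationId": "00000003-0000-0000-c000-000000000000",
        "UserId": "alice@contoso.example",
        "ClientIP": "203.0.113.10",
    }),
    json.dumps({
        "CreationTime": "2023-04-11T09:13:01",
        "Operation": "UserLoginFailed",
        "ApplicationId": "11111111-2222-3333-4444-555555555555",
        "UserId": "bob@contoso.example",
        "ClientIP": "198.51.100.7",
        "LogonError": "InvalidUserNameOrPassword",
    }),
]

# Constructed sample: one page of a Graph servicePrincipals response.
SAMPLE_GRAPH_RESPONSE = json.dumps({
    "value": [
        {"appId": "00000003-0000-0000-c000-000000000000", "displayName": "Microsoft Graph"},
        {"appId": "66666666-7777-8888-9999-000000000000", "displayName": "Contoso HR Portal"},
    ]
})


def build_app_lookup(graph_pages):
    """Map appId -> displayName from one or more Graph response pages.
    Each page is a response body (JSON string or dict).  A real caller is
    expected to follow @odata.nextLink and pass every page in.  IDs are
    lower-cased so matching never depends on GUID case."""
    lookup = {}
    for page in graph_pages:
        body = json.loads(page) if isinstance(page, str) else page
        for sp in body.get("value", []):
            app_id = sp.get("appId")
            if app_id:
                lookup[app_id.lower()] = sp.get("displayName") or ""
    return lookup


def enrich_event(raw_event, lookup, unknown="UNKNOWN_APP"):
    """Parse one raw JSON event and add ApplicationName.
    An ApplicationId that does not resolve (for example an app with no
    service principal in this tenant) is tagged rather than left blank,
    so those events stay easy to find in a search."""
    event = json.loads(raw_event)
    app_id = (event.get("ApplicationId") or "").lower()
    event["ApplicationName"] = lookup.get(app_id, unknown) if app_id else ""
    return event


def enrich_all(raw_events, graph_pages):
    """Enrich a batch of raw events against a lookup built from graph_pages."""
    lookup = build_app_lookup(graph_pages)
    return [enrich_event(e, lookup) for e in raw_events]


def lookup_to_csv(lookup):
    """Serialise the mapping as a Splunk lookup table
    (header: ApplicationId,ApplicationName)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["ApplicationId", "ApplicationName"])
    for app_id, name in sorted(lookup.items()):
        writer.writerow([app_id, name])
    return buf.getvalue()


if __name__ == "__main__":
    table = build_app_lookup([SAMPLE_GRAPH_RESPONSE])
    print(lookup_to_csv(table))
    for ev in enrich_all(SAMPLE_EVENTS, [SAMPLE_GRAPH_RESPONSE]):
        print(ev["CreationTime"], ev["Operation"], ev["ApplicationId"], "->", ev["ApplicationName"])
```

The CSV can be uploaded as a lookup table file (for instance as app_names.csv with a matching lookup definition) and joined at search time with `| lookup app_names ApplicationId OUTPUT ApplicationName`, or made automatic for the sourcetype so the field appears without an explicit command. Since Splunk lookup matching is case-sensitive by default, normalise the GUID case on both sides (the script lower-cases its side) or set the lookup definition to match case-insensitively.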
I am so sorry no one has replied to this post. I have the EXACT same issue. Did you end up finding a solution to this? I would be interested in pursuing that. Thank you.
-Steve