https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Cloud-Services-How-to-index-Azure/m-p/259574#M29902 <P>do it via API: <A href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-guide">https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-guide</A> all signin data should be pulled</P> Fri, 10 Feb 2017 21:48:02 GMT dstefan 2017-02-10T21:48:02Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Cloud-Services-How-to-index-Azure/m-p/259567#M29895 <P>Hi -</P> <P>We have the Splunk Add-on for Microsoft Cloud Services installed and are currently collecting Azure "Activity Logs" into Splunk.</P> <P>However, we'd also like to capture the Azure (portal.azure.com) -&gt; Azure Active Directory -&gt; "Sign-Ins" data into Splunk. </P> <P>Can anyone advise as how to achieve this?</P> <P>Many thanks,<BR /> Tom</P> Thu, 01 Dec 2016 14:15:09 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Cloud-Services-How-to-index-Azure/m-p/259567#M29895 djukicm 2016-12-01T14:15:09Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Cloud-Services-How-to-index-Azure/m-p/259568#M29896 <P>All authentication can be ingested using the O365 Management Activity input. You just need to select the Azure Authentication from that input. This is technically ingesting all Azure authentication beyong O365 apps. <BR /> You can use the Azure audit input for Azure portal audit related. </P> Thu, 01 Dec 2016 17:59:25 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Cloud-Services-How-to-index-Azure/m-p/259568#M29896 ehaddad_splunk 2016-12-01T17:59:25Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Cloud-Services-How-to-index-Azure/m-p/259569#M29897 <P>I am using this add-on and was able to get logs from table and blob storage to Splunk.<BR /> But even after configuring the AD application details and audit input, Activity logs are not getting indexed in Splunk.<BR /> I have the requirement of Active directory Audit and Sign in logs to be indexed. Can you please help me on this?<BR /> 1) Indexing Azure activity logs<BR /> 2) Indexing Azure AD audit and Sign in logs.</P> Wed, 14 Dec 2016 22:06:48 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Cloud-Services-How-to-index-Azure/m-p/259569#M29897 arunkabrahamdnb 2016-12-14T22:06:48Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Cloud-Services-How-to-index-Azure/m-p/259570#M29898 <P>I am using this add-on and was able to get logs from table and blob storage to Splunk.<BR /> But even after configuring the AD application details and audit input, Activity logs are not getting indexed in Splunk.<BR /> I have the requirement of Active directory Audit and Sign in logs to be indexed. Can you please help me on this?<BR /> 1) Indexing Azure activity logs<BR /> 2) Indexing Azure AD audit and Sign in logs.</P> Wed, 14 Dec 2016 22:07:02 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Cloud-Services-How-to-index-Azure/m-p/259570#M29898 arunkabrahamdnb 2016-12-14T22:07:02Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Cloud-Services-How-to-index-Azure/m-p/259571#M29899 <P>What errors are you getting in index=_internal? <BR /> I would suggest to file a support ticket and upload diag on that ticket for us to get a closer look. Hard to tell what the problem is without the log files.</P> Wed, 14 Dec 2016 23:44:02 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Cloud-Services-How-to-index-Azure/m-p/259571#M29899 ehaddad_splunk 2016-12-14T23:44:02Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Cloud-Services-How-to-index-Azure/m-p/259572#M29900 <P>Copied the logs for a short period. Can this help?</P> <PRE><CODE>12/15/16 3:31:54.878 PM 12-15-2016 15:31:54.878 +0000 WARN FieldAliaser - Invalid field alias specification in stanza 'ri:pas:application': FIELDALIAS-event_id='event_id AS event_id' host = prd-p-59vhkzlq9h5s source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd 12/15/16 3:31:19.941 PM 12-15-2016 15:31:19.941 +0000 WARN SearchOperator:kv - IndexOutOfBounds invalid The FORMAT capturing group id: id=3, transform_name='error_info' host = prd-p-59vhkzlq9h5s source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd 12/15/16 3:31:19.888 PM 12-15-2016 15:31:19.888 +0000 WARN SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='mscs_counter_name' host = prd-p-59vhkzlq9h5s source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd 12/15/16 3:31:19.833 PM 12-15-2016 15:31:19.833 +0000 WARN FieldAliaser - Invalid field alias specification in stanza 'ri:pas:application': FIELDALIAS-event_id='event_id AS event_id' host = prd-p-59vhkzlq9h5s source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd 12/15/16 3:31:02.341 PM 12-15-2016 15:31:02.341 +0000 WARN SearchOperator:kv - IndexOutOfBounds invalid The FORMAT capturing group id: id=3, transform_name='error_info' host = prd-p-59vhkzlq9h5s source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd 12/15/16 3:31:02.227 PM 12-15-2016 15:31:02.227 +0000 WARN SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='mscs_counter_name' host = prd-p-59vhkzlq9h5s source = /opt/splunk/var/log/splunk/splunkd.log sourcetype = splunkd 12/15/16 3:31:02.103 PM 12-15-2016 15:31:02.103 +0000 WARN FieldAliaser - Invalid field alias specification in stanza 'ri:pas:application': FIELDALIAS-event_id='event_id AS event_id' </CODE></PRE> Thu, 15 Dec 2016 15:35:58 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Cloud-Services-How-to-index-Azure/m-p/259572#M29900 arunkabrahamdnb 2016-12-15T15:35:58Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Cloud-Services-How-to-index-Azure/m-p/259573#M29901 <P>Thanks ehaddad - when I attempt to link our Office365 account I get the following error when signing in:</P> <P>"Sorry, but we're having trouble signing you in. We received a bad request"</P> <P>and</P> <P>"Resource '<A href="https://manage.office.com">https://manage.office.com</A>' is disabled" </P> <P>Any further ideas on this?</P> Fri, 16 Dec 2016 17:07:16 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Cloud-Services-How-to-index-Azure/m-p/259573#M29901 djukicm 2016-12-16T17:07:16Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Cloud-Services-How-to-index-Azure/m-p/259574#M29902 <P>do it via API: <A href="https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-guide">https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-guide</A> all signin data should be pulled</P> Fri, 10 Feb 2017 21:48:02 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Add-on-for-Microsoft-Cloud-Services-How-to-index-Azure/m-p/259574#M29902 dstefan 2017-02-10T21:48:02Z