https://community.splunk.com/t5/All-Apps-and-Add-ons/Azure-Monitor-Active-Directory-via-Event-Hub/m-p/426979#M52232 <P>Yes. Here's how:</P> <OL> <LI>Install the Azure Monitor Add-on <A href="https://github.com/Microsoft/AzureMonitorAddonForSplunk/wiki">https://github.com/Microsoft/AzureMonitorAddonForSplunk/wiki</A> (don't forget to get the node.js and Python dependencies)</LI> <LI>Setup all your Azure stuff (Event Hubs, Azure AD applications, Key Vault, SPNs) <UL> <LI>Easy way = run a script -&gt; <A href="https://github.com/microsoft/AzureMonitorAddonForSplunk/tree/master/scripts">https://github.com/microsoft/AzureMonitorAddonForSplunk/tree/master/scripts</A></LI> <LI>Manual way = <A href="https://www.splunk.com/blog/2018/04/20/splunking-microsoft-azure-monitor-data-part-1-azure-setup.html">https://www.splunk.com/blog/2018/04/20/splunking-microsoft-azure-monitor-data-part-1-azure-setup.html</A></LI> </UL></LI> <LI>Send your Azure AD sign-in and audit logs to an Event Hub</LI> <LI>Modify your hubs.json file in the add-on -&gt; <A href="https://github.com/microsoft/AzureMonitorAddonForSplunk/wiki/Configuration-of-Splunk#hubsjson">https://github.com/microsoft/AzureMonitorAddonForSplunk/wiki/Configuration-of-Splunk#hubsjson</A> <UL> <LI>Basically, after you enable the Azure AD logs going to an event hub, check the event hubs in the Azure portal for the name of the actual hub(s). It will be something like <CODE>insights-logs-signinlogs</CODE> and <CODE>insights-logs-auditlogs</CODE></LI> </UL></LI> <LI>Setup and Azure Monitor Diagnostic Logs input on the Splunk instance where you installed the Azure Monitor add-on</LI> <LI>Done</LI> </OL> Mon, 17 Jun 2019 16:37:52 GMT jconger 2019-06-17T16:37:52Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Azure-Monitor-Active-Directory-via-Event-Hub/m-p/426978#M52231 <P>Hi All,</P> <P>Anyone successful able to pull the logs (Sign-in and Audit logs) of Active Directory via Azure Event Hub. If yes which method you follow.</P> <P>Any other recommendation method. Thanks in advance </P> Mon, 17 Jun 2019 03:57:41 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Azure-Monitor-Active-Directory-via-Event-Hub/m-p/426978#M52231 sumitkathpal292 2019-06-17T03:57:41Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Azure-Monitor-Active-Directory-via-Event-Hub/m-p/426979#M52232 <P>Yes. Here's how:</P> <OL> <LI>Install the Azure Monitor Add-on <A href="https://github.com/Microsoft/AzureMonitorAddonForSplunk/wiki">https://github.com/Microsoft/AzureMonitorAddonForSplunk/wiki</A> (don't forget to get the node.js and Python dependencies)</LI> <LI>Setup all your Azure stuff (Event Hubs, Azure AD applications, Key Vault, SPNs) <UL> <LI>Easy way = run a script -&gt; <A href="https://github.com/microsoft/AzureMonitorAddonForSplunk/tree/master/scripts">https://github.com/microsoft/AzureMonitorAddonForSplunk/tree/master/scripts</A></LI> <LI>Manual way = <A href="https://www.splunk.com/blog/2018/04/20/splunking-microsoft-azure-monitor-data-part-1-azure-setup.html">https://www.splunk.com/blog/2018/04/20/splunking-microsoft-azure-monitor-data-part-1-azure-setup.html</A></LI> </UL></LI> <LI>Send your Azure AD sign-in and audit logs to an Event Hub</LI> <LI>Modify your hubs.json file in the add-on -&gt; <A href="https://github.com/microsoft/AzureMonitorAddonForSplunk/wiki/Configuration-of-Splunk#hubsjson">https://github.com/microsoft/AzureMonitorAddonForSplunk/wiki/Configuration-of-Splunk#hubsjson</A> <UL> <LI>Basically, after you enable the Azure AD logs going to an event hub, check the event hubs in the Azure portal for the name of the actual hub(s). It will be something like <CODE>insights-logs-signinlogs</CODE> and <CODE>insights-logs-auditlogs</CODE></LI> </UL></LI> <LI>Setup and Azure Monitor Diagnostic Logs input on the Splunk instance where you installed the Azure Monitor add-on</LI> <LI>Done</LI> </OL> Mon, 17 Jun 2019 16:37:52 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Azure-Monitor-Active-Directory-via-Event-Hub/m-p/426979#M52232 jconger 2019-06-17T16:37:52Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Azure-Monitor-Active-Directory-via-Event-Hub/m-p/426980#M52233 <P>Thanks @jconger it worked.</P> <P>Can we define sourcetype for sign and audit logs as currently sourcetype is defined which is amdl:diagnosticLogs.</P> Mon, 17 Jun 2019 23:45:19 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Azure-Monitor-Active-Directory-via-Event-Hub/m-p/426980#M52233 sumitkathpal292 2019-06-17T23:45:19Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Azure-Monitor-Active-Directory-via-Event-Hub/m-p/426981#M52234 <P>Yes - modify logCategories.json</P> <P><A href="https://github.com/microsoft/AzureMonitorAddonForSplunk/wiki/Configuration-of-Splunk#logcategoriesjson">https://github.com/microsoft/AzureMonitorAddonForSplunk/wiki/Configuration-of-Splunk#logcategoriesjson</A></P> Mon, 17 Jun 2019 23:55:59 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Azure-Monitor-Active-Directory-via-Event-Hub/m-p/426981#M52234 jconger 2019-06-17T23:55:59Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Azure-Monitor-Active-Directory-via-Event-Hub/m-p/426982#M52235 <P>Thanks for quick reply @jconger , you mean i need to update "MICROSOFT.AADIAM/AUDIT" OR "MICROSOFT.AADIAM/SIGNIN" with ?</P> <P>"MICROSOFT.AADIAM/AUDIT": "amdl:aadal:audit", <BR /> "MICROSOFT.AADIAM/SIGNIN": "amdl:aadal:signin"</P> Tue, 18 Jun 2019 00:33:23 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Azure-Monitor-Active-Directory-via-Event-Hub/m-p/426982#M52235 sumitkathpal292 2019-06-18T00:33:23Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Azure-Monitor-Active-Directory-via-Event-Hub/m-p/426983#M52236 <P>@jconger did u got change to have a look ?</P> Mon, 24 Jun 2019 03:27:23 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Azure-Monitor-Active-Directory-via-Event-Hub/m-p/426983#M52236 sumitkathpal292 2019-06-24T03:27:23Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Azure-Monitor-Active-Directory-via-Event-Hub/m-p/426984#M52237 <P>@jconger please help.</P> Wed, 31 Jul 2019 05:13:05 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Azure-Monitor-Active-Directory-via-Event-Hub/m-p/426984#M52237 sumitkathpal 2019-07-31T05:13:05Z