In Azure AD, there is a new field in the sign-in logs called "client app" that allows you to see whether the sign-in was initiated by a browser, a mobile/desktop app, or a basic auth client (other clients).
Any possibility this information can be pulled down in the next release?
A new version of the app was uploaded that uses Microsoft Graph -> https://splunkbase.splunk.com/app/3757/
This will retrieve the clientAppUsed field requested. Note that this add-on requires different permissions since a different API is used under the hood.
The Azure AD Application Registration needs to be in the Security Reader role for the subscription(s).
Do the Azure AD inputs (audit and signins) require a subscription even if the logs don't go through the Event Hub resource?
So far we've configured an App Registration with the recommended permissions (application type) assigned, and our tenant doesn't have any subscriptions or other resources. It's barebones with Azure AD only.
When we configured the inputs using the Azure Add-on for Splunk, we tried 3 inputs:
1) Users
2) audit
3) signin
However, only the Users input worked; the other inputs are getting a 403 error.
Would you happen to know why? Maybe the other inputs require a subscription in place?
Azure AD exists above subscriptions. So, "no" you don't need a subscription to get Azure AD logs.
To get Azure AD logs via the Splunk add-on, you will need to grant your Azure AD app registration the AuditLog.Read.All permission. Additionally, you will need at least a P1 version of Azure AD to get sign-in logs.
Refer to this spreadsheet for necessary permissions => http://bit.ly/Splunk_Azure_Permissions
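The two points raised in this thread, the clientAppUsed field returned by Microsoft Graph and the 403 you get when the app registration lacks AuditLog.Read.All or the tenant has no Azure AD P1 licence, can be seen together in the following added example. It is not code from the add-on or from anyone in this thread; the records in SAMPLE_RESPONSE and the error body in SAMPLE_403_BODY are constructed, the Graph endpoint path and the clientAppUsed property are the real ones, and the 403 interpretation is a heuristic written for this example rather than an official mapping.

```python
"""Summarise Azure AD sign-in records by clientAppUsed and interpret a Graph 403.

Added example, not part of the Splunk add-on or the thread. The sample data
below is constructed; the endpoint and property names are Microsoft Graph's.
"""
import json
from collections import Counter

GRAPH_SIGNINS_URL = "https://graph.microsoft.com/v1.0/auditLogs/signIns"

# clientAppUsed values that denote legacy (basic) authentication protocols.
# These are the "other clients" bucket of the question and matter to defenders
# because legacy protocols cannot enforce MFA or Conditional Access.
LEGACY_CLIENT_APPS = {
    "Other clients", "Exchange ActiveSync", "IMAP4", "POP3", "SMTP",
    "Authenticated SMTP", "Exchange Web Services", "MAPI Over HTTP",
    "Exchange Online PowerShell", "Offline Address Book",
}

# Constructed sample of a signIns page, trimmed to the fields used here.
SAMPLE_RESPONSE = json.dumps({
    "@odata.nextLink": GRAPH_SIGNINS_URL + "?$skiptoken=CONSTRUCTED-TOKEN",
    "value": [
        {"id": "c1", "userPrincipalName": "alice@example.com",
         "clientAppUsed": "Browser", "status": {"errorCode": 0}},
        {"id": "c2", "userPrincipalName": "bob@example.com",
         "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}},
        {"id": "c3", "userPrincipalName": "carol@example.com",
         "clientAppUsed": "Other clients", "status": {"errorCode": 0}},
        {"id": "c4", "userPrincipalName": "dave@example.com",
         "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 50126}},
        {"id": "c5", "userPrincipalName": "alice@example.com",
         "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    ],
})

# Constructed 403 body in the shape Graph uses for a missing permission.
SAMPLE_403_BODY = json.dumps({
    "error": {"code": "Authorization_RequestDenied",
              "message": "Insufficient privileges to complete the operation."}
})


def build_request(bearer_token, top=100):
    """Return the URL, headers and query parameters for the first page of
    sign-ins. Nothing is sent here; the caller obtains the token with the
    client-credentials flow for the app registration and performs the GET."""
    return {
        "url": GRAPH_SIGNINS_URL,
        "headers": {"Authorization": f"Bearer {bearer_token}"},
        "params": {"$top": top},
    }


def parse_signins(response_text):
    """Split one page of the collection into its records and the paging link."""
    page = json.loads(response_text)
    return page.get("value", []), page.get("@odata.nextLink")


def count_by_client_app(records):
    """Distribution of the field the question asked for."""
    return Counter(r.get("clientAppUsed", "<missing>") for r in records)


def successful_legacy_auth(records):
    """Successful sign-ins that arrived through a legacy protocol: the rows a
    detection rule would alert on. Failed attempts (non-zero errorCode) are
    excluded so the list reflects actual access, not noise."""
    return [
        (r["userPrincipalName"], r["clientAppUsed"])
        for r in records
        if r.get("clientAppUsed") in LEGACY_CLIENT_APPS
        and r.get("status", {}).get("errorCode") == 0
    ]


def explain_http_error(status_code, body_text):
    """Map a Graph error to the two causes of a 403 discussed in the thread.
    Heuristic written for this example, not an official error table."""
    if status_code == 403:
        try:
            err = json.loads(body_text).get("error", {})
        except ValueError:
            err = {}
        text = (err.get("code", "") + " " + err.get("message", "")).lower()
        if "premium" in text or "license" in text:
            return "403: sign-in logs need an Azure AD P1 (or higher) licence on the tenant"
        return ("403: app registration lacks the AuditLog.Read.All application "
                "permission, or admin consent for it was never granted")
    if status_code == 401:
        return "401: bearer token missing, expired, or issued for another resource"
    return f"{status_code}: unexpected response"


if __name__ == "__main__":
    records, next_link = parse_signins(SAMPLE_RESPONSE)
    print(count_by_client_app(records))
    print(successful_legacy_auth(records))
    print("more pages" if next_link else "last page")
    print(explain_http_error(403, SAMPLE_403_BODY))
```

The point of successful_legacy_auth is that clientAppUsed is more than a reporting column: once the add-on delivers it, a scheduled search over "Other clients" (or any of the legacy protocol names) with errorCode 0 is a cheap way to find accounts still signing in without MFA enforcement.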
I did follow that when assigning permissions to the Azure AD app registration.
Good call on the AAD P1 license. Let me check on the AAD license!
Awesome job and response! A ton more data that we can utilize for reporting and alerting - THANKS!!
Azure Active Directory data is available via REST APIs or Event Hubs. The Microsoft Azure Active Directory Reporting Add-on for Splunk uses the REST API. The REST API used in the add-on would need to be updated to get the new data since it is version-specific.
If you want to get the data today, you can configure the AAD logs to go to an Event Hub. Once on the hub, you have 3 ways to get it into Splunk:
If you want to set up the Azure Monitor add-on, here are some pointers:
Is there a mechanism to request this functionality for the newest version? Do you happen to know if this is on the roadmap for it?
I'm the author of the app, so consider your request received 😉 . It's a pretty easy change, so I'll get it in there ASAP.