AAD Sign In Logs - Client app

jnowotny
Engager

In Azure AD, there is a new field for sign-in logs called "client app" that allows you to see whether the sign-in was initiated by a browser, mobile/desktop app, or from a basic auth client (other clients).

Any possibility this information can be pulled down in the next release?

0 Karma

jconger
Splunk Employee

A new version of the app was uploaded that uses Microsoft Graph -> https://splunkbase.splunk.com/app/3757/
This will retrieve the clientAppUsed field requested. Note that this add-on requires different permissions since a different API is used under-the-hood.

  • Windows Azure Active Directory - Read directory data
  • Microsoft Graph - Read all audit log data

The Azure AD Application Registration needs to be in the Security Reader role for the subscription(s).

0 Karma
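As an added example (not part of the original post and not the add-on's code), here is one way to use the clientAppUsed field once the sign-in events are collected: summarize, per user, the sign-ins that did not come from a browser or a mobile/desktop app. Assumptions: events arrive as JSON lines shaped like Microsoft Graph signIn records, the sample events are constructed, and any clientAppUsed value outside the two modern ones is treated as a legacy/basic auth candidate.

```python
import json
from collections import defaultdict

# Assumption: only these two clientAppUsed values are modern-auth clients; any
# other value ("Other clients", "IMAP4", ...) is flagged as a legacy candidate.
MODERN_CLIENTS = {"browser", "mobile apps and desktop clients"}

# Constructed sample events (not real data); the last line is truncated on purpose.
SAMPLE_EVENTS = """
{"userPrincipalName":"alice@example.com","clientAppUsed":"Browser","ipAddress":"192.0.2.10","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","clientAppUsed":"Other clients","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
{"userPrincipalName":"Bob@example.com","clientAppUsed":"Other clients","ipAddress":"198.51.100.7","status":{"errorCode":50126}}
{"userPrincipalName":"bob@example.com","clientAppUsed":"IMAP4","ipAddress":"198.51.100.7","status":{"errorCode":0}}
{"userPrincipalName":"carol@example.com","clientAppUsed":"Mobile Apps and Desktop clients","ipAddress":"192.0.2.44","status":{"errorCode":0}}
{"userPrincipalName":"dave@example.com","ipAddress":"192.0.2.50","status":{"errorCode":0}}
{"userPrincipalName":"erin@example.com","clientAppUs
"""

def classify(client_app):
    """Map a clientAppUsed value to 'modern', 'legacy' or 'unknown'."""
    if not client_app:
        return "unknown"  # field absent, e.g. events from an older collector
    return "modern" if client_app.strip().lower() in MODERN_CLIENTS else "legacy"

def legacy_auth_report(lines):
    """Per-user counts, client names and source IPs for legacy sign-ins."""
    report = defaultdict(lambda: {"success": 0, "failure": 0, "clients": set(), "ips": set()})
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if classify(event.get("clientAppUsed")) != "legacy":
            continue
        user = (event.get("userPrincipalName") or "unknown").lower()
        outcome = "success" if (event.get("status") or {}).get("errorCode") == 0 else "failure"
        entry = report[user]
        entry[outcome] += 1
        entry["clients"].add(event["clientAppUsed"])
        if event.get("ipAddress"):
            entry["ips"].add(event["ipAddress"])
    return dict(report)

if __name__ == "__main__":
    for user, e in sorted(legacy_auth_report(SAMPLE_EVENTS).items()):
        print(user, e["success"], e["failure"], sorted(e["clients"]), sorted(e["ips"]))
```

Events without the field are reported as "unknown" rather than "modern", so records collected before the field was available do not hide legacy sign-ins.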

remnant
Engager

@jconger 

Do the Azure AD inputs (audit and signins) require a subscription even if the logs don't go through the EventHub resource?

So far we've configured an App Registration with the recommended permissions (application type) assigned, and our tenant doesn't have any subscriptions or other resources. It's barebones with Azure AD only.

When we configured the inputs using the Azure Add-on for Splunk, we tried 3 inputs:

1) Users
2) audit
3) signin

However, only Users input worked. Other inputs are getting the 403 error.

Would you happen to know why? Maybe other inputs require a subscription in place?

0 Karma

jconger
Splunk Employee

Azure AD exists above subscriptions.  So, "no" you don't need a subscription to get Azure AD logs.

To get Azure AD logs via the Splunk add-on, you will need to grant your Azure AD app registration the AuditLog.Read.All permission.  Additionally, you will need at least a P1 version of Azure AD to get sign-in logs.

Refer to this spreadsheet for necessary permissions => http://bit.ly/Splunk_Azure_Permissions

remnant
Engager

I did follow that when assigning permissions to the Azure AD app registration.

Good call on the AAD P1 license. Let me check on the AAD license!

0 Karma

jnowotny
Engager

Awesome job and response! A ton more data that we can utilize for reporting and alerting - THANKS!!

0 Karma

jconger
Splunk Employee

Azure Active Directory data is available via REST APIs or Event Hubs. The Microsoft Azure Active Directory Reporting Add-on for Splunk uses the REST API. The REST API used in the add-on would need to be updated to get the new data since it is version-specific.

If you want to get the data today, you can configure the AAD logs to go to an Event Hub. Once on the hub, you have 3 ways to get it into Splunk:

  1. Use the Azure Monitor Add-on for Splunk
  2. Use an Azure Function to push the events to Splunk via HTTP Event Collector
  3. Enable Kafka on your Event Hub and use Splunk Connect for Kafka

If you want to set up the Azure Monitor add-on, here are some pointers:

jnowotny
Engager

Is there a mechanism to request this functionality for the newest version? Do you happen to know if this is on the roadmap for it?

0 Karma

jconger
Splunk Employee

I'm the author of the app, so consider your request received 😉 . It's a pretty easy change, so I'll get it in there ASAP.