Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Apps and Add-ons
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Re: Azure Monitor Active Directory via Event Hub
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sumitkathpal292
New Member
06-16-2019
08:57 PM
Hi All,
Anyone successful able to pull the logs (Sign-in and Audit logs) of Active Directory via Azure Event Hub. If yes which method you follow.
Any other recommendation method. Thanks in advance
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jconger
Splunk Employee
06-17-2019
09:37 AM
Yes. Here's how:
- Install the Azure Monitor Add-on https://github.com/Microsoft/AzureMonitorAddonForSplunk/wiki (don't forget to get the node.js and Python dependencies)
- Setup all your Azure stuff (Event Hubs, Azure AD applications, Key Vault, SPNs)
- Send your Azure AD sign-in and audit logs to an Event Hub
- Modify your hubs.json file in the add-on -> https://github.com/microsoft/AzureMonitorAddonForSplunk/wiki/Configuration-of-Splunk#hubsjson
- Basically, after you enable the Azure AD logs going to an event hub, check the event hubs in the Azure portal for the name of the actual hub(s). It will be something like
insights-logs-signinlogsandinsights-logs-auditlogs
- Basically, after you enable the Azure AD logs going to an event hub, check the event hubs in the Azure portal for the name of the actual hub(s). It will be something like
- Setup and Azure Monitor Diagnostic Logs input on the Splunk instance where you installed the Azure Monitor add-on
- Done
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jconger
Splunk Employee
06-17-2019
09:37 AM
Yes. Here's how:
- Install the Azure Monitor Add-on https://github.com/Microsoft/AzureMonitorAddonForSplunk/wiki (don't forget to get the node.js and Python dependencies)
- Setup all your Azure stuff (Event Hubs, Azure AD applications, Key Vault, SPNs)
- Send your Azure AD sign-in and audit logs to an Event Hub
- Modify your hubs.json file in the add-on -> https://github.com/microsoft/AzureMonitorAddonForSplunk/wiki/Configuration-of-Splunk#hubsjson
- Basically, after you enable the Azure AD logs going to an event hub, check the event hubs in the Azure portal for the name of the actual hub(s). It will be something like
insights-logs-signinlogsandinsights-logs-auditlogs
- Basically, after you enable the Azure AD logs going to an event hub, check the event hubs in the Azure portal for the name of the actual hub(s). It will be something like
- Setup and Azure Monitor Diagnostic Logs input on the Splunk instance where you installed the Azure Monitor add-on
- Done
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sumitkathpal292
New Member
06-17-2019
04:45 PM
Thanks @jconger it worked.
Can we define sourcetype for sign and audit logs as currently sourcetype is defined which is amdl:diagnosticLogs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jconger
Splunk Employee
06-17-2019
04:55 PM
Yes - modify logCategories.json
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sumitkathpal292
New Member
06-17-2019
05:33 PM
Thanks for quick reply @jconger , you mean i need to update "MICROSOFT.AADIAM/AUDIT" OR "MICROSOFT.AADIAM/SIGNIN" with ?
"MICROSOFT.AADIAM/AUDIT": "amdl:aadal:audit",
"MICROSOFT.AADIAM/SIGNIN": "amdl:aadal:signin"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sumitkathpal292
New Member
06-23-2019
08:27 PM
@jconger did u got change to have a look ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sumitkathpal
Explorer
07-30-2019
10:13 PM
@jconger please help.
Get Updates on the Splunk Community!
Splunk Enterprise Security: Your Command Center for PCI DSS Compliance
Every security professional knows the drill. The PCI DSS audit is approaching, and suddenly everyone's asking ...
Developer Spotlight with Guilhem Marchand
From Splunk Engineer to Founder: The Journey Behind TrackMe
After spending over 12 years working full time ...
Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...
The Problem: When Networks and Services Don't Talk
Payment systems fail at a retail location. Customers are ...
