Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Apps and Add-ons
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Azure Monitor Active Directory via Event Hub
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sumitkathpal292
New Member
06-16-2019
08:57 PM
Hi All,
Anyone successful able to pull the logs (Sign-in and Audit logs) of Active Directory via Azure Event Hub. If yes which method you follow.
Any other recommendation method. Thanks in advance
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jconger
Splunk Employee
06-17-2019
09:37 AM
Yes. Here's how:
- Install the Azure Monitor Add-on https://github.com/Microsoft/AzureMonitorAddonForSplunk/wiki (don't forget to get the node.js and Python dependencies)
- Setup all your Azure stuff (Event Hubs, Azure AD applications, Key Vault, SPNs)
- Send your Azure AD sign-in and audit logs to an Event Hub
- Modify your hubs.json file in the add-on -> https://github.com/microsoft/AzureMonitorAddonForSplunk/wiki/Configuration-of-Splunk#hubsjson
- Basically, after you enable the Azure AD logs going to an event hub, check the event hubs in the Azure portal for the name of the actual hub(s). It will be something like
insights-logs-signinlogsandinsights-logs-auditlogs
- Basically, after you enable the Azure AD logs going to an event hub, check the event hubs in the Azure portal for the name of the actual hub(s). It will be something like
- Setup and Azure Monitor Diagnostic Logs input on the Splunk instance where you installed the Azure Monitor add-on
- Done
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jconger
Splunk Employee
06-17-2019
09:37 AM
Yes. Here's how:
- Install the Azure Monitor Add-on https://github.com/Microsoft/AzureMonitorAddonForSplunk/wiki (don't forget to get the node.js and Python dependencies)
- Setup all your Azure stuff (Event Hubs, Azure AD applications, Key Vault, SPNs)
- Send your Azure AD sign-in and audit logs to an Event Hub
- Modify your hubs.json file in the add-on -> https://github.com/microsoft/AzureMonitorAddonForSplunk/wiki/Configuration-of-Splunk#hubsjson
- Basically, after you enable the Azure AD logs going to an event hub, check the event hubs in the Azure portal for the name of the actual hub(s). It will be something like
insights-logs-signinlogsandinsights-logs-auditlogs
- Basically, after you enable the Azure AD logs going to an event hub, check the event hubs in the Azure portal for the name of the actual hub(s). It will be something like
- Setup and Azure Monitor Diagnostic Logs input on the Splunk instance where you installed the Azure Monitor add-on
- Done
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sumitkathpal292
New Member
06-17-2019
04:45 PM
Thanks @jconger it worked.
Can we define sourcetype for sign and audit logs as currently sourcetype is defined which is amdl:diagnosticLogs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jconger
Splunk Employee
06-17-2019
04:55 PM
Yes - modify logCategories.json
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sumitkathpal292
New Member
06-17-2019
05:33 PM
Thanks for quick reply @jconger , you mean i need to update "MICROSOFT.AADIAM/AUDIT" OR "MICROSOFT.AADIAM/SIGNIN" with ?
"MICROSOFT.AADIAM/AUDIT": "amdl:aadal:audit",
"MICROSOFT.AADIAM/SIGNIN": "amdl:aadal:signin"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sumitkathpal292
New Member
06-23-2019
08:27 PM
@jconger did u got change to have a look ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sumitkathpal
Explorer
07-30-2019
10:13 PM
@jconger please help.
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
Announcing Modern Navigation: A New Era of Splunk User Experience
We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...
