All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I get Azure Sign-In data into Splunk?

rkantamaneni_sp
Splunk Employee
Splunk Employee
‎05-10-2019 09:19 AM

I'm using the Splunk Add-On for Microsoft Cloud Services, and after properly configuring it, I am unable to see the Azure Sign-In Audit Data. Am I doing something wrong or how do I see that data?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rkantamaneni_sp
Splunk Employee
Splunk Employee
‎05-10-2019 09:25 AM

All sign-in data comes from Microsoft Azure AD, but there are a few main types (with respect to entry points/schema):

1.) Azure Application Data
2.) Azure User Account Sign-Ins (this is separate from the Audit data)
3.) Office 365 Management – Sign-Ins

What Splunk currently officially supports is number 3, O365 Management Sign-Ins, which was part of the Splunk MSCS Add-On until it was separated into the separate Splunk O365 Add-On (https://splunkbase.splunk.com/app/4055/). So technically, at one point, MSCS was supporting "Sign-In" data, but it pertained to O365, not Azure. Splunk plans to officially support the other sign-in data sources at a later date (active work in progress), but as of now, it is not supported. An enhancement request was created, ADDON-21972. If you'd like to follow this, please contact Splunk Support with a message stating you wish to be added to the Enhancement Request ADDON-21972 and reach out to your Splunk account team for status updates. In the mean time, there are unsupported ways to get that data into Splunk explained below.

The Azure Audit sign-in data sources for 1 and 2 above (currently not supported by the Splunk MSCS Add-On) can be obtained using apps created by Splunk Works/the community. There are two ways to get that sign-in data using those published Add-Ons:

a.) Using the Azure AD reporting add-on -> https://splunkbase.splunk.com/app/3757/

b.) Sending the Azure AD logs to an Event Hub and using the Azure monitor add-on -> https://splunkbase.splunk.com/app/3534/

https://www.splunk.com/blog/2018/04/20/splunking-microsoft-azure-monitor-data-part-1-azure-setup.htm...

https://www.splunk.com/blog/2018/05/07/splunking-microsoft-azure-monitor-data-part-2-splunk-setup.ht...

https://splunkbase.splunk.com/app/4343/#/details

Separately, it may be possible to just download the data directly with a script and ingest it into Splunk as a log appropriately. An example of a download script can be found here: https://gallery.technet.microsoft.com/scriptcenter/Pull-Azure-AD-Sign-In-3fead683

View solution in original post

Reply
Solved! Jump to solution
Solution

rkantamaneni_sp
Splunk Employee
Splunk Employee
‎05-10-2019 09:25 AM

All sign-in data comes from Microsoft Azure AD, but there are a few main types (with respect to entry points/schema):

1.) Azure Application Data
2.) Azure User Account Sign-Ins (this is separate from the Audit data)
3.) Office 365 Management – Sign-Ins

What Splunk currently officially supports is number 3, O365 Management Sign-Ins, which was part of the Splunk MSCS Add-On until it was separated into the separate Splunk O365 Add-On (https://splunkbase.splunk.com/app/4055/). So technically, at one point, MSCS was supporting "Sign-In" data, but it pertained to O365, not Azure. Splunk plans to officially support the other sign-in data sources at a later date (active work in progress), but as of now, it is not supported. An enhancement request was created, ADDON-21972. If you'd like to follow this, please contact Splunk Support with a message stating you wish to be added to the Enhancement Request ADDON-21972 and reach out to your Splunk account team for status updates. In the mean time, there are unsupported ways to get that data into Splunk explained below.

The Azure Audit sign-in data sources for 1 and 2 above (currently not supported by the Splunk MSCS Add-On) can be obtained using apps created by Splunk Works/the community. There are two ways to get that sign-in data using those published Add-Ons:

a.) Using the Azure AD reporting add-on -> https://splunkbase.splunk.com/app/3757/

b.) Sending the Azure AD logs to an Event Hub and using the Azure monitor add-on -> https://splunkbase.splunk.com/app/3534/

https://www.splunk.com/blog/2018/04/20/splunking-microsoft-azure-monitor-data-part-1-azure-setup.htm...

https://www.splunk.com/blog/2018/05/07/splunking-microsoft-azure-monitor-data-part-2-splunk-setup.ht...

https://splunkbase.splunk.com/app/4343/#/details

Separately, it may be possible to just download the data directly with a script and ingest it into Splunk as a log appropriately. An example of a download script can be found here: https://gallery.technet.microsoft.com/scriptcenter/Pull-Azure-AD-Sign-In-3fead683

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...