All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I get Azure Sign-In data into Splunk?

rkantamaneni_sp
Splunk Employee
Splunk Employee
‎05-10-2019 09:19 AM

I'm using the Splunk Add-On for Microsoft Cloud Services, and after properly configuring it, I am unable to see the Azure Sign-In Audit Data. Am I doing something wrong or how do I see that data?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rkantamaneni_sp
Splunk Employee
Splunk Employee
‎05-10-2019 09:25 AM

All sign-in data comes from Microsoft Azure AD, but there are a few main types (with respect to entry points/schema):

1.) Azure Application Data
2.) Azure User Account Sign-Ins (this is separate from the Audit data)
3.) Office 365 Management – Sign-Ins

What Splunk currently officially supports is number 3, O365 Management Sign-Ins, which was part of the Splunk MSCS Add-On until it was separated into the separate Splunk O365 Add-On (https://splunkbase.splunk.com/app/4055/). So technically, at one point, MSCS was supporting "Sign-In" data, but it pertained to O365, not Azure. Splunk plans to officially support the other sign-in data sources at a later date (active work in progress), but as of now, it is not supported. An enhancement request was created, ADDON-21972. If you'd like to follow this, please contact Splunk Support with a message stating you wish to be added to the Enhancement Request ADDON-21972 and reach out to your Splunk account team for status updates. In the mean time, there are unsupported ways to get that data into Splunk explained below.

The Azure Audit sign-in data sources for 1 and 2 above (currently not supported by the Splunk MSCS Add-On) can be obtained using apps created by Splunk Works/the community. There are two ways to get that sign-in data using those published Add-Ons:

a.) Using the Azure AD reporting add-on -> https://splunkbase.splunk.com/app/3757/

b.) Sending the Azure AD logs to an Event Hub and using the Azure monitor add-on -> https://splunkbase.splunk.com/app/3534/

https://www.splunk.com/blog/2018/04/20/splunking-microsoft-azure-monitor-data-part-1-azure-setup.htm...

https://www.splunk.com/blog/2018/05/07/splunking-microsoft-azure-monitor-data-part-2-splunk-setup.ht...

https://splunkbase.splunk.com/app/4343/#/details

Separately, it may be possible to just download the data directly with a script and ingest it into Splunk as a log appropriately. An example of a download script can be found here: https://gallery.technet.microsoft.com/scriptcenter/Pull-Azure-AD-Sign-In-3fead683

View solution in original post

Reply
Solved! Jump to solution
Solution

rkantamaneni_sp
Splunk Employee
Splunk Employee
‎05-10-2019 09:25 AM

All sign-in data comes from Microsoft Azure AD, but there are a few main types (with respect to entry points/schema):

1.) Azure Application Data
2.) Azure User Account Sign-Ins (this is separate from the Audit data)
3.) Office 365 Management – Sign-Ins

What Splunk currently officially supports is number 3, O365 Management Sign-Ins, which was part of the Splunk MSCS Add-On until it was separated into the separate Splunk O365 Add-On (https://splunkbase.splunk.com/app/4055/). So technically, at one point, MSCS was supporting "Sign-In" data, but it pertained to O365, not Azure. Splunk plans to officially support the other sign-in data sources at a later date (active work in progress), but as of now, it is not supported. An enhancement request was created, ADDON-21972. If you'd like to follow this, please contact Splunk Support with a message stating you wish to be added to the Enhancement Request ADDON-21972 and reach out to your Splunk account team for status updates. In the mean time, there are unsupported ways to get that data into Splunk explained below.

The Azure Audit sign-in data sources for 1 and 2 above (currently not supported by the Splunk MSCS Add-On) can be obtained using apps created by Splunk Works/the community. There are two ways to get that sign-in data using those published Add-Ons:

a.) Using the Azure AD reporting add-on -> https://splunkbase.splunk.com/app/3757/

b.) Sending the Azure AD logs to an Event Hub and using the Azure monitor add-on -> https://splunkbase.splunk.com/app/3534/

https://www.splunk.com/blog/2018/04/20/splunking-microsoft-azure-monitor-data-part-1-azure-setup.htm...

https://www.splunk.com/blog/2018/05/07/splunking-microsoft-azure-monitor-data-part-2-splunk-setup.ht...

https://splunkbase.splunk.com/app/4343/#/details

Separately, it may be possible to just download the data directly with a script and ingest it into Splunk as a log appropriately. An example of a download script can be found here: https://gallery.technet.microsoft.com/scriptcenter/Pull-Azure-AD-Sign-In-3fead683

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...