All Apps and Add-ons
Highlighted

How do I get Azure Sign-In data into Splunk?

Splunk Employee
Splunk Employee

I'm using the Splunk Add-On for Microsoft Cloud Services, and after properly configuring it, I am unable to see the Azure Sign-In Audit Data. Am I doing something wrong or how do I see that data?

0 Karma
Highlighted

Re: How do I get Azure Sign-In data into Splunk?

Splunk Employee
Splunk Employee

All sign-in data comes from Microsoft Azure AD, but there are a few main types (with respect to entry points/schema):

1.) Azure Application Data
2.) Azure User Account Sign-Ins (this is separate from the Audit data)
3.) Office 365 Management – Sign-Ins

What Splunk currently officially supports is number 3, O365 Management Sign-Ins, which was part of the Splunk MSCS Add-On until it was separated into the separate Splunk O365 Add-On (https://splunkbase.splunk.com/app/4055/). So technically, at one point, MSCS was supporting "Sign-In" data, but it pertained to O365, not Azure. Splunk plans to officially support the other sign-in data sources at a later date (active work in progress), but as of now, it is not supported. An enhancement request was created, ADDON-21972. If you'd like to follow this, please contact Splunk Support with a message stating you wish to be added to the Enhancement Request ADDON-21972 and reach out to your Splunk account team for status updates. In the mean time, there are unsupported ways to get that data into Splunk explained below.

The Azure Audit sign-in data sources for 1 and 2 above (currently not supported by the Splunk MSCS Add-On) can be obtained using apps created by Splunk Works/the community. There are two ways to get that sign-in data using those published Add-Ons:

a.) Using the Azure AD reporting add-on -> https://splunkbase.splunk.com/app/3757/

b.) Sending the Azure AD logs to an Event Hub and using the Azure monitor add-on -> https://splunkbase.splunk.com/app/3534/

https://www.splunk.com/blog/2018/04/20/splunking-microsoft-azure-monitor-data-part-1-azure-setup.htm...

https://www.splunk.com/blog/2018/05/07/splunking-microsoft-azure-monitor-data-part-2-splunk-setup.ht...

https://splunkbase.splunk.com/app/4343/#/details

Separately, it may be possible to just download the data directly with a script and ingest it into Splunk as a log appropriately. An example of a download script can be found here: https://gallery.technet.microsoft.com/scriptcenter/Pull-Azure-AD-Sign-In-3fead683

View solution in original post