
Microsoft Azure Add-on - What attributes will be collected for users (azure:aad:user)?

mlichtjx
Explorer

I would like to set up an identity lookup for Azure AD user accounts in Splunk ES. It looks like the Microsoft Azure Add-on collects the user data using the Microsoft Azure Active Directory Users input. How can I tell and configure what user attributes will be collected?

@sleclerc1 I saw you had success with getting this going, can you share what attributes you got back for each user? 

Thanks.


sleclerc1
Explorer

Hi @mlichtjx !

There are quite a few attributes 😁 and it will likely be different from what we ingest (e.g. we have some synced attributes with our on-premises infrastructure). However, I would recommend that you try using the following tool:

Microsoft Graph Explorer

to replicate the API query that the add-on uses to pull user data. You might have to meddle with some permissions in your Azure environment to ensure that the user making the query has permissions to pull that data from Azure. To find what URL the add-on is using, check out the file in the add-on's /bin directory (TA-MS-AAD/bin/), named "input_module_MS_AAD_user.py". In our use case, we modified the query with some filters to exclude certain users.

Once we got the data in (we run it on a 24-hour interval), I wrote a scheduled search that would transform the data into a table of ES-relevant fields, then piped it to "outputlookup" to write it to the CSV that ES leverages for its identity lookup table.

Hope this helps!  Let me know if you have any additional questions!

mlichtjx
Explorer

Thanks @sleclerc1!

Thanks for these tips! How's the performance impact of this on 600k users? Good point about testing with Graph Explorer. I unpacked the SPL and found that .py script to dig into.

sleclerc1
Explorer

We ingest the data via a heavy forwarder (following best practice), and as long as you have decent hardware specs, it shouldn't be that intensive. I would turn debug logs on, however, and ensure that the API call retrieves all the user data you're looking for. In our case, without using a filter, we were ingesting close to 800K users, but logs would state that the pagination used by the Graph query would fail near the end. Rather than troubleshoot the error, we opted to use filters to bring in the users we cared about the most, and the errors subsided.
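The two pieces discussed above, the Graph /users query with $select and $filter and the transform into ES identity lookup columns, plus the pagination failure near the end of a large tenant, as an added example that is not the add-on's own code. It assumes a hypothetical get_page callable in place of the HTTP client, an assumed field mapping, and constructed sample pages; the point is that a page failing late in the @odata.nextLink chain is reported with its page number and the count so far, never mistaken for a complete pull.

```python
from urllib.parse import urlencode

# Attributes assumed to be requested with $select: this, not the tenant, decides what comes back.
GRAPH_SELECT = ["userPrincipalName", "givenName", "surname", "mail",
                "mobilePhone", "department", "jobTitle", "accountEnabled"]

def build_users_url(user_filter="accountEnabled eq true", page_size=999):
    # $filter is the "exclude certain users" approach from the thread; $top sets the page size.
    params = {"$select": ",".join(GRAPH_SELECT), "$filter": user_filter, "$top": page_size}
    return "https://graph.microsoft.com/v1.0/users?" + urlencode(params, safe="$,")

def fetch_all_users(get_page, url):
    """Follow @odata.nextLink to the end. Returns (users, error): a page that fails late in
    the chain yields the partial list plus a message naming the page, never a silent short pull."""
    users, page = [], 0
    while url:
        page += 1
        try:
            body = get_page(url)  # hypothetical HTTP wrapper: URL in, decoded JSON page out
        except Exception as exc:
            return users, f"page {page} failed after {len(users)} users: {exc}"
        users.extend(body.get("value", []))
        url = body.get("@odata.nextLink")
    return users, None

def to_identity_rows(users):
    # Assumed mapping onto ES identity lookup fields; "identity" is the key ES joins on.
    return [{"identity": u.get("userPrincipalName", ""), "first": u.get("givenName") or "",
             "last": u.get("surname") or "", "email": u.get("mail") or "",
             "phone": u.get("mobilePhone") or "", "bunit": u.get("department") or "",
             "category": "enabled" if u.get("accountEnabled") else "disabled",
             "priority": "high" if "admin" in (u.get("jobTitle") or "").lower() else "medium"}
            for u in users]

# Constructed sample: two Graph pages chained by @odata.nextLink, served without a network.
FIRST_URL = build_users_url()
PAGE2_URL = FIRST_URL + "&$skiptoken=PAGE2"
SAMPLE_PAGES = {
    FIRST_URL: {"value": [{"userPrincipalName": "asmith@example.com", "givenName": "Ann", "surname": "Smith",
                           "mail": "ann.smith@example.com", "department": "Finance", "accountEnabled": True}],
                "@odata.nextLink": PAGE2_URL},
    PAGE2_URL: {"value": [{"userPrincipalName": "bjones@example.com", "givenName": "Bob", "surname": "Jones",
                           "mobilePhone": "+1 555 0100", "jobTitle": "Cloud Administrator", "accountEnabled": True}]},
}

def sample_get_page(url):
    return SAMPLE_PAGES[url]

def sample_failing_get_page(url):
    if url == PAGE2_URL:  # stands in for the late-page failure described in the thread
        raise IOError("HTTP 500 from Graph")
    return SAMPLE_PAGES[url]
```

In Splunk the equivalent of the last step is the scheduled search that renames fields into the same columns and ends in `| outputlookup`; if the pull reports an error, keep the previous lookup rather than overwriting it with a truncated one.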

mlichtjx
Explorer

Thanks, I am going to check this out.