Hi, I'm trying to get sign-ins for Azure. It seems that the add-on is only fetching interactive sign-ins and not the non-interactive ones. Is there a possibility to fetch these also? They are showing in the Azure console as "User sign-ins (non-interactive)".
Azure AD sign-in logs -> Azure event hub -> Splunk.
Just make sure you're using v4.1.3 of the Splunk Add-on for Microsoft Cloud Services. Prior versions didn't handle event hubs properly.
The latest version of the Splunk Add-on for Microsoft Cloud Services (4.1.3) reads from event hubs. You can send the non-interactive sign-in Azure logs to an event hub and then consume from there.
I'm looking for the same. Based on this blog and my poking around the Graph API, I don't think they're easily accessible.
https://www.michev.info/Blog/Post/3127/azure-ad-sign-in-logs-for-service-principals-and-other-recent...
I'm looking into the Log Analytics Space -> Splunk options now.