Re: Microsoft Azure Add-on for Splunk - non-intera...

wstarowicz · ‎10-22-2020

Hi, I'm trying to get Sign-ins for Azure. It seems that add-on is only fetching interactive sign-ins and not-interactive not. IS there a possibility to fetch these also? They are showing in Azure console as "User sign-ins (non-interactive)"

.

hughkelley · ‎06-09-2021

Azure AD sign-in logs -> Azure event hub -> Splunk.

Just make sure you're using v4.1.3 of the Splunk Add-on for Microsoft Cloud Services. Prior versions didn't handle event hubs properly.

https://splunkbase.splunk.com/app/3110/

hughkelley · ‎06-02-2021

The latest version of the Splunk Add-on for Microsoft Cloud Services (4.1.3) reads from event hubs. You can send the non-interactive sign-in Azure logs to an event hub and then consume from there.

hughkelley · ‎05-27-2021

I'm looking for the same. Based on this blog and my poking around the Graph API, I don't think they're easily accessible.

https://www.michev.info/Blog/Post/3127/azure-ad-sign-in-logs-for-service-principals-and-other-recent...

I'm looking into the Log Analytics Space -> Splunk options now.

Microsoft Azure Add-on for Splunk - non-interactive signins

configuration

development

troubleshooting

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio