Only pulling user change logs and not login attempts

jared_anderson
Path Finder

We are only receiving logs that pertain to user modifications, and not user authentication events. We used the global admin account and that account has full rights.

centrafraserk
Path Finder

If you figure out this problem I would be very interested to hear it. I'm not sure why the Splunk employee is directing you to the AD reporting Add-on, but you are very much correct that there is a problem with the TA. This TA will give you UserLoggedIn as well as UserLogonFailed events, but will stop and then only continue to give you the audit data. If I can't find any more information I will have to file an urgent support ticket because I really need this data to continue to flow.

jconger
Splunk Employee

The Splunk Add-on for Microsoft Cloud Services uses the Office 365 Management Activity API to gather Azure AD information. The AAD data available from that API is detailed here, and the logon specific data is here.

You can think of Azure AD as a totally different service than O365 or Azure. Both O365 and Azure use AAD for user identity and access management, but not in the same way. Therefore, the data you get from the O365 management activity API is specific to how O365 uses AAD. If you are looking for sign-in and audit data for AAD like you see in the Azure Portal, it won't be there. Instead, you can use the Microsoft Azure AD Reporting Add-on to get this data.

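As an added example (not code from the thread, Splunk, or the add-on), a small Python check that reads a content blob of the kind the Office 365 Management Activity API returns for Azure AD and reports whether sign-in records have stopped while directory-audit (user modification) records keep arriving, which is the symptom described in this thread. The records are constructed; RecordType values follow the API's published schema, and the logon operation names are the ones the posts mention plus the API's own spelling.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records (not real tenant data). Field names follow the Management
# Activity API common schema; RecordType 8 = AzureActiveDirectory (directory audit),
# 15 = AzureActiveDirectoryStsLogon (sign-in). "UserLoginFailed" is the API's spelling;
# "UserLogonFailed" is kept below because the thread uses it.
SAMPLE_RECORDS = [
    {"RecordType": 8, "CreationTime": "2018-06-01T10:00:00", "Operation": "Update user.",
     "UserId": "admin@example.onmicrosoft.com", "Workload": "AzureActiveDirectory"},
    {"RecordType": 8, "CreationTime": "2018-06-01T10:05:00", "Operation": "Add member to group.",
     "UserId": "admin@example.onmicrosoft.com", "Workload": "AzureActiveDirectory"},
    {"RecordType": 15, "CreationTime": "2018-06-01T10:02:00", "Operation": "UserLoggedIn",
     "UserId": "alice@example.onmicrosoft.com", "Workload": "AzureActiveDirectory"},
    {"RecordType": 15, "CreationTime": "2018-06-01T10:03:00", "Operation": "UserLoginFailed",
     "UserId": "bob@example.onmicrosoft.com", "Workload": "AzureActiveDirectory"},
]
SAMPLE_BLOB = json.dumps(SAMPLE_RECORDS)          # healthy feed: audit + sign-in records
AUDIT_ONLY_BLOB = json.dumps(SAMPLE_RECORDS[:2])  # the symptom from the thread: audit only

SIGNIN_RECORD_TYPES = {9, 15}   # AzureActiveDirectoryAccountLogon, AzureActiveDirectoryStsLogon
SIGNIN_OPERATIONS = {"UserLoggedIn", "UserLoginFailed", "UserLogonFailed"}

def classify(record: dict) -> str:
    """'signin' for logon records, 'audit' for directory-change (user modification) records."""
    if record.get("RecordType") in SIGNIN_RECORD_TYPES or record.get("Operation") in SIGNIN_OPERATIONS:
        return "signin"
    return "audit"

def summarize(blob_json: str) -> dict:
    """Count records per category and return the newest CreationTime (ISO string) of each."""
    counts, latest = Counter(), {"audit": None, "signin": None}
    for rec in json.loads(blob_json):
        kind = classify(rec)
        counts[kind] += 1
        ts = datetime.fromisoformat(rec["CreationTime"])
        if latest[kind] is None or ts > latest[kind]:
            latest[kind] = ts
    return {"audit": counts["audit"], "signin": counts["signin"],
            "latest_audit": latest["audit"] and latest["audit"].isoformat(),
            "latest_signin": latest["signin"] and latest["signin"].isoformat()}

def signin_feed_stalled(blob_json: str, now_iso: str, max_gap_minutes: int = 60) -> bool:
    """True when audit records are still fresh but no sign-in record is newer than the gap."""
    s, now, gap = summarize(blob_json), datetime.fromisoformat(now_iso), timedelta(minutes=max_gap_minutes)
    def fresh(iso): return iso is not None and now - datetime.fromisoformat(iso) <= gap
    return fresh(s["latest_audit"]) and not fresh(s["latest_signin"])

if __name__ == "__main__":
    print(summarize(SAMPLE_BLOB))
    print("sign-in feed stalled:", signin_feed_stalled(AUDIT_ONLY_BLOB, "2018-06-01T10:30:00"))
```

Run it against a blob pulled from your own subscription to confirm whether the gap is in what the API returns or in what the add-on indexes.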
centrafraserk
Path Finder

The logs he is referring to are the AzureAD.Audit logs from the O365 Management API. I think he is correct that the TA is now broken due to an issue either from a change on Microsoft's end or a misconfiguration in the TA. The last version of this TA was released to fix this exact issue, but it seems to be broken again.

http://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Releasenotes

Notice that this version of the TA has revisited the ADDON-15540 bug in the "New Known Issues" section, which the poster above is referring to.