Splunk Add on for MS Cloud Services: Audit.General and DLP.All (Security & Compliance) Events not showing

jp_elizabeth
Explorer

Hello,

We have the Splunk Add-on for Microsoft Cloud Services installed on a HWF and we are pulling through the following events.

Service Status,
Operational Message,
Exchange Online Audit,
SharePoint Online Audit,
Azure AD Audit

We don't seem to be getting any DLP (security & compliance) events or anything from audit.general either. Does anyone know what the issue might be?

Thanks

Bloodnite
Path Finder

Double check to see if your O365 tenant has DLP policies enabled for at least testing/monitor only, and the DLP policy items show up under:

sourcetype - ms:o365:management
user=DlpAgent

0 Karma

a212830
Champion

Audit.general is not supported yet. We've submitted an enhancement request for it, and I've been told that they hope to have it available around .conf... so... hopefully soon.

0 Karma

Bloodnite
Path Finder

v2.1.0 in https://splunkbase.splunk.com/app/3110/ supports it, supposedly. I updated the app... and in the MSapp -> inputs > edit your O365 API input > click on the data blank space field and Audit/General shows up to choose > click on it. Save. Wait. I'm keeping my fingers crossed...

0 Karma

HereIAm
New Member

Were you able to solve this problem? We submitted a product enhancement request that isn't supposed to be done until mid October and are looking for a quick solution to get it working.

0 Karma

jp_elizabeth
Explorer

We haven't been able to resolve the problem yet; it looks like it's not supported on the add-on. We're looking to try and implement using the separate REST API Modular add-on: https://splunkbase.splunk.com/app/1546/#/details

0 Karma