All Apps and Add-ons

Splunk Add-on for Microsoft Cloud Services: How do configure inputs.conf to have Security and Compliance Center events show?

alexlomas
Path Finder

We have the Splunk Add-on for Microsoft Cloud Services up and running fine but we don't seem to have any events for the SecurityComplianceCenter workload. These should be available according to https://msdn.microsoft.com/en-us/office-365/office-365-management-activity-api-schema

The 365 input is configured with:

Data: Service Status/3600,Operational Message/3600,Exchange Online Audit/3600,Sharepoint Online Audit/3600,Azure AD Audit/3600

So I guess that might be the reason.

Has anyone got SecurityComplianceCenter events and if so, what does your inputs data stanza look like?

Thanks!

0 Karma

alexlomas
Path Finder

Splunk support have confirmed this is coming in a future version of the add on.

Bloodnite
Path Finder

any updates on this?

0 Karma

cmeerbeek
Path Finder

OK thanks for posting! Good to know.

0 Karma

cmeerbeek
Path Finder

Got any _internal logging that point to a possible problem?

If SecurityComplianceCenter doesn't show up in the inputs config it might be that your azure app is not setup correctly.

0 Karma

hrottenberg_spl
Splunk Employee
Splunk Employee

All of the sourcetypes supported are listed in a table here: http://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/About. Once the Compliance center logs are added, it should be listed there.

0 Karma

alexlomas
Path Finder

There's nothing obviously wrong in _internal for sourcetype="ms:o365:jobinsight:account".

The Azure app permissions look correct - everything is checked except DLP.

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...