We have the Splunk Add-on for Microsoft Cloud Services up and running fine, but we don't seem to have any events for the SecurityComplianceCenter workload. These should be available according to https://msdn.microsoft.com/en-us/office-365/office-365-management-activity-api-schema
The 365 input is configured with:
Data: Service Status/3600,Operational Message/3600,Exchange Online Audit/3600,Sharepoint Online Audit/3600,Azure AD Audit/3600
So I guess that might be the reason.
Has anyone got SecurityComplianceCenter events, and if so, what does your inputs data stanza look like?
Thanks!
Splunk support have confirmed this is coming in a future version of the add-on.
Any updates on this?
OK thanks for posting! Good to know.
Got any _internal logging that points to a possible problem?
If SecurityComplianceCenter doesn't show up in the inputs config, it might be that your Azure app is not set up correctly.
All of the sourcetypes supported are listed in a table here: http://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/About. Once the Compliance Center logs are added, it should be listed there.
There's nothing obviously wrong in _internal for sourcetype="ms:o365:jobinsight:account".
The Azure app permissions look correct - everything is checked except DLP.
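As an added example (not from this thread, the Splunk add-on, or Microsoft), the two checks below separate the add-on side of the problem from the tenant side. The first parses the input's `Data` value quoted in the question into name/interval pairs and reports which Management Activity API content types none of the configured inputs covers. The second takes the JSON a `/subscriptions/list` call against the Office 365 Management Activity API returns and reports which content types are not enabled for the Azure app (the comment above about the app being set up correctly). Assumptions, all labelled in the code: the mapping from the add-on's input names to API content types, the list-response shape `[{"contentType": ..., "status": ...}, ...]`, and that SecurityComplianceCenter events travel under the `Audit.General` content type. The sample `Data` value and the sample subscription list are constructed so the script runs offline; on a live tenant you would paste in the real list response.

```python
"""
Added example, not the add-on's own code. Two offline checks for the case
described in the thread: which content types the add-on inputs cover, and
which content types the tenant subscription actually has enabled.
"""
import json

# Assumed mapping from the add-on's input names to Management Activity API
# content types (an assumption for illustration, not confirmed by the thread).
INPUT_TO_CONTENT_TYPE = {
    "Exchange Online Audit": "Audit.Exchange",
    "Sharepoint Online Audit": "Audit.SharePoint",
    "Azure AD Audit": "Audit.AzureActiveDirectory",
}

# Assumption: SecurityComplianceCenter workload records arrive under the
# Audit.General content type, which none of the inputs above maps to.
SCC_CONTENT_TYPE = "Audit.General"


def parse_data_stanza(data):
    """Parse 'Name/seconds,Name/seconds' into {name: interval_seconds}."""
    result = {}
    for item in data.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, interval = item.rpartition("/")
        if not sep:
            raise ValueError("bad Data entry (expected Name/seconds): %r" % item)
        result[name.strip()] = int(interval)
    return result


def inputs_missing_for(data, wanted_content_types):
    """Return the wanted content types that no configured input covers."""
    configured = {INPUT_TO_CONTENT_TYPE.get(name) for name in parse_data_stanza(data)}
    return sorted(ct for ct in wanted_content_types if ct not in configured)


def missing_content_types(subscriptions_json, wanted_content_types):
    """From a /subscriptions/list response, return wanted types not enabled.

    Assumed response shape: a JSON array of objects with "contentType" and
    "status" keys; anything whose status is not "enabled" counts as missing.
    """
    enabled = {
        sub["contentType"]
        for sub in json.loads(subscriptions_json)
        if str(sub.get("status", "")).lower() == "enabled"
    }
    return sorted(ct for ct in wanted_content_types if ct not in enabled)


# Constructed sample: the Data value quoted in the question.
DATA = (
    "Service Status/3600,Operational Message/3600,Exchange Online Audit/3600,"
    "Sharepoint Online Audit/3600,Azure AD Audit/3600"
)

# Constructed sample of a /subscriptions/list response; not from a real tenant.
SAMPLE_SUBSCRIPTIONS = json.dumps([
    {"contentType": "Audit.AzureActiveDirectory", "status": "enabled", "webhook": None},
    {"contentType": "Audit.Exchange", "status": "enabled", "webhook": None},
    {"contentType": "Audit.SharePoint", "status": "enabled", "webhook": None},
])

WANTED = [
    "Audit.AzureActiveDirectory",
    "Audit.Exchange",
    "Audit.SharePoint",
    SCC_CONTENT_TYPE,
]

if __name__ == "__main__":
    print("configured inputs:", parse_data_stanza(DATA))
    print("not covered by any input:", inputs_missing_for(DATA, WANTED))
    print("not enabled on the tenant:", missing_content_types(SAMPLE_SUBSCRIPTIONS, WANTED))
```

With the sample data both checks report `Audit.General` as the gap, which matches the thread's outcome: the tenant side can be fully subscribed and the events still will not appear until the add-on has an input that collects that content type.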