We have the Splunk Add-on for Microsoft Cloud Services up and running fine, but we don't seem to have any events for the SecurityComplianceCenter workload. These should be available according to https://msdn.microsoft.com/en-us/office-365/office-365-management-activity-api-schema
The 365 input is configured with:
Data: Service Status/3600,Operational Message/3600,Exchange Online Audit/3600,Sharepoint Online Audit/3600,Azure AD Audit/3600
So I guess that might be the reason.
Has anyone got SecurityComplianceCenter events, and if so, what does your inputs data stanza look like?
All of the sourcetypes supported are listed in a table here: http://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/About. Once the Compliance center logs are added, it should be listed there.