We have the Splunk Add-on for Microsoft Cloud Services up and running fine but we don't seem to have any events for the SecurityComplianceCenter workload. These should be available according to https://msdn.microsoft.com/en-us/office-365/office-365-management-activity-api-schema
The 365 input is configured with:
Data: Service Status/3600,Operational Message/3600,Exchange Online Audit/3600,Sharepoint Online Audit/3600,Azure AD Audit/3600
So I guess that might be the reason.
Has anyone got SecurityComplianceCenter events and if so, what does your inputs data stanza look like?
Got any _internal logging that points to a possible problem?
If SecurityComplianceCenter doesn't show up in the inputs config it might be that your Azure app is not set up correctly.
There's nothing obviously wrong in _internal for sourcetype="ms:o365:jobinsight:account".
The Azure app permissions look correct - everything is checked except DLP.
All of the sourcetypes supported are listed in a table here: http://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/About. Once the Compliance center logs are added, it should be listed there.
Splunk support have confirmed this is coming in a future version of the add-on.