
Splunk Add-on for Microsoft Cloud Services: How do I configure inputs.conf to have Security and Compliance Center events show?

Path Finder

We have the Splunk Add-on for Microsoft Cloud Services up and running fine but we don't seem to have any events for the SecurityComplianceCenter workload. These should be available according to https://msdn.microsoft.com/en-us/office-365/office-365-management-activity-api-schema

The 365 input is configured with:

Data: Service Status/3600,Operational Message/3600,Exchange Online Audit/3600,Sharepoint Online Audit/3600,Azure AD Audit/3600

So I guess that might be the reason.

Has anyone got SecurityComplianceCenter events and if so, what does your inputs data stanza look like?

Thanks!

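One way to check where the gap is before blaming the add-on is to compare the workloads that the Management Activity API actually returns against the content types the input is configured to pull. The script below is an added example, not code from this thread or from the Splunk add-on. It parses the `Data` setting quoted above, reads a constructed sample of API audit records (only the `Workload`, `RecordType`, `Operation` and `CreationTime` fields of the common schema are used, and the values are made up), and reports any workload present in the feed that no configured input covers. The mapping from the add-on's `Data` names to API `Workload` values (`DATA_NAME_TO_WORKLOAD`) is an assumption for illustration, not taken from the add-on's documentation.

```python
import json
from collections import Counter

# The "Data" setting exactly as quoted in the question.
DATA_SETTING = ("Service Status/3600,Operational Message/3600,"
                "Exchange Online Audit/3600,Sharepoint Online Audit/3600,"
                "Azure AD Audit/3600")

# Assumed mapping from add-on "Data" names to the API's Workload values.
# Non-audit entries (Service Status, Operational Message) map to nothing.
DATA_NAME_TO_WORKLOAD = {
    "Exchange Online Audit": "Exchange",
    "Sharepoint Online Audit": "SharePoint",
    "Azure AD Audit": "AzureActiveDirectory",
}

# Constructed sample of Management Activity API audit records; the ids,
# times and operations are invented and only the common-schema fields
# needed by this check are present.
SAMPLE_RECORDS = json.dumps([
    {"Id": "c0000000-0000-0000-0000-000000000001", "RecordType": 1,
     "CreationTime": "2018-01-01T00:00:01", "Operation": "MailboxLogin",
     "Workload": "Exchange"},
    {"Id": "c0000000-0000-0000-0000-000000000002", "RecordType": 4,
     "CreationTime": "2018-01-01T00:00:02", "Operation": "FileAccessed",
     "Workload": "SharePoint"},
    {"Id": "c0000000-0000-0000-0000-000000000003", "RecordType": 15,
     "CreationTime": "2018-01-01T00:00:03", "Operation": "UserLoggedIn",
     "Workload": "AzureActiveDirectory"},
    {"Id": "c0000000-0000-0000-0000-000000000004", "RecordType": 18,
     "CreationTime": "2018-01-01T00:00:04",
     "Operation": "New-ComplianceSearch",
     "Workload": "SecurityComplianceCenter"},
])


def parse_data_setting(setting):
    """Split 'Name/interval,Name/interval,...' into {name: interval_seconds}."""
    result = {}
    for item in setting.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, interval = item.rpartition("/")
        result[name] = int(interval)
    return result


def configured_workloads(setting):
    """API workloads covered by the configured Data entries (per the assumed map)."""
    names = parse_data_setting(setting)
    return {DATA_NAME_TO_WORKLOAD[n] for n in names if n in DATA_NAME_TO_WORKLOAD}


def workload_counts(records_json):
    """Count audit records per Workload in a JSON array of API records."""
    records = json.loads(records_json)
    return Counter(r.get("Workload", "<missing>") for r in records)


def unconfigured_workloads(setting, records_json):
    """Workloads the API returned that no configured input would collect."""
    seen = set(workload_counts(records_json))
    seen.discard("<missing>")
    return seen - configured_workloads(setting)


def main():
    counts = workload_counts(SAMPLE_RECORDS)
    for workload, n in sorted(counts.items()):
        print(f"{workload:28s} {n} record(s) in feed")
    gap = unconfigured_workloads(DATA_SETTING, SAMPLE_RECORDS)
    if gap:
        print("Present in feed but not covered by any configured input:",
              ", ".join(sorted(gap)))
    else:
        print("Every workload in the feed is covered by a configured input.")


if __name__ == "__main__":
    main()
```

If the API feed shows `SecurityComplianceCenter` records but the input's `Data` list has no entry that maps to them, the problem is on the collection side rather than in the Azure app registration; if the feed itself has none, check the app's API permissions first.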

Path Finder

Splunk support have confirmed this is coming in a future version of the add-on.

Path Finder

Any updates on this?


Path Finder

OK thanks for posting! Good to know.


Path Finder

Got any _internal logging that points to a possible problem?

If SecurityComplianceCenter doesn't show up in the inputs config, it might be that your Azure app is not set up correctly.


Splunk Employee

All of the supported sourcetypes are listed in a table here: http://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/About. Once the Compliance Center logs are added, they should be listed there.


Path Finder

There's nothing obviously wrong in _internal for sourcetype="ms:o365:jobinsight:account".

The Azure app permissions look correct: everything is checked except DLP.
