With this add-on will I be able to see user login activity with source IP, etc.? I want to be able to monitor when and from where (especially by Country) user accounts are logging in.
Splunk 7.3 Enterprise, on-prem, O365 tenant(s), No Azure AD
Correction to my post - we do have AzureAD.
The answer is yes, you get ClientIP and can iplocation that value to get Country.
Following the steps was fairly straightforward, but the documentation is a bit behind the current interface, meaning the specific steps and screenshots don't always match (Microsoft).
One more catch - the Splunk input setup may not allow you to select the index you want to use; I just edited the inputs.conf file for what I wanted.
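The ClientIP-to-Country lookup described in the answer above, written out as a search. This is an added example, not part of the original posts. It assumes the events are in a placeholder index named `o365` with sourcetype `o365:management:activity`, and that they carry the Office 365 audit fields `Operation` and `UserId`; adjust these to match your input.

```spl
index=o365 sourcetype="o365:management:activity" Operation=UserLoggedIn `comment("index and sourcetype are assumptions; use the values from your inputs.conf")`
| rex field=ClientIP "^(?<ipv4>\d{1,3}(?:\.\d{1,3}){3})" `comment("keep only the address if an IPv4 value arrives with a port suffix")`
| eval src_ip=coalesce(ipv4, ClientIP)
| iplocation src_ip
| eval Country=if(isnull(Country) OR Country="", "unknown", Country) `comment("private or unmapped addresses return no Country")`
| stats count AS logins, earliest(_time) AS first_seen, latest(_time) AS last_seen, values(src_ip) AS source_ips BY UserId, Country
| eventstats dc(Country) AS countries_for_user BY UserId
| convert ctime(first_seen) ctime(last_seen)
| sort -countries_for_user, UserId, -logins
```

Accounts that log in from more than one country sort to the top; adding `| where countries_for_user > 1` narrows the result to those accounts.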