My company is transitioning from an on-premise MFA setup within ADFS to the Azure MFA setup. What's the best approach to getting those MFA events into Splunk? Does the Splunk Addon for Microsoft Azure (splunkbase 3757) meet that goal?
The best way is to send your Microsoft Entra ID (formerly Azure AD) data to an event hub. Then, use the Splunk Add-on for Microsoft Cloud Services to ingest the data (hint: use the azure:monitor:aad sourcetype). Here's a Lantern article for setting up the add-on => https://lantern.splunk.com/Data_Descriptors/Microsoft/Getting_started_with_Microsoft_Azure_Event_Hub...
Alternatively, you can use Splunk Add-on for Microsoft Azure. Use the "Azure Active Directory Interactive Sign-ins" input to get the data. Depending on your environment size, you may hit some throttling limitations with the REST API this add-on uses => https://github.com/splunk/splunk-add-on-microsoft-azure/wiki/Configure-Azure-Active-Directory-inputs...
