Why is the "Application Name" field available in Azure AD but not in the logs ingested into Splunk?

anandhalagaras1

Hi Team,

We have recently configured and ingested the Azure Active Directory logs into Splunk. For this we installed the "Splunk Add-on for Microsoft Office 365" on our Heavy Forwarder server and followed the documentation process below as provided.
https://blog.avotrix.com/to-collect-ad-azure-logs-to-splunk/

In our add-on we have provided the tenant details, i.e. Tenant ID and Client ID, after which I created the inputs --> Add Inputs "Management Activity", provided the requested details and saved it.

Then the logs were getting ingested into Splunk as desired, and we are getting the relevant fields with the required data as well.


But one important field is missing: "Application Name". We want the Application Name field, showing which application the user logged on to, as it would be really helpful for analysis. The field is available in Azure AD but not in the logs ingested into Splunk.

We can see that the fields below are getting extracted, but not the "Application Name" field; moreover, the field is not present in the raw logs either. So how can we get that field ingested into Splunk as well?

Sample list of fields which are getting extracted automatically:
ActorContextId
ActorIpAddress
Actor{}.ID
Actor{}.Type
ApplicationId
AzureActiveDirectoryEventType
ClientIP
CreationTime
DeviceProperties{}.Name
DeviceProperties{}.Value
ErrorNumber
ExtendedProperties{}.Name
ExtendedProperties{}.Value
Id
InterSystemsId
IntraSystemId
LogonError
ModifiedProperties{}.Name
ModifiedProperties{}.NewValue
ModifiedProperties{}.OldValue
ObjectId
Operation


So kindly help to check how to extract the Application Name field.
