The API used to collect the data has an issue with using a date/time filter ( https://techcommunity.microsoft.com/t5/Azure/Azure-REST-API-filter-param-for-time-delta-throws-ProviderError/m-p/748451 ). So, there isn't a working way to ask the API for only new data. We're looking at a different way to throw away duplicate data on the add-on side before sending it to the index in a future release. For now, we'll need to rely on deduplication on the search side. ... View more

Yes, this add-on pulls in the same Event Hub data (Activity Log and Diagnostic Logs) as the Azure Monitor add-on. The setup experience in the MS Azure Add-on for Splunk is simplified as well - all you need is the Event Hub connection string and the name of the Event Hub you want to query. You don't need a key vault or service principal. Also, this add-on collects metrics from the same place the Azure Monitor add-on uses ( https://docs.microsoft.com/en-us/azure/azure-monitor/platform/metrics-supported ). ... View more

Do you see anything in _internal for the add-on using the following search? index=_internal sourcetype="ta:ms:aad:log" source=*hub* ... View more

It's mainly the inputs. The Splunk Add-on for Microsoft Cloud Services (MSCS) collects 5 main things: Activity (a.k.a. Audit) logs - meaning who did what and when. The MSCS add-on does this via a REST API. Generic data stored in an Azure Table Generic data stored in an Azure Blob Azure Resources (VMs and VNETs mainly) Azure Virtual Machine Metrics (Via an Azure Storage Table) The Microsoft Azure Add-on for Splunk has 15 inputs. I won't list them all, but here are are a few: Generic Event Hub reader - there can be some overlap here with the MSCS add-on since Activity Logs can be sent to an Event Hub Azure AD collection - users, sign-ins, changes Billing and consumption data Azure Security Center alerts and tasks A more detailed rundown of the add-ons can be found here -> http://bit.ly/Splunk_Azure_Add-ons ... View more

Yes, you can get data from multiple subscriptions. Here's how: Grant your Azure AD application registration Reader access to your subscriptions. If you are using the Topology input, you will need to grant Network Contributor access. For more information about required permissions, see this spreadsheet -> http://bit.ly/Splunk_Azure_Permissions Create a new input in the add-on and supply the tenant ID and subscription ID. ... View more

For the Office 365 add-on, you will need to configure one input per content type. It sounds like you only have an input for Audit.AzureActiveDirectory ... View more

Yes. Here's how: Install the Azure Monitor Add-on https://github.com/Microsoft/AzureMonitorAddonForSplunk/wiki (don't forget to get the node.js and Python dependencies) Setup all your Azure stuff (Event Hubs, Azure AD applications, Key Vault, SPNs) Easy way = run a script -> https://github.com/microsoft/AzureMonitorAddonForSplunk/tree/master/scripts Manual way = https://www.splunk.com/blog/2018/04/20/splunking-microsoft-azure-monitor-data-part-1-azure-setup.html Send your Azure AD sign-in and audit logs to an Event Hub Modify your hubs.json file in the add-on -> https://github.com/microsoft/AzureMonitorAddonForSplunk/wiki/Configuration-of-Splunk#hubsjson Basically, after you enable the Azure AD logs going to an event hub, check the event hubs in the Azure portal for the name of the actual hub(s). It will be something like insights-logs-signinlogs and insights-logs-auditlogs Setup and Azure Monitor Diagnostic Logs input on the Splunk instance where you installed the Azure Monitor add-on Done ... View more

This looks to be an error retrieving the checkpoint data. The checkpoint contains the timestamp of the last Azure AD event read to use as a starting point for the next query. Try the following search to see what data is in the checkpoint: | inputlookup AAD_checkpoint_lookup | eval key=_key Another thing to try is disabling your input(s) and creating a new one with the start date/time specified. This will create a new checkpoint entry. ... View more