Hello everyone, we are trying to get Azure Information Protection data into Splunk. Specifically, we need insight into which users use Azure Information Protection to classify files. I really don't have any experience with Azure and Microsoft Cloud, and from my research I've found some add-ons, but I don't know whether they are useful or not:

- Splunk add-on for Microsoft Graph API: this seems to import only security alerts, including those related to AIP.
- Splunk add-on for Microsoft Cloud Services: it allows pulling data directly from Azure assets, but I don't know whether AIP data is within its scope.
- Microsoft Azure add-on for Splunk: it allows collection of a large range of information, but the same question applies as in the previous point.

Can you help me clear my mind about this variety of add-ons and see whether one of them (or maybe another one that I forgot to mention) is suitable for our needs? Thank you so much.
Same problem for me. I need to populate some alerts with the info generated by the whois command, but considering that the command "| whois xxx.xxx.xxx.xxx" must be inserted as the first command, I opted for the whois lookup. However, when using "... | lookup whois host as <my_field_containing_ip_addr> ..." it shows only blank columns. This makes me think that the "whois" lookup is empty, and indeed with "| inputlookup whois" the result is empty... Hoping someone can help with this.