Splunk Search

o365 admin center workload


Hi guys,

I'm trying to create a search that triggers an alert every time a user has been signed out of their o365 session, however, I am unable to identify which is the correct workload.

I'd like to clarify that I currently do not have access to the o365 splunk add-on (and it probably won't be installed anytime soon). Which workload do I need to use if I need to identify activity performed in the o365 admin portal?

I initially thought it would be index=o365 sourcetype=o365:management:activity Workload=SecurityComplianceCenter but it doesn't seem to show me anything related to sessions that have been signed out.

Any useful feedback would be much appreciated.



Labels (1)
Tags (3)
0 Karma
Get Updates on the Splunk Community!

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...