Configure Azure Active Directory Audit inputs for the Splunk Add on for Microsoft Azure - splunk/splunk-add-on-microsoft-azure GitHub Wiki
Note
Azure Active Directory has been renamed to Microsoft Entra ID.
Before you enable inputs, complete the previous steps in the configuration process:
- Create an Azure AD App Registration
- Connect to your Azure Account with Splunk Add-on for Microsoft Azure
Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice, or by using the configuration files.
Azure Active Directory (Azure AD) audit log.
The Azure Active Directory audit log includes changes within Azure Active Directory including users, groups, apps, devices, password management (self-service password reset), privileged identity management (PIM), etc.
| API | Permissions | Notes |
|---|---|---|
| Microsoft Graph | (Application) AuditLog.Read.All and Directory.Read.All
|
This API has a known issue and currently requires consent to both the AuditLog.Read.All and Directory.Read.All permissions. |
Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
- In the Splunk Add-on for Microsoft Azure, click Inputs.
- Click Create New Input and then select Azure Active Directory Audit.
- Enter the Name, Interval, Index, Azure App Account, Tenant ID, Environment, and other parameters using the information in the input parameter table below.
Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
- Create or modify a file named
inputs.confunder$SPLUNK_HOME/etc/apps/TA-MS-AAD/local. - Add the following stanza:
[MS_AAD_audit://<input_stanza_name>]
audit_sourcetype = <value>
azure_app_account = <value>
endpoint = <value>
environment = <value>
index = <value>
interval = <value>
query_backoff_throttle = <value>
query_window_size = <value>
tenant_id = <value>
- Save and restart the Splunk platform.
Verify that the value listed for
azure_app_accountmatches the account entry inta_ms_aad_account.conf.
Each attribute in the following table corresponds to a field in Splunk Web.
| Attribute | Corresponding field in Splunk Web | Description |
|---|---|---|
[MS_AAD_audit://input_stanza_name] |
Name | A friendly name for your input. |
azure_app_account |
Azure Account | The Azure App account from which you want to gather data. |
endpoint |
Endpoint | The Microsoft Graph endpoint used to retrieve data. Valid options are v1.0 and beta
|
environment |
Environment | The Azure environment. Valid options are public and gov. |
tenant_id |
Tenant ID | The Azure Active Directory Tenant ID (a.k.a. Directory ID) |
query_backoff_throttle |
Query Backoff Throttle | Advanced: number of seconds to subtract from the end date of the query. This helps accommodate near real-time events toward the end of a query that may arrive non sequentially. |
query_window_size |
Query Limit (optional) | The maximum number of minutes used for the query range. This is useful for retrieving older data. Use this setting with caution. Specify '0' to disable. |
audit_sourcetype |
Audit Sourcetype | The sourcetype to use for this input. |
start_date |
Start Date | The add-on starts collecting data with a date later than this time. The format is YYYY-mm-ddTHH:MM:SSZ and the default is 7 days in the past. |
interval |
Interval | The number of seconds to wait before the Splunk platform runs the command again. |
index |
Index | The index in which to store Azure data. |
