Configure Azure Active Directory inputs for the Splunk Add on for Microsoft Azure - splunk/splunk-add-on-microsoft-azure GitHub Wiki
[!NOTE]
Azure Active Directory has been renamed to Microsoft Entra ID.
Azure Active Directory Inputs
The Splunk Add-on for Microsoft Azure includes the following Azure Active Directory inputs:
- Interactive Sign-ins
- Directory Audit
- Users
- Groups
- Devices
- Identity Protection (Risky Detections & Risky Users)
Refer to the side menu for configuration details.
Azure Active Directory Input Notes
Throttling Guidance
The Azure Active Directory Sign-in and Audit inputs in this add-on utilize Azure AD activity reports available in the Microsoft Graph API. Microsoft Graph imposes service-specific limits to prevent the overuse of resources. These limits affect the scalability and throughput of the Azure Active Directory Sign-in and Audit inputs in this add-on. Refer to the identity and access reports service limits for specific imposed limits.
Identifying Throttling in your Splunk Environment
When throttling happens, an HTTP response code 429 is returned. Run the following search to determine if throttling is impacting your data ingestion:
index=_internal 429 client error
Paging
When a request is made to Microsoft Graph, only the first 1,000 records are returned. If there are more than 1,000 records available, a continuation token is returned along with the data. In this scenario, Splunk will index the 1,000 records returned and then follow the continuation token to retrieve the next 1,000 records. Each 1,000 record request counts toward the throttling limits.
Recommendation
To overcome throttling and collect non-interactive sign-in data, send Azure Active Directory Sign-in and Audit data to an Event Hub. The Splunk Add-on for Microsoft Cloud Services can be utilized to collect Event Hub data. For Splunk Cloud environments, Splunk Data Manager can be used to retrieve Azure Active Directory Sign-in and Audit data.