Microsoft Azure Active Directory Add-on for Splunk
Splunk AppInspect Passed
Overview
Details
This add-on collects sign-in, audit, and user data from Microsoft Azure Active Directory including the following:
Sign-in data
- Application targeted for sign-in
- Date/time of the sign-in
- Status of login (success/fail)
- Failure reason if applicable
- User
- Geo data like coordinates, city, state, zip
Audit activity data
- Activity
- Actor (ip address, user name)
- Targets (what was changed including old and new values)
- Tenant details
User data
- Name
- Department
- Phone numbers
- Email addresses
Sign-in data
- Application targeted for sign-in
- Date/time of the sign-in
- Status of login (success/fail)
- Failure reason if applicable
- User
- Geo data like coordinates, city, state, zip
Audit activity data
- Activity
- Actor (ip address, user name)
- Targets (what was changed including old and new values)
- Tenant details
User data
- Name
- Department
- Phone numbers
- Email addresses
Microsoft Azure Active Directory Add-on for Splunk
This add-on collects sign-in, audit, and user data from Microsoft Azure Active Directory including the following:
- Sign-in data
- Application targeted for sign-in
- Date/time of the sign-in
- Status of login (success/fail)
- Failure reason if applicable
- User
- Geo data like coordinates, city, state, zip
- Audit activity data
- Activity
- Actor (ip address, user name)
- Targets (what was changed including old and new values)
- Tenant details
- User data
- Name
- Department
- Phone numbers
- Email addresses
About
- Version: 1.2.4
- Vendor Products: Microsoft Azure Active Directory Sign-ins, Audit, and Users
- Splunk platform versions: 6.5 and later
- Platforms: Platform independent
- Visible: Yes, this add-on contains configuration
Prerequisites
- An Azure Active Directory Premium P1 or P2 edition
- Complete the prerequisites to access the Azure AD reporting API.
- After the saving the application, click the "Grant Permissions" button to complete the Azure application setup.
Required APIs and Permissions
| API | Permission |
|---|---|
| Windows Azure Active Directory | Read directory data |
| Microsoft Graph | Read all audit log data |
The Azure AD Application Registration needs to be in the Security Reader role for the subscription(s).
Installing
Where to install this add-on
Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.
This table provides a reference for installing this specific add-on to a distributed deployment of Splunk Enterprise.
| Splunk platform component | Supported | Required | Comments |
|---|---|---|---|
| Search Heads | Yes | Yes | This add-on contains search-time knowledge. It is recommended to turn visibility off on your search heads to prevent data duplication errors that can result from running inputs on your search heads instead of (or in addition to) on your data collection node. |
| Heavy Forwarders | Yes | No (but recommended) | It is recommended to install this add-on on a heavy forwarder for data collection. Data collection should be configured in only 1 place to avoid duplicates. |
| Indexers | Yes | No | Not required as the parsing operations occur on the forwarders. |
| Universal Forwarders | No | No | Universal forwarders are not supported for data collection because the modular inputs require Python and the Splunk REST handler. |
Configuration
Ensure the prerequisites are met above.
- Access Splunk Web on the node of your Splunk platform installation that collects data for this add-on.
- Launch the add-on.
- Click the Inputs menu item.
- Click Create New Input.
- (optional) Select a Start Date to specify how far back to go when initially collecting data.
- Click Save.
CIM Compliance
Version 4.12.0
- Authentication model
Release Notes
1.2.4
- Small update to ensure only HTTPS traffic is allowed (required for Splunk Cloud)
1.2.3
- Inventory (user) CIM mapping
- Bug fix: proxy issue obtaining access token
- Changed validation check for 'Start Date' parameter
1.2.2
- Added a parameter for 'query limit' to the sign-in and audit inputs.
- This parameter will limit the number of results retrieved each interval by enforcing a start and end date in the API call to Microsoft Graph. This is helpful when retrieving older data as it will limit the amount of resources consumed.
- Use this setting with caution as specifying a limit too small with result in no data collected.
- Specifying '0' will disable this limit.
1.2.1
- Added input to collect user object detail
- Added proxy support
1.1.0
- Changed the underlying data collection API to Microsoft Graph.
- Moved Client ID and Client Secret parameters to the input to better support multiple tenants.
- Added KV Store lookup to inspect input checkpoints. Use the following search:
| inputlookup AAD_checkpoint_lookup | eval key=_key
1.0.3
- Added support to pull more than 1,000 records per polling interval.
Version 1.0.0
- Initial release
Privacy
Use of this add-on is permitted subject to your obligations, including data privacy obligations, under your agreement with Splunk and Splunk's Privacy Policy.
Contributors
- Jason Conger
- Ryan Lait
- Nick Black
- Sandeep Vasani
- Nishchal Kush
Third-party software attributions
Refer to the README.md file included in this package for details.
Release Notes
Version 1.2.4
June 27, 2019
Small update to ensure only HTTPS traffic is allows (required for Splunk Cloud)