Configure Audit Logs inputs for the Splunk Add-on for Microsoft Office 365
Description: List user sign-ins to an Azure tenant.
Prerequisites: Before you enable inputs, complete the previous steps in the configuration process:
- Configure an integration application in Microsoft Entra ID (Azure AD) for the Splunk Add-on for Microsoft Office 365
- Configure a Tenant in the Splunk Add-on for Microsoft Office 365
Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web (recommended) or using the configuration files.
Configure inputs using Splunk Web
Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
- In the Splunk Add-on for Microsoft Office 365, click Inputs > Create New Input > Audit Logs.
- Enter the parameter values using information provided in the input parameter table below.
- Click Add.
- Verify that data is successfully arriving by running the following search on your search head:
Splunk Search
sourcetype=o365:graph:api
If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully.
Configure inputs in the configuration files
Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
- Create $SPLUNK_HOME/etc/apps/Splunk_ta_o365/local/inputs.conf.
- Add the following stanza.
[splunk_ta_o365_graph_api://<audit_logs_input_name>]
content_type = AuditLogs.SignIns
index = <value>
interval = <value>
query_window_size = <value>
request_timeout = <value>
start_date = <value>
tenant_name = <value>
- (Optional) Configure a custom index.
- Restart your Splunk platform instance.
- Verify that data is successfully arriving by running the following search on your search head:
Splunk Search
sourcetype=o365:graph:api
If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully.
Input Parameters
Each attribute in the following table corresponds to a field in Splunk Web.
Input Name | Corresponding field in Splunk Web | Description |
---|---|---|
audit_logs_input_name | Input Name | A unique name for your input. |
tenant_name | Tenant Name | The Microsoft Office 365 account from which you want to gather data. |
content_type | Content Type | Content type for fetching Audit Logs data: AuditLogs.SignIns |
start_date | Start Date | Select a Start Date to specify how far back to go when initially collecting data. This parameter is optional. If no date is given, the input starts 1 day in the past. |
index | Index | The index in which the Audit Logs data should be stored. The default is main. |
interval | Interval (seconds) | Rerun the input after the defined value, in seconds. |
request_timeout | Request Timeout (seconds) | The maximum time (in seconds) the system waits for a request to complete before timing out. |
query_window_size | Query Window Size (minutes) | The time interval (in minutes) for each data query chunk, allowing the system to retrieve data in specified time-based segments. |