
Configure Graph Reporting inputs for the Splunk Add-on for Microsoft Office 365

Description:

Data collection from the following Microsoft Graph reporting APIs is supported.

  • Office 365 - Audit events and reports visible through the Microsoft Graph API endpoints.
    • Office365GroupsActivityDetail - Details about Microsoft 365 group activity.
    • Office365ServicesUserCounts - User counts for Microsoft 365 services.
  • OneDrive - Audit events and reports visible through the Microsoft Graph API endpoints.
    • OneDriveActivityUserCounts - Counts of OneDrive user activity.
    • OneDriveUsageAccountDetail - Details about OneDrive usage by account.
    • OneDriveUsageStorage - Details about the amount of OneDrive storage used.
  • SharePoint - Audit events and reports visible through the Microsoft Graph API endpoints.
    • SharePointSiteUsageDetail - Details about SharePoint site usage.
    • SharePointSiteUsageFileCounts - SharePoint file counts and activity.
  • Teams - Audit events and reports visible through the Microsoft Graph API endpoints.
    • TeamsUserActivityCounts - Counts of Teams user activity, broken down by activity type.
    • TeamsUserActivityUserDetail - Details about Teams activity per user.
  • Yammer - Audit events and reports visible through the Microsoft Graph API endpoints.
    • YammerGroupsActivityDetail - Details about Yammer group activity.
    • YammerGroupsActivityGroupCounts - Counts of Yammer group activity.

Note

The Start Date and Delay Throttle parameters are supported for the following content types only:

  • Office365GroupsActivityDetail
  • OneDriveUsageAccountDetail
  • SharePointSiteUsageDetail
  • TeamsUserActivityUserDetail
  • YammerGroupsActivityDetail

Prerequisites: Before you enable inputs, complete the previous steps in the configuration process.

Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web (recommended) or using the configuration files.

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. The following Graph reporting inputs can be configured from the Create New Input option.
    • MailBox
    • Office365
    • OneDrive
    • SharePoint
    • Teams
    • Yammer
  2. Enter the parameter values using information provided in the input parameter table below.
  3. Click Add.
  4. Verify that data is successfully arriving by running the following search on your search head:

Splunk Search

sourcetype=o365:graph:api

If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully.

Configure inputs in the configuration files

Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. Create $SPLUNK_HOME/etc/apps/Splunk_ta_o365/local/inputs.conf.
  2. Add the following stanza.
[splunk_ta_o365_graph_api://<reporting_input_name>]
content_type = <value>
index = <value>
delay_throttle = <value>
interval = <value>
start_date = <value>
tenant_name = <value>
  3. (Optional) Configure a custom index.
  4. Restart your Splunk platform instance.
  5. Verify that data is successfully arriving by running the following search on your search head:

Splunk Search

sourcetype=o365:graph:api

If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully.
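The following script is an added example and is not part of the add-on. It parses inputs.conf text with the standard library and checks every splunk_ta_o365_graph_api stanza against the rules stated on this page: content_type must be one of the listed report types, interval is an integer number of seconds, and start_date / delay_throttle are only supported for the five *Detail content types. The embedded inputs.conf, the tenant name contoso_tenant, the index o365 and the YYYY-MM-DD start_date format are constructed assumptions, not values from the add-on.

```python
"""Validate Graph Reporting stanzas in a Splunk_ta_o365 inputs.conf.

Added example; not the add-on's own code. Sample config and tenant/index
names are constructed for illustration.
"""
import configparser
from datetime import date

STANZA_PREFIX = "splunk_ta_o365_graph_api://"

# Report content types listed on this page.
SUPPORTED_CONTENT_TYPES = {
    "Office365GroupsActivityDetail", "Office365ServicesUserCounts",
    "OneDriveActivityUserCounts", "OneDriveUsageAccountDetail",
    "OneDriveUsageStorage", "SharePointSiteUsageDetail",
    "SharePointSiteUsageFileCounts", "TeamsUserActivityCounts",
    "TeamsUserActivityUserDetail", "YammerGroupsActivityDetail",
    "YammerGroupsActivityGroupCounts",
}

# Content types for which start_date and delay_throttle are supported (see Note).
THROTTLE_CAPABLE = {
    "Office365GroupsActivityDetail", "OneDriveUsageAccountDetail",
    "SharePointSiteUsageDetail", "TeamsUserActivityUserDetail",
    "YammerGroupsActivityDetail",
}

REQUIRED_KEYS = ("content_type", "index", "interval", "tenant_name")

# Constructed sample inputs.conf: one valid stanza, one that sets start_date on a
# content type that does not support it, and one with a non-report content type.
SAMPLE_INPUTS_CONF = """
[splunk_ta_o365_graph_api://onedrive_usage_detail]
content_type = OneDriveUsageAccountDetail
index = o365
interval = 86400
start_date = 2024-01-01
delay_throttle = 2
tenant_name = contoso_tenant

[splunk_ta_o365_graph_api://teams_activity_counts]
content_type = TeamsUserActivityCounts
index = o365
interval = 86400
start_date = 2024-01-01
tenant_name = contoso_tenant

[splunk_ta_o365_graph_api://bad_type]
content_type = AuditLogs.SignIns
index = o365
interval = abc
tenant_name = contoso_tenant
"""


def validate_stanza(name, opts):
    """Return a list of problems for one graph_api stanza (empty list means OK)."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in opts:
            problems.append(f"{name}: missing required key '{key}'")
    ctype = opts.get("content_type")
    if ctype is not None and ctype not in SUPPORTED_CONTENT_TYPES:
        problems.append(f"{name}: unsupported content_type '{ctype}'")
    if ctype in SUPPORTED_CONTENT_TYPES and ctype not in THROTTLE_CAPABLE:
        for key in ("start_date", "delay_throttle"):
            if key in opts:
                problems.append(f"{name}: '{key}' is not supported for content_type '{ctype}'")
    for key in ("interval", "delay_throttle"):
        if key in opts and not opts[key].isdigit():
            problems.append(f"{name}: {key} must be a non-negative integer")
    if "start_date" in opts:
        try:
            date.fromisoformat(opts["start_date"])  # assumed YYYY-MM-DD format
        except ValueError:
            problems.append(f"{name}: start_date is not a valid YYYY-MM-DD date")
    return problems


def validate_inputs_conf(text):
    """Parse inputs.conf text and return {stanza: [problems]} for graph_api stanzas."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    results = {}
    for section in parser.sections():
        if section.startswith(STANZA_PREFIX):  # ignore other add-on input types
            results[section] = validate_stanza(section, dict(parser[section]))
    return results


if __name__ == "__main__":
    for stanza, problems in validate_inputs_conf(SAMPLE_INPUTS_CONF).items():
        print(stanza, "OK" if not problems else "")
        for p in problems:
            print("  ", p)
```

To check a real deployment, read $SPLUNK_HOME/etc/apps/Splunk_ta_o365/local/inputs.conf into validate_inputs_conf() before restarting the forwarder; a stanza that sets start_date or delay_throttle on a non-Detail content type is flagged, which is a common reason an input appears configured but the parameters have no effect.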

Input Parameters

Each attribute in the following table corresponds to a field in Splunk Web.

Input name | Corresponding field in Splunk Web | Description
reporting_input_name | Input Name | A unique name for your input.
tenant_name | Tenant Name | The Microsoft Office 365 account (tenant) from which you want to gather data.
content_type | Content Type | The report to collect. One of the content types listed in the Description above, for example OneDriveUsageAccountDetail.
start_date | Start Date | How far back to go when initially collecting data. Optional; if no date is given, the input starts 7 days in the past. Supported only for the Detail content types listed in the Note above.
delay_throttle | Delay Throttle (In Days) | The number of days by which collection lags behind the current date. Microsoft generally reports events with a delay of at least 2 days, so data newer than that is likely to be incomplete. Supported only for the Detail content types listed in the Note above.
index | Index | The index in which the reporting data should be stored. The default is main.
interval | Interval (seconds) | Rerun the input after the defined value, in seconds.