Configure Management Activity inputs for the Splunk Add-on for Microsoft Office 365¶
Description: All audit events visible through the Office 365 Management Activity API.
The following content types are supported for the Management Activity input:
- Audit.AzureActiveDirectory: The audit logs for Microsoft Azure Active Directory
- Audit.Exchange: The audit logs for Microsoft Exchange
- Audit.SharePoint: The audit logs for Microsoft SharePoint
- Audit.General: The general audit logs for Microsoft Office 365
- DLP.All: All Data Loss Prevention (DLP) events
Note
Version 4.3.0 and higher is expected to have around 1% of event duplication for the Management Activity input in the Splunk platform due to duplicate events from the Microsoft API.
Note
Versions 4.2.0 and higher of the Splunk Add-on for Microsoft Office 365 contain changes to the checkpoint mechanism for the Management Activity input. See the upgrade steps in this manual for more information.
Note
- To collect audit logs for mailbox access from Exchange Online, turn on mailbox audit logging in Office 365; the page assumes it is not enabled by default for your tenant.
- When you configure an input for a content type (such as Audit.Exchange, Audit.SharePoint or Audit.AzureActiveDirectory) for the first time, the add-on starts a subscription for that content type on the Microsoft side. It can take up to 12 hours for the first content blobs to become available for that subscription.
- Microsoft retains historical content for 7 days, so a start date/time more than 7 days in the past cannot be backfilled.
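The three notes above describe the feed the input polls: a subscription per content type, content blobs that appear after a delay and are kept for 7 days, and a small fraction of duplicated events. The following Python is an added example (not code from the Splunk add-on or from Microsoft) that makes those rules concrete: it clamps a requested start time to the retention period, splits the remaining range into listing windows, builds the content-listing URLs, and removes duplicate audit records by their Id. The 24-hour maximum listing window, the URL layout and the field names in the sample blobs are assumptions taken from the public Management Activity API documentation, not from this page; the sample blobs are constructed.

```python
import json
from datetime import datetime, timedelta

RETENTION = timedelta(days=7)     # the page: historical content is kept for 7 days
MAX_WINDOW = timedelta(hours=24)  # assumption: one listing call may span at most 24 hours
SUPPORTED_CONTENT_TYPES = {
    "Audit.AzureActiveDirectory", "Audit.Exchange", "Audit.SharePoint",
    "Audit.General", "DLP.All",
}
# Assumed base of the Management Activity API feed endpoints (not stated on this page).
FEED = "https://manage.office.com/api/v1.0/{tenant}/activity/feed"


def listing_windows(start, now):
    """Split [start, now) into windows of at most MAX_WINDOW.

    A start older than RETENTION is moved forward to now - RETENTION, because
    Microsoft no longer serves content blobs from before that point.
    """
    windows = []
    cursor = max(start, now - RETENTION)
    while cursor < now:
        end = min(cursor + MAX_WINDOW, now)
        windows.append((cursor, end))
        cursor = end
    return windows


def content_listing_urls(tenant_id, content_type, start, now):
    """One /subscriptions/content URL per listing window for a subscribed content type."""
    if content_type not in SUPPORTED_CONTENT_TYPES:
        raise ValueError(f"unsupported content type: {content_type}")
    fmt = "%Y-%m-%dT%H:%M"  # assumed timestamp form accepted by the API
    base = FEED.format(tenant=tenant_id)
    return [
        f"{base}/subscriptions/content?contentType={content_type}"
        f"&startTime={s.strftime(fmt)}&endTime={e.strftime(fmt)}"
        for s, e in listing_windows(start, now)
    ]


# Constructed sample: two content blobs (JSON arrays of audit records). Record "2"
# is returned in both blobs, the kind of duplication the note above describes.
SAMPLE_BLOBS = [
    json.dumps([
        {"Id": "1", "CreationTime": "2024-05-10T08:00:00", "Workload": "Exchange",
         "Operation": "MailItemsAccessed", "UserId": "alice@contoso.example"},
        {"Id": "2", "CreationTime": "2024-05-10T08:05:00", "Workload": "Exchange",
         "Operation": "Set-Mailbox", "UserId": "admin@contoso.example"},
    ]),
    json.dumps([
        {"Id": "2", "CreationTime": "2024-05-10T08:05:00", "Workload": "Exchange",
         "Operation": "Set-Mailbox", "UserId": "admin@contoso.example"},
        {"Id": "3", "CreationTime": "2024-05-10T08:09:00", "Workload": "Exchange",
         "Operation": "MailboxLogin", "UserId": "bob@contoso.example"},
    ]),
]


def dedupe_records(blobs):
    """Merge the records of several blobs, keeping the first copy of each Id."""
    seen, records = set(), []
    for blob in blobs:
        for rec in json.loads(blob):
            if rec["Id"] not in seen:
                seen.add(rec["Id"])
                records.append(rec)
    return records


if __name__ == "__main__":
    now = datetime(2024, 5, 10, 12, 0)
    # A start 10 days back is clamped to 7 days and yields seven 24-hour windows.
    for url in content_listing_urls("contoso-tenant-id", "Audit.Exchange",
                                    now - timedelta(days=10), now):
        print(url)
    print([r["Id"] for r in dedupe_records(SAMPLE_BLOBS)])
```

In Splunk the same deduplication can be approximated at search time with `| dedup Id` over `sourcetype=o365:management:activity`; deduplicating by Id rather than by raw event text is what makes the ~1% duplicate rate harmless for detections that count events.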
Prerequisites: Before you enable inputs, complete the previous steps in the configuration process:
- Configure an integration application in Microsoft Entra ID (Azure AD) for the Splunk Add-on for Microsoft Office 365
- Configure a Tenant in the Splunk Add-on for Microsoft Office 365
Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web (recommended) or using the configuration files.
Configure inputs using Splunk Web¶
Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
- In the Splunk Add-on for Microsoft Office 365, click Inputs > Create New Input > Management Activity.
- Enter the Input Name, Tenant Name, Content Type, Start date/time and Index using information in the following input parameter table.
- Click Add.
- Verify that data is successfully arriving by running the following search on your search head:
Splunk Search
sourcetype=o365:management:activity
If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully.
Configure inputs in the configuration files¶
Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
- Create $SPLUNK_HOME/etc/apps/Splunk_ta_o365/local/inputs.conf.
- Add the following stanza:
[splunk_ta_o365_management_activity://<management_input_name>]
tenant_name = <value>
interval = <value>
index = <value>
content_type = <value>
start_date_time = <value>
- (Optional) Configure a custom index.
- Restart your Splunk platform instance.
- Verify that data is successfully arriving by running the following search on your search head:
Splunk Search
sourcetype=o365:management:activity
If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully.
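Whether you create the input in Splunk Web or by hand in inputs.conf, a typo in the stanza is only discovered after the restart, when no events arrive. The following Python is an added example (not part of the Splunk add-on) that checks a local inputs.conf against the rules on this page before you restart: every Management Activity stanza has the keys from the stanza template, content_type is one of the five supported values spelled exactly as listed, and start_date_time, when present, has the expected form. The sample file is constructed; the assumptions are that interval is a number of seconds and that start_date_time is written as YYYY-MM-DDThh:mm:ss, which this page does not state.

```python
import configparser
from datetime import datetime

STANZA_PREFIX = "splunk_ta_o365_management_activity://"
SUPPORTED_CONTENT_TYPES = {
    "Audit.AzureActiveDirectory", "Audit.Exchange", "Audit.SharePoint",
    "Audit.General", "DLP.All",
}
# Keys from the stanza template on this page; start_date_time is optional.
REQUIRED_KEYS = ("tenant_name", "interval", "index", "content_type")
START_FORMAT = "%Y-%m-%dT%H:%M:%S"  # assumption: form used for start_date_time

# Constructed sample of $SPLUNK_HOME/etc/apps/Splunk_ta_o365/local/inputs.conf.
# The first stanza is correct; the second misspells the content type; the third
# lacks the tenant, has a zero interval and a start date in the wrong form.
SAMPLE_INPUTS_CONF = """
[splunk_ta_o365_management_activity://o365_exchange_audit]
tenant_name = contoso_tenant
interval = 300
index = o365
content_type = Audit.Exchange
start_date_time = 2024-05-01T00:00:00

[splunk_ta_o365_management_activity://o365_dlp]
tenant_name = contoso_tenant
interval = 300
index = o365
content_type = DLP.all

[splunk_ta_o365_management_activity://o365_aad_bad]
interval = 0
index = o365
content_type = Audit.AzureActiveDirectory
start_date_time = 05/01/2024
"""


def check_inputs_conf(text):
    """Return {input_name: [problem, ...]} for every Management Activity stanza."""
    cp = configparser.ConfigParser(interpolation=None)  # Splunk conf files use no %-interpolation
    cp.read_string(text)
    problems = {}
    for section in cp.sections():
        if not section.startswith(STANZA_PREFIX):
            continue  # other inputs of the add-on are not covered by this check
        name = section[len(STANZA_PREFIX):]
        errs = []
        for key in REQUIRED_KEYS:
            if not cp.get(section, key, fallback="").strip():
                errs.append(f"missing {key}")
        ct = cp.get(section, "content_type", fallback="")
        if ct and ct not in SUPPORTED_CONTENT_TYPES:
            errs.append(f"unsupported content_type {ct!r}")
        iv = cp.get(section, "interval", fallback="")
        # Cron-style schedules are not handled here; only plain seconds are accepted.
        if iv and not (iv.isdigit() and int(iv) > 0):
            errs.append("interval must be a positive integer (seconds)")
        sdt = cp.get(section, "start_date_time", fallback="")
        if sdt:
            try:
                datetime.strptime(sdt, START_FORMAT)
            except ValueError:
                errs.append(f"start_date_time {sdt!r} is not YYYY-MM-DDThh:mm:ss")
        problems[name] = errs
    return problems


if __name__ == "__main__":
    for name, errs in check_inputs_conf(SAMPLE_INPUTS_CONF).items():
        print(name, "OK" if not errs else "; ".join(errs))
```

Run it against the real file with `check_inputs_conf(open(path).read())` before restarting; a stanza that passes but still produces no events points at the tenant or application configuration rather than the input itself, which is where the Troubleshooting tab helps.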
Input Parameters¶
Each attribute in the following table corresponds to a field in Splunk Web.
Input Name | Corresponding field in Splunk Web | Description |
---|---|---|
management_input_name | Input Name | A unique name for your input. |
tenant_name | Tenant Name | The Microsoft Office 365 tenant, as configured in the add-on, from which you want to gather data. |
content_type | Content type | The content type of the Management Activity API from which data is fetched. One of the supported content types listed above. |
start_date_time | Start date/time | How far back to go when initially collecting data. This parameter is optional; if no date/time is given, the input starts 4 hours in the past. |
index | Index | The index in which the Microsoft Office 365 data is stored. The default is main. |