Configure Microsoft Entra ID Metadata inputs for the Splunk Add-on for Microsoft Office 365

Description: Metadata events for supported Microsoft Entra ID types.

Prerequisites: Before you enable inputs, complete the previous steps in the configuration process:

Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web (recommended) or using the configuration files.

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. In the Splunk Add-on for Microsoft Office 365, click Inputs > Create New Input > Microsoft Entra ID Metadata.
  2. Enter the parameter values using information provided in the input parameter table below.
  3. Click Add.
  4. Verify that data is successfully arriving by running the following search on your search head:

Splunk Search

sourcetype=o365:metadata

If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully.

Configure inputs in the configuration files

Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. Create $SPLUNK_HOME/etc/apps/Splunk_ta_o365/local/inputs.conf.
  2. Add the following stanza:

     [splunk_ta_o365_microsoft_entra_id_metadata://<ms_entra_id_metadata_input_name>]
     tenant_name = <value>
     entra_id_type = <value>
     sourcetype = <value>
     query_parameters = <value>
     index = <value>
     interval = <value>

  3. (Optional) Configure a custom index.
  4. Restart your Splunk platform instance.
  5. Verify that data is successfully arriving by running the following search on your search head:

Splunk Search

sourcetype=o365:metadata

If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully.

Input Parameters

Each attribute in the following table corresponds to a field in Splunk Web.

Input name / Corresponding field in Splunk Web / Description

ms_entra_id_metadata_input_name (Splunk Web field: Input Name)
    A unique name for your input.

tenant_name (Splunk Web field: Tenant Name)
    The Microsoft Office 365 account from which you want to gather data.

entra_id_type (Splunk Web field: Microsoft Entra ID Type)
    The Microsoft Entra ID type for which you want to collect metadata. Supported Microsoft Entra ID types are:
      • Users
      • Groups
      • Applications
      • Devices
    Multiple Microsoft Entra ID types can be selected in a single input.

sourcetype (Splunk Web field: Sourcetype)
    The sourcetype under which the metadata is collected. The default value is o365:metadata. If multiple Entra ID types are configured in a single input, you can filter the events by source for a particular Entra ID type.

query_parameters (Splunk Web field: Query Parameters)
    Query filters applied when retrieving events from the API. If you want to use a type-specific query parameter, select a single Microsoft Entra ID type in the input, because that parameter might not be supported for all Microsoft Entra ID types.

index (Splunk Web field: Index)
    The index in which the Microsoft Entra ID metadata is stored. The default is main.

interval (Splunk Web field: Interval (seconds))
    Rerun the input after the defined number of seconds. The default value is 86400.
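The following is an added example, not code from the Splunk Add-on for Microsoft Office 365: a small lint that reads the Microsoft Entra ID Metadata stanzas from an inputs.conf (the stanza format from the configuration-file procedure above) and checks them against the parameter rules in this table before you restart the instance, including the caveat that type-specific query parameters need a single Entra ID type. It assumes tenant_name and entra_id_type are required (no defaults are documented for them), that multiple Entra ID types are written comma-separated, and the sample query_parameters value is constructed, not a documented filter syntax.

```python
"""Added example (not part of the Splunk Add-on for Microsoft Office 365): lint the
Microsoft Entra ID Metadata stanzas in inputs.conf before restarting Splunk.
Assumptions: tenant_name and entra_id_type are required (no defaults are documented),
and multiple Entra ID types are written comma-separated."""
import configparser

STANZA_PREFIX = "splunk_ta_o365_microsoft_entra_id_metadata://"
SUPPORTED_TYPES = {"Users", "Groups", "Applications", "Devices"}
DEFAULTS = {"sourcetype": "o365:metadata", "index": "main", "interval": "86400"}


def lint_inputs_conf(conf_text: str) -> dict:
    """Return {input_name: [finding, ...]}; an empty list means the stanza passes."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' may appear in filters
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith(STANZA_PREFIX):
            continue  # other add-on inputs are out of scope here
        stanza = {**DEFAULTS, **dict(cp[section])}
        findings = []
        for key in ("tenant_name", "entra_id_type"):
            if not stanza.get(key):
                findings.append(f"{key} is required but missing")
        # One or more of the documented types (assumed comma-separated)
        types = [t.strip() for t in stanza.get("entra_id_type", "").split(",") if t.strip()]
        findings += [f"unsupported entra_id_type {t!r}" for t in types if t not in SUPPORTED_TYPES]
        # Documented caveat: type-specific query parameters need a single type per input
        if stanza.get("query_parameters") and len(types) > 1:
            findings.append("query_parameters set with multiple Entra ID types; use one type per input")
        # interval is a rerun period in seconds, so it must be a positive integer
        if not stanza["interval"].isdigit() or int(stanza["interval"]) <= 0:
            findings.append(f"interval must be a positive integer, got {stanza['interval']!r}")
        report[section[len(STANZA_PREFIX):]] = findings
    return report


# Constructed sample: one good stanza and one that trips three rules.
SAMPLE_CONF = """\
[splunk_ta_o365_microsoft_entra_id_metadata://entra_users_daily]
tenant_name = contoso_tenant
entra_id_type = Users
index = o365_metadata
interval = 86400

[splunk_ta_o365_microsoft_entra_id_metadata://entra_all_filtered]
tenant_name = contoso_tenant
entra_id_type = Users, Groups, Printers
query_parameters = $filter=accountEnabled eq true
interval = 0
"""
```

Run lint_inputs_conf on the contents of your local/inputs.conf; the first sample stanza returns no findings, the second reports the unsupported type, the multi-type query_parameters caveat and the non-positive interval.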