Splunk® Supported Add-ons

Splunk Add-on for Microsoft Office 365

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Configure Inputs for the Splunk Add-on for Microsoft Office 365

Prerequisites: Before you enable inputs, complete the previous steps in the configuration process:

Configure your inputs using Splunk Web on the Splunk platform instance that you have designated as your configuration server for this add-on.

  1. Go to the Splunk Web home screen.
  2. Click on Splunk Add-on for Microsoft Office 365 in the left navigation banner.
  3. Click on the Inputs tab.
  4. Click Create New Input.
  5. Select the input type you want to create.
    • Management Activity - All audit events visible through the Office 365 Management Activity API.
      • Audit.AzureActiveDirectory - the audit logs for Microsoft Azure Active Directory
      • Audit.Exchange - the audit logs for Microsoft Exchange
      • Audit.SharePoint - the audit logs for Microsoft SharePoint
      • Audit.General - the general audit logs for Microsoft Office 365
      • DLP.All - all log information for DLP
    • Service Health & Communications - Access the health status and message center posts.
      • ServiceHealth.Read.All - Provides the health information of a specified service for a tenant.
      • ServiceMessage.Read.All - Provides the message information of a specified service for a tenant.
    • Mailbox - Audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.
      • MailboxUsageDetail - Lists details about mailbox usage.
      • MailboxUsageMailboxCounts - List details about active mailbox counts.
    • Office 365 - Audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.
      • Office365GroupsActivityDetail - List details about group activity details.
      • Office365ServicesUserCounts - List details about Microsoft 365 Services counts.
    • One Drive - Audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.
      • OneDriveActivityUserCounts - List details about OneDrive user activity.
      • OneDriveUsageAccountDetail - List details about OneDrive usage by account.
      • OneDriveUsageStorage - List details regarding the amount of OneDrive storage.
    • Share Point - Audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.
      • SharePointSiteUsageDetail - List details about SharePoint site usage.
      • SharePointSiteUsageFileCounts - List details about SharePoint file counts and activity.
    • Teams - Audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.
      • TeamsUserActivityCounts - List details about the number of Teams active by activity.
      • TeamsUserActivityUserDetail - List details about Teams user activity.
    • Yammer - Audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.
      • YammerGroupsActivityDetail - List details about Yammer Group activity.
      • YammerGroupsActivityGroupCounts - List details about Yammer group activity.
    • Audit Logs - Audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.
      • AuditLogs.SignIns - List user sign-ins to an Azure tenant.
    • Cloud Application Security - All service policies, alerts and entities visible through the Microsoft Cloud Application Security portal.
      • Policies - Lists threat protection policy information.
      • Alerts - Lists information about risks identified.
      • Cloud Discovery Entities - Lists information about accounts and users of cloud apps.
      • Files - Lists information about files and folders metadata.

      The retention period for historical data is 7 days.

  6. Fill in the required fields.
  7. Click Add. The Splunk Add-on for Microsoft Office 365 saves your input settings and divides up the data collection tasks included in the input evenly among all the forwarders that you have specified in the Forwarders tab on the Configuration page.
  8. Verify that data is successfully arriving by running one of the following searches on your search head depending on which input type you have defined:

    sourcetype=o365:cas:api

    sourcetype=o365:graph:api

    sourcetype=o365:management:activity

    sourcetype=o365:service:healthIssue

    sourcetype=o365:service:updateMessage

    sourcetype=splunk:ta:o365:log

    If you do not see any events, check the Troubleshooting tab on your configuration server instance to verify that your accounts, forwarders, and inputs are all configured successfully. See also: Troubleshooting the Splunk Add-on for Microsoft Office 365.
Last modified on 20 February, 2024
PREVIOUS
Configure a Tenant in the Splunk Add-on for Microsoft Office 365 		  NEXT
Configure Office 365 Management APIs inputs for the Splunk Add-on for Microsoft Office 365

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters