Configure Inputs for the Splunk Add-on for Microsoft Office 365
Prerequisites: Before you enable inputs, complete the previous steps in the configuration process:
- Configure an integration application in Azure AD for the Splunk Add-on for Microsoft Office 365
- Configure a Tenant in the Splunk Add-on for Microsoft Office 365
Configure your inputs using Splunk Web on the Splunk platform instance that you have designated as your configuration server for this add-on.
- Go to the Splunk Web home screen.
- Click on Splunk Add-on for Microsoft Office 365 in the left navigation banner.
- Click on the Inputs tab.
- Click Create New Input.
- Select the input type you want to create.
- Management Activity - All audit events visible through the Office 365 Management Activity API.
- Audit.AzureActiveDirectory - the audit logs for Microsoft Azure Active Directory
- Audit.Exchange - the audit logs for Microsoft Exchange
- Audit.SharePoint - the audit logs for Microsoft SharePoint
- Audit.General - the general audit logs for Microsoft Office 365
- DLP.All - all log information for DLP
- Service Health & Communications - Access the health status and message center posts.
- ServiceHealth.Read.All - Provides the health information of a specified service for a tenant.
- ServiceMessage.Read.All - Provides the message information of a specified service for a tenant.
- Mailbox - Audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.
- MailboxUsageDetail - Lists details about mailbox usage.
- MailboxUsageMailboxCounts - List details about active mailbox counts.
- Office 365 - Audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.
- Office365GroupsActivityDetail - List details about group activity details.
- Office365ServicesUserCounts - List details about Microsoft 365 Services counts.
- One Drive - Audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.
- OneDriveActivityUserCounts - List details about OneDrive user activity.
- OneDriveUsageAccountDetail - List details about OneDrive usage by account.
- OneDriveUsageStorage - List details regarding the amount of OneDrive storage.
- Share Point - Audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.
- SharePointSiteUsageDetail - List details about SharePoint site usage.
- SharePointSiteUsageFileCounts - List details about SharePoint file counts and activity.
- Teams - Audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.
- TeamsUserActivityCounts - List details about the number of Teams active by activity.
- TeamsUserActivityUserDetail - List details about Teams user activity.
- Yammer - Audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.
- YammerGroupsActivityDetail - List details about Yammer Group activity.
- YammerGroupsActivityGroupCounts - List details about Yammer group activity.
- Audit Logs - Audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.
- AuditLogs.SignIns - List user sign-ins to an Azure tenant.
- Cloud Application Security - All service policies, alerts and entities visible through the Microsoft Cloud Application Security portal.
- Policies - Lists threat protection policy information.
- Alerts - Lists information about risks identified.
- Cloud Discovery Entities - Lists information about accounts and users of cloud apps.
- Files - Lists information about files and folders metadata.
The retention period for historical data is 7 days.
- Management Activity - All audit events visible through the Office 365 Management Activity API.
- Fill in the required fields.
- Click Add. The Splunk Add-on for Microsoft Office 365 saves your input settings and divides up the data collection tasks included in the input evenly among all the forwarders that you have specified in the Forwarders tab on the Configuration page.
- Verify that data is successfully arriving by running one of the following searches on your search head depending on which input type you have defined:
sourcetype=o365:cas:api
sourcetype=o365:graph:api
sourcetype=o365:management:activity
sourcetype=o365:service:healthIssue
sourcetype=o365:service:updateMessage
If you do not see any events, check the Troubleshooting tab on your configuration server instance to verify that your accounts, forwarders, and inputs are all configured successfully. See also: Troubleshooting the Splunk Add-on for Microsoft Office 365.sourcetype=splunk:ta:o365:log
Configure a Tenant in the Splunk Add-on for Microsoft Office 365 | Configure Office 365 Management APIs inputs for the Splunk Add-on for Microsoft Office 365 |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!