Splunk® Supported Add-ons

Splunk Add-on for Microsoft Office 365

Configure optional settings for the Splunk Add-on for Microsoft Office 365

The Splunk Add-on for Microsoft Office 365 only supports HTTP proxy.

Prerequisites: Before you configure the Settings, complete the previous steps in the configuration process:

Configure Proxy and Log Level settings

Using Splunk Web, configure Proxy and Log Level settings on the Splunk platform instance that you have designated as your configuration server for this add-on.

  1. On your Splunk platform instance, navigate to the Splunk Web home screen.
  2. In the left navigation banner, click on Splunk Add-on for Microsoft Office 365.
  3. Click on the Configuration tab.
  4. If you need to use a proxy:
    1. Click the Proxy tab.
    2. Fill in the form with your proxy details. If your proxy server does not require authentication, leave the username and password fields empty.
    3. Click Save.
  5. To change the logging levels:
    1. Click the Logging tab.
    2. Select the Log Level.
    3. Click Save.

Configure the request timeout parameter for management activity inputs

Configure the request_timeout parameter for management activity inputs.

request_timeout is the number of seconds to wait for a response from the subscription API before timing out.

  • The range for the parameter is from 10 to 600 seconds.
  • The default value of request_timeout parameter is 60 seconds.
  • The upper limit value of a request_timeout parameter is 600 seconds.
  • The lower limit value of a request_timeout parameter is 10 seconds.

There are two ways to add a request_timeout parameter with a configured input.

  1. Make the request_timeout parameter configurable to all configured inputs.
    1. Navigate to $SPLUNK_HOME/etc/apps/splunk_ta_o365/local, and create an inputs.conf file, if it does not already exist.
    2. Copy the following stanza, and add it to the $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf file.
      [splunk_ta_o365_management_activity]
      request_timeout = <integer>
      

      This setting overrides the default value of request_timeout defined in default/inputs.conf and applies to all configured management activity inputs.

    3. Save your changes.
  2. Make the request_timeout parameter configurable by adding request_timeout to a specific management activity input.
    1. Configure Inputs for the Splunk Add-on for Microsoft Office 365 using Splunk Web.
    2. Navigate to $SPLUNK_HOME/etc/apps/splunk_ta_o365/local, and create an inputs.conf file, if it does not already exist.
    3. Open $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf and add the request_timeout = <integer> parameter under each configured input. For example, the [splunk_ta_o365_management_activity://<Input_Name>] stanza.
    4. Save your changes.

Configure the request timeout parameter for Graph API inputs

Configure the request_timeout parameter for Audit Logs inputs.

request_timeout is the number of seconds to wait for a response from the Graph API before timing out.

  • The range for the parameter is from 10 to 600 seconds.
  • The default value of request_timeout parameter is 60 seconds.
  • The upper limit value of a request_timeout parameter is 600 seconds.
  • The lower limit value of a request_timeout parameter is 10 seconds.

To configure it from the UI:

  • Click "Create New Input" and select "Audit Logs".
  • Under the "Advanced Settings" section, configure the "Request Timeout" parameter.

You can also configure the request_timeout in all the Graph API inputs from $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf.

Configure the token refresh window parameter for management activity inputs

Configure the token_refresh_window parameter for management activity inputs.

token_refresh_window is the number of seconds before the token expires at which the token must be refreshed. For example, if the token expires at 01:00 PM and the user has entered 600 as the value of the token_refresh_window parameter, then the token is refreshed at 12:50 PM.

  • The range for the token_refresh_window parameter is from 400 seconds to 3600 seconds.
  • The default value of token_refresh_window is 600 seconds.
  • The upper limit of token_refresh_window is 3600 seconds.
  • The lower limit of token_refresh_window is 400 seconds.

There are two ways to add a token_refresh_window parameter with configured inputs.

  1. Make the token_refresh_window parameter configurable to all configured inputs.
    1. Navigate to $SPLUNK_HOME/etc/apps/splunk_ta_o365/local, and create an inputs.conf file, if it does not already exist.
    2. Copy the following stanza, and add it to the $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf file.
      [splunk_ta_o365_management_activity]
      token_refresh_window = <integer>
      

      This setting overrides the default value of token_refresh_window defined in default/inputs.conf and applies to all configured management activity inputs.

    3. Save your changes.
  2. Make the token_refresh_window parameter configurable by adding token_refresh_window to specific management activity inputs.
    1. Configure Inputs for the Splunk Add-on for Microsoft Office 365 using Splunk Web.
    2. Navigate to $SPLUNK_HOME/etc/apps/splunk_ta_o365/local, and create an inputs.conf file, if it does not already exist.
    3. Open $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf, and add the token_refresh_window = <integer> parameter to each specific management activity input. For example, the [splunk_ta_o365_management_activity://<Input_Name>] stanza.
    4. Save your changes.
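
The following check is an added example, not part of the add-on or of Splunk's documentation: it reads inputs.conf text, resolves request_timeout and token_refresh_window for each management activity input, and reports values outside the ranges given on this page. It assumes that a per-input value takes precedence over the [splunk_ta_o365_management_activity] stanza; the input names in the sample are hypothetical.

```python
import re

# Limits and defaults in seconds, as stated on this page: (low, high, default).
LIMITS = {"request_timeout": (10, 600, 60),
          "token_refresh_window": (400, 3600, 600)}
SCHEME = "splunk_ta_o365_management_activity"

def parse_conf(text):
    """Parse Splunk .conf text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit(text):
    """Return (effective settings per input, list of out-of-range findings)."""
    stanzas = parse_conf(text)
    shared = stanzas.get(SCHEME, {})  # stanza that applies to all inputs
    effective, problems = {}, []
    for name, settings in stanzas.items():
        if not name.startswith(SCHEME + "://"):
            continue  # only per-input management activity stanzas
        effective[name] = {}
        for key, (low, high, default) in LIMITS.items():
            # Assumed precedence: per-input value, then shared stanza, then default.
            raw = settings.get(key, shared.get(key, str(default)))
            effective[name][key] = raw
            if not raw.isdecimal() or not low <= int(raw) <= high:
                problems.append(f"{name}: {key} = {raw} is outside {low}-{high}")
    return effective, problems

# Constructed sample; the input names are hypothetical.
SAMPLE = """\
[splunk_ta_o365_management_activity]
request_timeout = 120
[splunk_ta_o365_management_activity://audit_exchange]
token_refresh_window = 300
[splunk_ta_o365_management_activity://audit_sharepoint]
request_timeout = 900
token_refresh_window = 900
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)[1]))
```
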
Last modified on 20 February, 2024

This documentation applies to the following versions of Splunk® Supported Add-ons: released

