Splunk® Data Stream Processor

Getting Data In



On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor. For documentation on the most recent version, go to the latest release.

Use the Microsoft 365 Connector with Splunk DSP

Use the Microsoft 365 Connector to collect data from the Office 365 Management Activity API. The API lets you audit the end-user activity in your Microsoft 365 and Office 365 services by providing logs that track the status, messages, and management activity in each service.

To use the Microsoft 365 Connector, start by creating a connection that allows it to access data from the Office 365 Management Activity API. Then, add the Microsoft 365 Connector to the start of your data pipeline and configure it to use the connection that you created.

Behavior of the Microsoft 365 Connector

The Microsoft 365 Connector has the following behavior:

  • The first time a scheduled job runs, the connector collects data from the past 30 minutes. For all following scheduled jobs, the connector collects data according to the schedule that you specified.
  • In some cases, the connector doesn't collect an event until up to 5 days after the event was originally generated. For more information about this delay, search for "Office 365 Management Activity API frequently asked questions" in the Office 365 Management APIs documentation.
  • The connector can send a maximum of 2,000 requests per minute.
  • Each request from the connector is limited to a maximum time period of 24 hours.
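The three timing rules above (a 30-minute lookback on the first run, a 24-hour ceiling per request, and a 2,000-requests-per-minute ceiling) determine how many API requests one scheduled job issues. The following Python snippet is an added illustration of that arithmetic, not code from the connector or from Splunk: it assumes that a job collects from the end of the previous job up to the current time, that a span longer than 24 hours is split into consecutive 24-hour requests rather than rejected, and that one request is issued per content type per window. It does not model the up-to-5-day delivery delay.

```python
from datetime import datetime, timedelta, timezone

# Limits as stated in the connector documentation
INITIAL_LOOKBACK = timedelta(minutes=30)   # first scheduled run collects the past 30 minutes
MAX_REQUEST_SPAN = timedelta(hours=24)     # each request covers at most 24 hours
MAX_REQUESTS_PER_MINUTE = 2000             # connector-wide request ceiling


def plan_windows(now, last_run=None, content_types=("Audit.Exchange",)):
    """Return the (content_type, start, end) requests one scheduled job would issue.

    Assumed model (not from the documentation): the job collects from `last_run`
    up to `now`, and any span longer than 24 hours is split into consecutive
    24-hour requests. Timestamps must be timezone-aware, because CRON schedules
    are evaluated in UTC.
    """
    if now.tzinfo is None or (last_run is not None and last_run.tzinfo is None):
        raise ValueError("timestamps must be timezone-aware (schedules are UTC)")
    start = now - INITIAL_LOOKBACK if last_run is None else last_run
    if start >= now:
        return []
    requests = []
    for content_type in content_types:
        cursor = start
        while cursor < now:
            end = min(cursor + MAX_REQUEST_SPAN, now)
            requests.append((content_type, cursor, end))
            cursor = end
    return requests


def minutes_needed(request_count):
    """Minimum whole minutes needed to issue `request_count` requests at the 2,000/minute ceiling."""
    return -(-request_count // MAX_REQUESTS_PER_MINUTE)  # ceiling division


if __name__ == "__main__":
    now = datetime(2020, 10, 23, 12, 0, tzinfo=timezone.utc)  # constructed sample time
    # A job that last ran 50 hours ago needs three windows per content type (24 h, 24 h, 2 h);
    # more than one window per content type is the sign that the schedule exceeds 24 hours.
    for ct, start, end in plan_windows(now, now - timedelta(hours=50), ("Audit.Exchange", "DLP.All")):
        print(ct, start.isoformat(), end.isoformat())
```

The first-run case returns a single 30-minute window per content type; if `plan_windows` returns more than one window per content type, the gap between runs is longer than the 24-hour per-request limit and the job is doing extra requests that a shorter schedule would avoid.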

Create a connection using the Microsoft 365 Connector

Create a connection so that the Microsoft 365 Connector can access data from the Office 365 Management Activity API and send the data into a Splunk Data Stream Processor (DSP) pipeline.

If you are editing a connection that's being used by an active pipeline, you must reactivate that pipeline after making your changes.

Prerequisites

Before you can use the Microsoft 365 Connector, you must have the following:

  • An integration application that registers the connector in Microsoft Azure Active Directory (AD), and has the Read activity data for your organization permission assigned to it.
  • The following credentials from the integration application:
    • Tenant ID, which is also known as a directory ID.
    • Client ID, which is also known as an application ID.
    • Client secret, which is also known as a key.

If you don't have this integration application or the credentials, ask your Microsoft 365 administrator for assistance. For information about creating integration applications, search for "Get started with Office 365 Management APIs" in the Office 365 Management APIs documentation.

Steps

  1. From the Data Management page, select the Connections tab.
  2. Click Create New Connection.
  3. Select Microsoft 365 Connector and then click Next.
  4. Complete the following fields:
    Connection Name: A unique name for your connection.
    Tenant ID: The tenant ID from Azure AD.
    Client ID: The client ID from your integration application in Azure AD.
    Client Secret: The client secret from your integration application in Azure AD.
    Content Types: The types of logs to collect from Microsoft 365 and Office 365 services. Select one or more of the following types:
      • Audit.AzureActiveDirectory: The audit logs for Azure AD.
      • Audit.Exchange: The audit logs for Microsoft Exchange.
      • Audit.SharePoint: The audit logs for Microsoft SharePoint.
      • Audit.General: The general audit logs for Microsoft 365.
      • DLP.All: The data loss protection (DLP) event logs for all services.
    Scheduled: This parameter is on by default, indicating that jobs run automatically. Toggle this parameter off to stop the scheduled job from automatically running. Jobs that are currently running aren't affected.
    Schedule: The time-based job schedule that determines when the connector executes jobs for collecting data. Select a predefined value or write a custom CRON schedule. All CRON schedules are based on UTC.

      To avoid running long jobs that don't collect any additional data, schedule your jobs to run for 24 hours or less. Each request from the connector to the API is limited to a maximum time period of 24 hours.

    Workers: The number of workers you want to use to collect data.

    If your data fails to get into DSP, check the fields again to make sure the connection name, tenant ID, client ID, and client secret for your Microsoft 365 connection are correct. DSP doesn't validate the credentials when you save the connection, so a typo in any of these fields is only noticed when the scheduled job fails to collect data.

  5. Click Save.

You can now use your connection in a data pipeline.

Last modified on 23 October, 2020

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0

