
Configure Azure Active Directory Sign in inputs for the Splunk Add on for Microsoft Azure

Jason Conger edited this page Jul 11, 2022 · 13 revisions

Before you enable inputs, complete the previous steps in the configuration process:

Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice, or by using the configuration files.

Azure Active Directory Inputs

The Splunk Add-on for Microsoft Azure includes the following Azure Active Directory inputs:

  • Interactive Sign-ins
  • Directory Audit
  • Users
  • Group
  • Devices
  • Identity Protection (Risky Detections & Risky Users)

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. In the Splunk Add-on for Microsoft Azure, click Inputs.
  2. Click Create New Input and then select an Azure Active Directory input.
  3. Enter the Name, Interval, Index, Azure App Account, Tenant ID, Environment, and other parameters using the information in the input parameter table below.

Configure inputs using configuration files

Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. Create or modify a file named inputs.conf under $SPLUNK_HOME/etc/apps/TA-MS-AAD/local.
  2. Refer to the sections below for input parameters.
  3. Save and restart the Splunk platform.

Azure Active Directory Interactive Sign-ins Input

API used: https://docs.microsoft.com/en-us/graph/api/signin-list

Sign-in Data Collected

The API that the Azure Active Directory Sign-in input uses only returns sign-ins that are interactive in nature (where a username/password is passed as part of the auth token) and successful federation sign-ins. To collect sign-in data like non-interactive sign-ins, service principal sign-ins, managed identity sign-ins, etc., stream the Azure Active Directory data to an Event Hub. The Splunk Add-on for Microsoft Cloud Services or Splunk Data Manager can be used to retrieve Event Hub data.

Azure Active Directory Interactive Sign-ins Input Parameters

Each attribute in the following table corresponds to a field in Splunk Web.

| Attribute | Corresponding field in Splunk Web | Description |
| --- | --- | --- |
| [MS_AAD_signins://input_stanza_name] | Name | A friendly name for your input. |
| azure_app_account | Azure Account | The Azure App account from which you want to gather data. |
| endpoint | Endpoint | The Microsoft Graph endpoint used to retrieve data. Valid options are v1.0 and beta. |
| environment | Environment | The Azure environment. Valid options are public and gov. |
| tenant_id | Tenant ID | The Azure Active Directory Tenant ID (a.k.a. Directory ID). |
| query_backoff_throttle | Query Backoff Throttle | Advanced: number of seconds to subtract from the end date of the query. This helps accommodate near real-time events toward the end of a query that may arrive non-sequentially. |
| query_window_size | Query Limit (optional) | The maximum number of minutes used for the query range. This is useful for retrieving older data. Use this setting with caution. Specify '0' to disable. |
| sign_in_sourcetype | Sign-in Sourcetype | The sourcetype to use for this input. |
| start_date | Start Date | The add-on starts collecting data with a date later than this time. The format is YYYY-mm-ddTHH:MM:SSZ and the default is 24 hours in the past. |
| interval | Interval | The number of seconds to wait before the Splunk platform runs the command again. |
| index | Index | The index in which to store Azure data. |

Verify that the value listed for azure_app_account matches the account entry in ta_ms_aad_account.conf.

Azure Active Directory Audit Input

API used: https://docs.microsoft.com/en-us/graph/api/directoryaudit-list

Azure Active Directory Audit Input Parameters

Each attribute in the following table corresponds to a field in Splunk Web.

| Attribute | Corresponding field in Splunk Web | Description |
| --- | --- | --- |
| [MS_AAD_audit://input_stanza_name] | Name | A friendly name for your input. |
| azure_app_account | Azure Account | The Azure App account from which you want to gather data. |
| endpoint | Endpoint | The Microsoft Graph endpoint used to retrieve data. Valid options are v1.0 and beta. |
| environment | Environment | The Azure environment. Valid options are public and gov. |
| tenant_id | Tenant ID | The Azure Active Directory Tenant ID (a.k.a. Directory ID). |
| query_backoff_throttle | Query Backoff Throttle | Advanced: number of seconds to subtract from the end date of the query. This helps accommodate near real-time events toward the end of a query that may arrive non-sequentially. |
| query_window_size | Query Limit (optional) | The maximum number of minutes used for the query range. This is useful for retrieving older data. Use this setting with caution. Specify '0' to disable. |
| audit_sourcetype | Audit Sourcetype | The sourcetype to use for this input. |
| start_date | Start Date | The add-on starts collecting data with a date later than this time. The format is YYYY-mm-ddTHH:MM:SSZ and the default is 7 days in the past. |
| interval | Interval | The number of seconds to wait before the Splunk platform runs the command again. |
| index | Index | The index in which to store Azure data. |

Verify that the value listed for azure_app_account matches the account entry in ta_ms_aad_account.conf.

Azure Active Directory Users Input

API used: https://docs.microsoft.com/en-us/graph/api/user-list

Azure Active Directory Users Input Parameters

Each attribute in the following table corresponds to a field in Splunk Web.

| Attribute | Corresponding field in Splunk Web | Description |
| --- | --- | --- |
| [MS_AAD_user://input_stanza_name] | Name | A friendly name for your input. |
| azure_app_account | Azure Account | The Azure App account from which you want to gather data. |
| endpoint | Endpoint | The Microsoft Graph endpoint used to retrieve data. Valid options are v1.0 and beta. |
| environment | Environment | The Azure environment. Valid options are public and gov. |
| tenant_id | Tenant ID | The Azure Active Directory Tenant ID (a.k.a. Directory ID). |
| user_sourcetype | User Sourcetype | The sourcetype to use for this input. |
| filter | Query Parameters (optional) | OData parameters. |
| interval | Interval | The number of seconds to wait before the Splunk platform runs the command again. |
| index | Index | The index in which to store Azure data. |

Verify that the value listed for azure_app_account matches the account entry in ta_ms_aad_account.conf.

Azure Active Directory Groups Input

API used: https://docs.microsoft.com/en-us/graph/api/group-list

Azure Active Directory Groups Input Parameters

Each attribute in the following table corresponds to a field in Splunk Web.

| Attribute | Corresponding field in Splunk Web | Description |
| --- | --- | --- |
| [MS_AAD_group://input_stanza_name] | Name | A friendly name for your input. |
| azure_app_account | Azure Account | The Azure App account from which you want to gather data. |
| endpoint | Endpoint | The Microsoft Graph endpoint used to retrieve data. Valid options are v1.0 and beta. |
| environment | Environment | The Azure environment. Valid options are public and gov. |
| tenant_id | Tenant ID | The Azure Active Directory Tenant ID (a.k.a. Directory ID). |
| group_sourcetype | Group Sourcetype | The sourcetype to use for this input. |
| filter | Query Parameters (optional) | OData parameters. |
| interval | Interval | The number of seconds to wait before the Splunk platform runs the command again. |
| index | Index | The index in which to store Azure data. |

Verify that the value listed for azure_app_account matches the account entry in ta_ms_aad_account.conf.

Azure Active Directory Devices Input

API used: https://docs.microsoft.com/en-us/graph/api/device-list

Azure Active Directory Devices Input Parameters

Each attribute in the following table corresponds to a field in Splunk Web.

| Attribute | Corresponding field in Splunk Web | Description |
| --- | --- | --- |
| [MS_AAD_device://input_stanza_name] | Name | A friendly name for your input. |
| azure_app_account | Azure Account | The Azure App account from which you want to gather data. |
| endpoint | Endpoint | The Microsoft Graph endpoint used to retrieve data. Valid options are v1.0 and beta. |
| environment | Environment | The Azure environment. Valid options are public and gov. |
| tenant_id | Tenant ID | The Azure Active Directory Tenant ID (a.k.a. Directory ID). |
| device_sourcetype | Device Sourcetype | The sourcetype to use for this input. |
| interval | Interval | The number of seconds to wait before the Splunk platform runs the command again. |
| index | Index | The index in which to store Azure data. |

Verify that the value listed for azure_app_account matches the account entry in ta_ms_aad_account.conf.
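An added example (not code from the add-on or this wiki) that checks a hand-written inputs.conf against the parameter tables above and the azure_app_account requirement repeated after each table. The stanza names, account name, sourcetypes and tenant ID are constructed sample values, and ta_ms_aad_account.conf is assumed to hold one stanza per account name (its credential keys are left out).

```python
import configparser
from datetime import datetime

# Constructed sample inputs.conf (hypothetical values); the audit stanza has three mistakes.
SAMPLE_INPUTS_CONF = """[MS_AAD_signins://aad_signins_prod]
azure_app_account = prod_aad_app
endpoint = v1.0
environment = public
query_backoff_throttle = 300
sign_in_sourcetype = azure:aad:signin
start_date = 2022-07-01T00:00:00Z
interval = 300
index = azure

[MS_AAD_audit://aad_audit_prod]
azure_app_account = missing_account
endpoint = v2
environment = public
audit_sourcetype = azure:aad:audit
start_date = 2022/07/01
interval = 300
index = azure
"""
# Constructed ta_ms_aad_account.conf: only the stanza name matters for this check.
SAMPLE_ACCOUNT_CONF = """[prod_aad_app]
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def validate_aad_inputs(inputs_text, account_text):
    """Return {stanza: [problems]} for every MS_AAD_* stanza; an empty list means OK."""
    inputs, accounts = _parse(inputs_text), set(_parse(account_text).sections())
    report = {}
    for stanza in inputs.sections():
        if not stanza.startswith("MS_AAD_"):
            continue
        s, problems = inputs[stanza], []
        if s.get("azure_app_account") not in accounts:
            problems.append("azure_app_account has no matching stanza in ta_ms_aad_account.conf")
        if s.get("endpoint") not in ("v1.0", "beta"):
            problems.append("endpoint must be v1.0 or beta")
        if s.get("environment") not in ("public", "gov"):
            problems.append("environment must be public or gov")
        try:  # start_date is optional; when present it must be YYYY-mm-ddTHH:MM:SSZ
            datetime.strptime(s.get("start_date", "1970-01-01T00:00:00Z"), "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            problems.append("start_date must use YYYY-mm-ddTHH:MM:SSZ")
        report[stanza] = problems
    return report
```

Run it against $SPLUNK_HOME/etc/apps/TA-MS-AAD/local/inputs.conf and ta_ms_aad_account.conf before restarting Splunk; a stanza whose account name does not match will never authenticate.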


Azure Active Directory Input Notes

Throttling Guidance

The Azure Active Directory Sign-in and Audit inputs in this add-on utilize Azure AD activity reports available in the Microsoft Graph API. Microsoft Graph imposes service-specific limits to prevent the overuse of resources. These limits affect the scalability and throughput of the Azure Active Directory Sign-in and Audit inputs in this add-on. Refer to the identity and access reports service limits for specific imposed limits.

Identifying Throttling in your Splunk Environment

When throttling happens, an HTTP response code 429 is returned. Run the following search to determine if throttling is impacting your data ingestion:

index=_internal 429 client error

Paging

When a request is made to Microsoft Graph, only the first 1,000 records are returned. If there are more than 1,000 records available, a continuation token is returned along with the data. In this scenario, Splunk will index the 1,000 records returned and then follow the continuation token to retrieve the next 1,000 records. Each 1,000 record request counts toward the throttling limits.
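The paging and throttling behaviour described above, as an added example that is not part of the add-on: a collector follows Microsoft Graph's @odata.nextLink continuation until the last page and, when a page comes back with HTTP 429, waits for the Retry-After header before retrying that same page instead of dropping it. The Graph service is replaced by a constructed stand-in with hypothetical URLs and pages of two records (the real API pages at 1,000), and the request counter makes the cost against the throttling limits visible.

```python
import time

def collect_pages(fetch, first_url, sleep=time.sleep, max_retries=5):
    """Follow Graph paging until no @odata.nextLink remains, retrying a page on
    HTTP 429 after the Retry-After delay. fetch(url) -> (status, headers, body).
    Returns (records, requests_made): every page, throttled or not, is one request."""
    records, url, requests_made = [], first_url, 0
    while url:
        retries = 0
        while True:
            status, headers, body = fetch(url)
            requests_made += 1
            if status == 200:
                break
            if status != 429 or retries >= max_retries:
                raise RuntimeError(f"HTTP {status} for {url} after {retries} retries")
            retries += 1
            sleep(int(headers.get("Retry-After", "1")))
        records.extend(body.get("value", []))
        url = body.get("@odata.nextLink")  # absent on the final page
    return records, requests_made

# Constructed stand-in for Microsoft Graph (hypothetical URLs): three pages holding
# two, two and one record; page 2 is throttled exactly once.
_PAGES = {
    "https://graph.example/signins?p=1": {"value": [{"id": "s1"}, {"id": "s2"}],
                                         "@odata.nextLink": "https://graph.example/signins?p=2"},
    "https://graph.example/signins?p=2": {"value": [{"id": "s3"}, {"id": "s4"}],
                                         "@odata.nextLink": "https://graph.example/signins?p=3"},
    "https://graph.example/signins?p=3": {"value": [{"id": "s5"}]},
}

def make_fake_graph(throttle_once="https://graph.example/signins?p=2"):
    seen = set()
    def fetch(url):
        if url == throttle_once and url not in seen:
            seen.add(url)
            return 429, {"Retry-After": "2"}, {}
        return 200, {}, _PAGES[url]
    return fetch

def demo():
    """Walk the fake service, recording requested sleeps instead of actually waiting."""
    waits = []
    records, requests_made = collect_pages(make_fake_graph(), "https://graph.example/signins?p=1",
                                           sleep=waits.append)
    return len(records), requests_made, waits  # (5, 4, [2])

if __name__ == "__main__":
    print(demo())
```

Five records cost four requests here because the throttled page had to be fetched twice; at 1,000 records per page the same retry overhead is what the `index=_internal 429 client error` search surfaces.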

Recommendation

To overcome throttling and collect non-interactive sign-in data, send Azure Active Directory Sign-in and Audit data to an Event Hub. The Splunk Add-on for Microsoft Cloud Services can be utilized to collect Event Hub data.

