Configure Azure Active Directory Identity Protection inputs for the Splunk Add on for Microsoft Azure
Note
Azure Active Directory has been renamed to Microsoft Entra ID.
Before you enable inputs, complete the previous steps in the configuration process:
- Create an Azure AD App Registration
- Connect to your Azure Account with Splunk Add-on for Microsoft Azure
Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice, or by using the configuration files.
Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
- In the Splunk Add-on for Microsoft Azure, click Inputs.
- Click Create New Input and then select Azure Active Directory Identity Protection.
- Enter the Name, Interval, Index, Azure App Account, Tenant ID, Environment, and other parameters using the information in the input parameter table below.
Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
- Create or modify a file named
inputs.confunder$SPLUNK_HOME/etc/apps/TA-MS-AAD/local. - Add the following stanza:
[MS_AAD_identity_protection://<input_stanza_name>]
azure_app_account = <value>
collect_risk_detection_data = <value>
collect_risky_user_data = <value>
endpoint = <value>
environment = <value>
index = <value>
interval = <value>
risk_detection_sourcetype = <value>
risky_user_sourcetype = <value>
tenant_id = <value>
- Save and restart the Splunk platform.
Verify that the value listed for
azure_app_accountmatches the account entry inta_ms_aad_account.conf.
Each attribute in the following table corresponds to a field in Splunk Web.
| Attribute | Corresponding field in Splunk Web | Description |
|---|---|---|
[MS_AAD_identity_protection://input_stanza_name] |
Name | A friendly name for your input. |
azure_app_account |
Azure Account | The Azure App account from which you want to gather data. |
endpoint |
Endpoint | The Microsoft Graph endpoint used to retrieve data. Valid options are v1.0 and beta
|
environment |
Environment | The Azure environment. Valid options are public and gov. |
tenant_id |
Tenant ID | The Azure Active Directory Tenant ID (a.k.a. Directory ID) |
collect_risk_detection_data |
Collect Risk Detection Data | Suspicious actions related to user accounts in the directory. |
risk_detection_sourcetype |
Risk Detection Sourcetype | The sourcetype to use for Risk Detection data. |
collect_risky_user_data |
Collect Risky User Data | Represents Azure AD users who are at risk. |
risky_user_sourcetype |
Risky User Sourcetype | The sourcetype to use for Risky User data. |
interval |
Interval | The number of seconds to wait before the Splunk platform runs the command again. |
index |
Index | The index in which to store Azure data. |
