Prerequisites: Before you enable inputs, complete the previous steps in the configuration process:
Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web (recommended) or using the configuration files.
Note:
- If you want to collect audit logs for mailbox access from Exchange Online, you need to turn on mailbox audit logging in Office 365, which is not enabled by default. See Exchange audit logging.
- When you configure the Office 365 input for the first time, the add-on subscribes to the activity log content types (such as Audit.Exchange, Audit.SharePoint and Audit.AzureActiveDirectory) on the Microsoft side, but it can take up to 12 hours for the first content blobs to become available for that subscription.
Configure inputs using Splunk Web
Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
1. In the Splunk Add-on for Microsoft Cloud Services, click Inputs.
2. Click Create New Input and then select Office 365 Management APIs.
3. Enter the Name, Account, Data and Index using information in the input parameter table below.
4. Click Add.
5. Verify that data is successfully arriving by running the following search on your search head: sourcetype=ms:o365:management*
If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully. See Troubleshoot the Splunk Add-on for Microsoft Cloud Services for information about enabling this dashboard on your heavy forwarder.
Configure inputs in the configuration files
Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.
1. Create $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local/splunk_ta_ms_o365_server_management_api_inputs.conf.
2. Add the following stanza.
3. (Optional) If you want to change the data sources or polling intervals, edit the data parameter. These default values represent all the data sources currently available for collection with this add-on. Note: CurrentStatus also includes HistoricalStatus. CurrentStatus uses the interval defined here, but HistoricalStatus uses 86400 (24 hours), because Microsoft generates historical status once per day. For more information, see https://msdn.microsoft.com/EN-US/library/office/dn707386.aspx.
4. (Optional) Configure a custom index.
5. Restart your Splunk platform instance.
6. Verify that data is successfully arriving by running the following search on your search head: sourcetype=ms:o365:management*
If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully. See Troubleshoot the Splunk Add-on for Microsoft Cloud Services for information about enabling this dashboard on your heavy forwarder.
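As an added example (not part of the add-on or this documentation), the following Python checks an inputs .conf like the one created in the steps above before restarting Splunk: it confirms the attributes from the parameter table are present, applies the CurrentStatus/HistoricalStatus rule, and reports any audit content type that is not being collected. The stanza and account names are constructed, and the JSON shape assumed for the data value is an assumption of this example, not the add-on's documented format.

```python
import configparser
import json

# Constructed sample of the inputs .conf; stanza/account names and the JSON shape of "data" are assumptions.
SAMPLE_CONF = """
[o365_audit_prod]
account = o365_prod_account
index = o365
data = [{"name": "Audit.AzureActiveDirectory", "interval": 300},
 {"name": "Audit.Exchange", "interval": 300},
 {"name": "CurrentStatus", "interval": 900}]

[o365_status_only]
account = o365_prod_account
data = [{"name": "ServiceMessage", "interval": 600}]
"""

REQUIRED_KEYS = ("account", "data")  # attribute names from the input parameter table
AUDIT_SOURCES = ("Audit.AzureActiveDirectory", "Audit.Exchange", "Audit.SharePoint")
HISTORICAL_STATUS_INTERVAL = 86400  # fixed: Microsoft generates historical status once per day

def effective_intervals(data_value):
    """Map service name -> polling interval, adding HistoricalStatus whenever CurrentStatus is enabled."""
    services = {entry["name"]: int(entry["interval"]) for entry in json.loads(data_value)}
    if "CurrentStatus" in services:
        services["HistoricalStatus"] = HISTORICAL_STATUS_INTERVAL
    return services

def check_inputs(conf_text):
    """Return {stanza: {"intervals": {...}, "findings": [...]}} for every input stanza."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    report = {}
    for stanza in parser.sections():
        section, findings = parser[stanza], []
        for key in REQUIRED_KEYS:
            if key not in section:
                findings.append("missing required attribute: " + key)
        if "index" not in section:
            findings.append("no index set; events will land in main")
        try:
            intervals = effective_intervals(section.get("data", "[]"))
        except (ValueError, KeyError, TypeError):
            intervals = {}
            findings.append("data is not a JSON list of {name, interval} objects")
        for source in AUDIT_SOURCES:
            if source not in intervals:  # audit coverage gap worth fixing before go-live
                findings.append("audit source not collected: " + source)
        report[stanza] = {"intervals": intervals, "findings": findings}
    return report
```

Run check_inputs on the file contents and review each stanza's findings before restarting the instance.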
Input Parameters
Each attribute in the following table corresponds to a field in Splunk Web.
Attribute | Corresponding field in Splunk Web | Description |
---|---|---|
management_input_name | Name | A friendly name for your input. |
account | Account | The Microsoft Office 365 account from which you want to gather data. |
data | Data | The Microsoft cloud services from which you want to collect data through the API, with intervals for data collection for each service. The add-on automatically lists all services currently available. You can remove any or click the interval value to edit the frequency with which the add-on polls for new data from the API. Note: CurrentStatus also includes HistoricalStatus. CurrentStatus uses the interval defined here, but HistoricalStatus uses 86400 (24 hours), because Microsoft generates historical status once per day. For more information, see https://msdn.microsoft.com/EN-US/library/office/dn707386.aspx. |
index | Index | The index in which the Microsoft cloud services data should be stored. The default is main. |