Active Directory / Azure Active Directory

Windows Active Directory Data

Use the Windows Add-on to collect Active Directory related logs https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/AbouttheSplunkAdd-onforWindows.

This data is required for Active Directory related alerts/dashboards (Group Changes, Group Policy Changes, and User Changes) and it is only compatible with plain text formatted events.

Refer to A-TA-ad_inputs App on this GitHub Repo for inputs.conf reference.

Reference for admon input creation:https://docs.splunk.com/Documentation/Splunk/8.1.3/Data/MonitorActiveDirectory

Estimated Data Size

Data size with updated stanzas:

  • MSAD Health and Active Directory both use < 10 MB per day.

Note: The data size tends to vary based on how large the Active Directory environment is, but generally it consumes very little license usage overall.

Microsoft Office 365 Management Activities Data

The Splunk Add-on for Microsoft Office 365 will be required in order to collect management activity data.

Splunkbase Download: https://splunkbase.splunk.com/app/4055/

Installation Guide: https://docs.splunk.com/Documentation/AddOns/released/MSO365/Installationsteps

How to Install and Configure the Splunk Add-on for Microsoft Office 365:

  1. Install the Add-on on the Heavy Forwarder.
  2. Configure the Add-on on the Heavy Forwarder.
  3. Configure the Inputs on the Heavy Forwarder.
  4. Install the Add-on on the Search Head.

Estimated Data Size

It consumes around 80-100MB of license usage per day.

The total amount of data varies based on the size of your organization (our calculations are based on organizations with around thirty Office 365 users).


Copyright © 2024 CrossRealms International.