We are following this document: https://docs.cribl.io/stream/usecase-rest-ms-graph/ We have tested bringing in Azure User and Device data in the past with no issue. We are having a problem figuring out the best Collect URL to use. We've tried many different ones. We've tested our URLs in Microsoft's Graph Explorer, and we are not receiving the expected output in Cribl. We have also set all the permissions that a Splunk App would require: https://docs.splunk.com/Documentation/AddOns/released/MSO365/ConfigureappinAzureAD
Hey there @Hillary Masciave!
OneDrive (Sharepoint Online) logs are available via the Graph API's audit endpoint:
https://graph.microsoft.com/v1.0/auditLogs/signIns
Please keep in mind that the events logged by default are fairly basic. Additional configuration is required to gather all/relevant and useful events, both from Entra (Azure AD) and Sharepoint/OneDrive:
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs
https://support.microsoft.com/en-au/office/configure-audit-data-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
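As an added example (not from the Cribl docs or from either poster), a small Python walker for the audit endpoint named above: Graph returns large result sets in pages linked by @odata.nextLink, so a collector has to build a time-windowed first-page URL and then follow the links until Graph stops sending one. The graph_fetch wiring and the bearer token are assumptions, and the two-page response is constructed so the walker runs offline.

```python
import json
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Dict, List
from urllib.parse import quote

GRAPH_SIGNINS = "https://graph.microsoft.com/v1.0/auditLogs/signIns"

def build_collect_url(earliest: datetime, latest: datetime, page_size: int = 100) -> str:
    """First-page URL scoped to a createdDateTime window (ISO-8601 UTC, trailing Z)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lo, hi = (t.astimezone(timezone.utc).strftime(fmt) for t in (earliest, latest))
    flt = f"createdDateTime ge {lo} and createdDateTime lt {hi}"
    return f"{GRAPH_SIGNINS}?$filter={quote(flt)}&$top={page_size}"

def graph_fetch(url: str, bearer_token: str) -> dict:
    """Live page fetch with the app's access token (hypothetical wiring; obtaining
    the token via the client-credentials flow is outside this example)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def collect_pages(url: str, fetch: Callable[[str], dict], max_pages: int = 1000) -> List[dict]:
    """Follow @odata.nextLink until Graph omits it. A repeated link or a run past
    max_pages is a fault worth surfacing, not something to retry silently."""
    events: List[dict] = []
    seen = set()
    while url:
        if url in seen or len(seen) >= max_pages:
            raise RuntimeError(f"pagination stopped at {url!r} after {len(seen)} pages")
        seen.add(url)
        body = fetch(url)
        events.extend(body.get("value", []))
        url = body.get("@odata.nextLink")  # absent on the final page
    return events

# Constructed offline stand-in for Graph: two pages, the first carrying a nextLink.
FIRST = build_collect_url(datetime(2024, 5, 1, tzinfo=timezone.utc),
                          datetime(2024, 5, 2, tzinfo=timezone.utc), page_size=2)
SECOND = f"{GRAPH_SIGNINS}?$skiptoken=constructed-token"
FAKE_GRAPH: Dict[str, dict] = {
    FIRST: {"value": [{"id": "s1", "appDisplayName": "OneDrive"},
                      {"id": "s2", "appDisplayName": "SharePoint Online"}],
            "@odata.nextLink": SECOND},
    SECOND: {"value": [{"id": "s3", "appDisplayName": "OneDrive"}]},
}

def demo() -> List[dict]:
    """Walk the constructed pages; a real run would pass a partial of graph_fetch."""
    return collect_pages(FIRST, FAKE_GRAPH.__getitem__)
```

If the Collect URL in Cribl only ever returns the first page, the missing piece is usually the nextLink follow-up rather than the URL itself.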
Thank you very much @Ron D. ! I'll pass this along to the team.