This walkthrough will show you how to quickly and easily obtain user information from Azure AD directly from a Splunk search. This method is an alternative to ingesting this information on an interval via the Splunk Add-on for Azure. The primary benefits of using Dataflect to accomplish this are:
Real-time information - want to make sure there have been no changes since the last time that the Add-on for Azure ran?
Flexibility - with Dataflect you can flexibly parse and retrieve only the information you're interested in. In this example you will see how we normalize the fields at time of query using Dataflect's ability to parse API responses.
Register an Application in Azure AD
Navigate to the Azure portal.
Go to Azure Active Directory > App registrations > New registration.
Enter a name for the application, select the supported account types, and provide a Redirect URI (if necessary).
After registration, note down the Application (client) ID.
Create a Client Secret
Under your application registration, navigate to Certificates & secrets.
Click New client secret, give it a description and an expiration period.
Once created, copy the Value of the client secret (it won’t be visible again).
Assign Permissions to the Application
Navigate to "Enterprise Applications"
Select your newly created application
Select "API permissions"
Click "Add a permission"
Add the Microsoft Graph "User.Read.All" permission (an application permission, since the client credentials flow runs without a signed-in user, so an administrator must grant consent for the tenant).
Add graph.microsoft.com to the list of Allowed Domains in dataflect
Create a Credential with your new App Registration information in Dataflect
Type = OAuth (Client Credentials)
Client ID = Your Application ID
Client Secret = Your Client Secret
Token Endpoint URL = https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Be sure to replace {tenant} with your tenant ID
Run a basic search over the "users" endpoint
For many this might be good enough: from here you can output the fields you're interested in to a lookup, search for disabled users, search for users with a particular role, and so on.
For those who want more control, let's refine the search and pass some parameters to specify which fields we're interested in, adding some additional context:
Now let's make the field names more Splunk Common Information Model compliant. This will make it easier to add the information returned to a Splunk identities lookup which you might use for any number of reasons.
From Dataflect, navigate to "Settings", and select "Data Normalization"
Create a new Dataflect Normalization Collection. In this example we'll give it the name: azure_users, but this can be anything.
Now let's add some normalization configurations to our new collection.
From Dataflect, navigate to "Normalizations", and select your newly created Collection
Now reference this new Normalization lookup in our search by adding props=azure_users
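As an added example (not Dataflect's code and not part of the original post), this is what the refined search and the normalization step amount to at the API level: the client credentials token request to your tenant's token endpoint, a /users query that uses $select to ask Graph only for the attributes of interest, and a rename of the returned Graph attributes to Splunk CIM identity field names. The tenant ID, client ID, secret, the sample record and the Graph-to-CIM field mapping are placeholders and assumptions of this example.

```python
import json
import urllib.parse
import urllib.request

# Placeholders: replace with your tenant ID, Application (client) ID and client secret value.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "replace-with-client-secret-value"

TOKEN_URL = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users"

# Graph attribute -> Splunk CIM identities-lookup field (mapping is our assumption).
CIM_MAP = {"userPrincipalName": "identity", "givenName": "first",
           "surname": "last", "mail": "email", "mobilePhone": "phone"}

# Constructed sample of one record as returned by the Graph /users endpoint.
SAMPLE_USER = {"userPrincipalName": "jdoe@contoso.example", "givenName": "Jane",
               "surname": "Doe", "mail": "jdoe@contoso.example",
               "mobilePhone": None, "accountEnabled": False}


def token_request_body():
    """Form body for the client credentials grant (what the Dataflect credential sends)."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "scope": "https://graph.microsoft.com/.default",  # use the permissions granted to the app
    })


def users_url(fields):
    """Users endpoint URL with $select so Graph returns only the attributes we ask for."""
    return GRAPH_USERS_URL + "?" + urllib.parse.urlencode({"$select": ",".join(fields)})


def normalize_user(user):
    """Rename Graph attributes to CIM names; drop empty values, keep others (e.g. accountEnabled)."""
    return {CIM_MAP.get(k, k): v for k, v in user.items() if v is not None}


def fetch_users(fields):
    """Live path: obtain a bearer token, then follow @odata.nextLink through every page of /users."""
    req = urllib.request.Request(TOKEN_URL, data=token_request_body().encode(),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    token = json.load(urllib.request.urlopen(req))["access_token"]
    url, users = users_url(fields), []
    while url:
        page = json.load(urllib.request.urlopen(
            urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})))
        users += [normalize_user(u) for u in page["value"]]
        url = page.get("@odata.nextLink")
    return users
```

Call `fetch_users(list(CIM_MAP) + ["accountEnabled", "department"])` with real credentials to pull the same normalized records a Dataflect search with `props=azure_users` would return.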
Voila! With Dataflect it's really that easy. If you're interested in learning the many ways Dataflect can help you maximize your investment, contact us at sales@dataflect.com to schedule a demo today!