
Get Information On Azure Users from Splunk

This walk through will show you how to quickly and easily obtain user information from Azure AD directly from a Splunk search. This method is an alternative to the approach of ingesting this information on an interval via the Splunk Add-on for Azure. The primary benefits of using Dataflect to accomplish this are:

  • Real-time information - want to make sure there have been no changes since the last time that the Add-on for Azure ran?

  • Flexibility - with Dataflect you can flexibly parse and retrieve only the information you're interested in. In this example you will see how we normalize the fields at time of query using Dataflect's ability to parse API responses.

Register an Application in Azure AD

  1. Navigate to the Azure portal.

  2. Go to Azure Active Directory > App registrations > New registration.

  3. Enter a name for the application, select the supported account types, and provide a Redirect URI (if necessary).

  4. After registration, note down the Application (client) ID.

Create a Client Secret

  1. Under your application registration, navigate to Certificates & secrets.

  2. Click New client secret, give it a description and an expiration period.

  3. Once created, copy the Value of the client secret (it won’t be visible again).

Assign Permissions to the Application

  1. Navigate to "Enterprise Applications"

  2. Select your newly created application

  3. Select "API permissions"

  4. Click "Add a permission"

  5. Add the Microsoft Graph "User.Read.All" permission.

Add graph.microsoft.com to the list of Allowed Domains in Dataflect

Create a Credential with your new App Registration information in Dataflect

  1. Type = OAuth (Client Credentials)

  2. Client ID = Your Application ID

  3. Client Secret = Your Client Secret

  4. Token Endpoint URL = https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token

    1. Be sure to replace {tenant} with your tenant ID

  5. Scope = https://graph.microsoft.com/.default

Run a basic search over the "users" endpoint


For many this might be good enough: from here you can output the fields you're interested in to a lookup, search for disabled users, search for users with a particular role, and so on.


For those who want more control, let's refine the search and pass some parameters that specify which fields we're interested in, adding some additional context:


Now let's make the field names Splunk Common Information Model (CIM) compliant. This makes it easier to add the returned information to a Splunk identities lookup, which you might use for any number of reasons.


From Dataflect, navigate to "Settings" and select "Data Normalization"

Create a new Dataflect Normalization Collection. In this example we'll give it the name: azure_users, but this can be anything.

Now let's add some normalization configurations to our new collection.


From Dataflect, navigate to "Normalizations" and select your newly created Collection

Now reference this new Normalization collection in the search by adding props=azure_users
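
The same flow outside Splunk, as an added example that is not Dataflect's own code: the client-credentials token request the OAuth credential above performs, a /users query that asks Graph for only the selected fields, and a rename of those fields to Splunk CIM identities-lookup names. The CIM mapping, the TENANT_ID/CLIENT_ID/CLIENT_SECRET placeholders and the sample responses in demo() are assumptions constructed for the example.

```python
import io, json, urllib.parse, urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
USERS_URL = "https://graph.microsoft.com/v1.0/users"
SCOPE = "https://graph.microsoft.com/.default"
# Graph attribute -> Splunk CIM identities-lookup field. The mapping is an
# assumption for this example; adjust it to match your own identities lookup.
CIM_MAP = {"userPrincipalName": "identity", "givenName": "first", "surname": "last",
           "mail": "email", "mobilePhone": "phone", "department": "bunit",
           "officeLocation": "work_city"}

def token_request(tenant, client_id, client_secret):
    """Client-credentials POST to the v2.0 token endpoint (what the Dataflect
    OAuth credential does for you)."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id, "client_secret": client_secret,
                                   "scope": SCOPE}).encode()  # .default = consented app permissions
    return urllib.request.Request(TOKEN_URL.format(tenant=tenant), data=body, method="POST")

def users_request(access_token, fields):
    """GET /users, asking Graph to return only the fields we need."""
    query = urllib.parse.urlencode({"$select": ",".join(fields), "$top": 999})
    return urllib.request.Request(f"{USERS_URL}?{query}",
                                  headers={"Authorization": f"Bearer {access_token}"})

def normalize(user):
    """Rename Graph attributes to CIM names; null and unmapped attributes are dropped."""
    return {cim: user[src] for src, cim in CIM_MAP.items() if user.get(src) is not None}

def fetch_users(tenant, client_id, client_secret, opener=urllib.request.urlopen):
    """Token exchange, then one page of users, normalized. `opener` is injectable."""
    with opener(token_request(tenant, client_id, client_secret)) as resp:
        token = json.load(resp)["access_token"]
    with opener(users_request(token, list(CIM_MAP) + ["accountEnabled"])) as resp:
        page = json.load(resp)  # real responses may also carry @odata.nextLink
    return [dict(normalize(u), enabled=u.get("accountEnabled")) for u in page["value"]]

def demo():
    """Run fetch_users offline against constructed sample responses (no network)."""
    sample = {TOKEN_URL.format(tenant="TENANT_ID"): {"access_token": "constructed-token"},
              USERS_URL: {"value": [{"userPrincipalName": "jdoe@example.com",
                                     "givenName": "Jane", "surname": "Doe",
                                     "mail": "jdoe@example.com", "mobilePhone": None,
                                     "department": "Finance", "officeLocation": "Oslo",
                                     "accountEnabled": False}]}}
    opener = lambda req: io.BytesIO(json.dumps(sample[req.full_url.split("?")[0]]).encode())
    return fetch_users("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET", opener)
```

Calling fetch_users with the default opener and real tenant values performs the live exchange; demo() exercises the same code path against the embedded sample data.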


Voila! With Dataflect it's really that easy. If you're interested in learning the many ways Dataflect can help you maximize your investment, contact us at sales@dataflect.com to schedule a demo today!
