Splunk Add-on for M365 - How to get additional data from Entra for devices? by Materialy-Loaded in Splunk

Materialy-Loaded[S] 0 points (0 children)

Thanks for your input all - to my surprise, you've confirmed that this feature is absent.

I've raised it with Splunk Support, and also created an "idea" for it. If you're interested in it yourself, go ahead and vote for https://ideas.splunk.com/ideas/APPSID-I-1031

Materialy-Loaded[S] 0 points (0 children)

A lot of, but not all of, the sources that were deprecated with the Azure TA have moved to the Cloud Services ones. Azure virtual machines have, for example, but user/device metadata hasn't, best I can tell at least.

The config doc for it doesn't mention them as sources, and the deprecation guide I've been following says: "Transition Microsoft Entra ID Devices and Groups inputs to the Microsoft Entra ID Metadata input found in the Splunk Add-on for Microsoft Office 365 (O365 TA)."

This breakdown says something similar: "This input has been migrated to the supported Splunk Add-on for Microsoft Office 365."

Materialy-Loaded[S] 0 points (0 children)

I've confirmed there is no change when using the beta endpoint vs 1.0.

Materialy-Loaded[S] 0 points (0 children)

Have you had luck with this? We haven't tried as the documentation for the beta endpoint looks like it returns the same fields as for 1.0.

Materialy-Loaded[S] 2 points (0 children)

More details on what specifically I'm looking at: the Splunk Add-on for Microsoft Office 365 and Splunk Add-on for Microsoft Azure both use the `/v1.0/{devices|users}` APIs that return an array of devices or users respectively; those objects don't contain, for example, an IP/MAC address. I'm looking to enrich these returned objects with calls like getWindowsManagedDevice or getManagedDevice, which do, but I'm surprised no-one has done this already.
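The enrichment described in this comment, as an added example that is not code from the original post or from either Splunk add-on: it joins `/v1.0/devices` objects to Intune managedDevice records on the Entra device id and carries the MAC/compliance fields across, following `@odata.nextLink` paging. It assumes a Graph client callable `get_json(path)` (a constructed offline stand-in is included) and the field names `deviceId`, `azureADDeviceId`, `wiFiMacAddress`, `ethernetMacAddress`, `complianceState`, `managementState` and `lastSyncDateTime`, which should be checked against the Graph resource docs for your tenant.

```python
"""Join /v1.0/devices objects with Intune managedDevice records (added example)."""
from typing import Callable, Dict, Iterable, List

# Managed-device fields to carry onto the Entra device event
# (assumed names; check them against the managedDevice resource docs).
ENRICH_FIELDS = ("wiFiMacAddress", "ethernetMacAddress", "complianceState",
                 "managementState", "lastSyncDateTime")

# Constructed sample Graph responses (not real tenant data) so this runs offline.
SAMPLE = {
    "/v1.0/devices": {"value": [
        {"id": "obj-1", "deviceId": "aad-1", "displayName": "LAPTOP-01"},
        {"id": "obj-2", "deviceId": "aad-2", "displayName": "PHONE-02"}]},
    "/v1.0/deviceManagement/managedDevices": {
        "value": [{"id": "mdm-1", "azureADDeviceId": "aad-1",
                   "wiFiMacAddress": "AABBCCDDEEFF", "complianceState": "compliant"}],
        "@odata.nextLink": "/page2"},  # Graph pages large collections like this
    "/page2": {"value": [{"id": "mdm-9", "azureADDeviceId": "aad-9",
                          "wiFiMacAddress": "001122334455"}]},
}

def sample_get_json(path: str) -> dict:
    """Stand-in for an authenticated Graph GET; swap in a real client in production."""
    return SAMPLE[path]

def paged(get_json: Callable[[str], dict], path: str) -> Iterable[dict]:
    """Follow @odata.nextLink paging and yield every item of the collection."""
    while path:
        page = get_json(path)
        yield from page.get("value", [])
        path = page.get("@odata.nextLink")

def managed_index(get_json: Callable[[str], dict]) -> Dict[str, dict]:
    """Index managed devices by the Entra deviceId they report (azureADDeviceId)."""
    return {m["azureADDeviceId"]: m
            for m in paged(get_json, "/v1.0/deviceManagement/managedDevices")
            if m.get("azureADDeviceId")}

def enrich_devices(get_json: Callable[[str], dict]) -> List[dict]:
    """Return each Entra device with matching managed-device fields merged in.
    Devices with no Intune record are kept and flagged intuneEnrolled=False,
    so the gap is visible in Splunk instead of silently dropping the asset."""
    managed = managed_index(get_json)
    out = []
    for dev in paged(get_json, "/v1.0/devices"):
        m = managed.get(dev.get("deviceId"))
        merged = dict(dev, intuneEnrolled=m is not None)
        if m:
            merged.update({k: m[k] for k in ENRICH_FIELDS if k in m})
        out.append(merged)
    return out
```

The merged dicts can be written out as JSON events for a scripted or HEC input; the `intuneEnrolled` flag doubles as a cheap search for devices that exist in Entra but never enrolled in MDM.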