Has anyone tried to onboard OneDrive Logs?

Hillary Masciave

We are following this document, https://docs.cribl.io/stream/usecase-rest-ms-graph/ We have tested bringing in Azure User and Device data in the past with no issue. We are having a problem figuring out the best Collect URL to use. We've tried many different ones. We've tested our URLs to Microsoft's Graph Explorer and we are not receiving the expected output in Cribl. We have also set all the permissions that a Splunk App would require, https://docs.splunk.com/Documentation/AddOns/released/MSO365/ConfigureappinAzureAD

Ron D.

Hey there @Hillary Masciave!

OneDrive (Sharepoint Online) logs are available via the Graph API's audit endpoint:

https://graph.microsoft.com/v1.0/auditLogs/signIns

Please keep in mind that the events logged by default are fairly basic. Additional configuration is required to gather all/relevant and useful events, both from Entra (Azure AD) and Sharepoint/OneDrive: https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-audit-logs https://support.microsoft.com/en-au/office/configure-audit-data-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2

Hillary Masciave

Thank you very much @Ron D. ! I'll pass this along to the team.