How to forward Azure PIM logs to Splunk?

Question

I want to know step-by-step process on how to forward Entra PIM logs to Splunk. Any document availbe?

Also, I want to know if we have Splunk integration already in place and Azure logs are being forwarded, after PIM enabling, what extra configurations we need to make to let PIM logs be forwarded to Splunk?

Answer 1

Hi @Neel Darji

Thanks for reaching out to Microsoft Q&A.

By default, you can export Entra ID logs to Log Analytics (Azure Monitor), a storage account, event hub or a partner solution. PIM related logs are located inside Audit Logs.

Depending on the amount of data you want to export, usually, these data are sent to Log Analytics and then other tools, like Splunk, pulls the logs from there.

We do not have any documentation from Microsoft on exporting data to an specific tool, but I found a somewhat old procedure from Splunk that might give you some hints on how to do that. However, I'd recommend you reach out to Splunk support to validate if that documentation is accurate

https://www.splunk.com/en_us/blog/tips-and-tricks/splunking-microsoft-cloud-data-part-1.html?301=/en_us/blog/cloud/splunking-microsoft-cloud-data-part-1.html

About your second question, if you already export Entra ID audit logs to Splunk, no further action is required as those logs are part of the Audit Logs.

Let me know if you have any questions.

Thanks,

Fabio

Answer 2

Hi @Neel Darji

I just wanted to check in and see if you had any other questions or if you were able to resolve your issue.

If you have any other questions, please let me know.

Thanks,

Fabio

Answer 3

Hi @Neel Darji

I just wanted to check in and see if you had any other questions or if you were able to resolve your issue.

If you have any other questions, please let me know.

Thanks,

Fabio