
Duplicate Azure security alerts, No Checkpoints!

s_alatroshi
New Member

Hi All,

I have installed the Azure TA "3757" v2 on our HF and followed the docs. We are successfully ingesting the Azure security alerts; the issue is that each time it runs it keeps ingesting the same data! When I check the checkpoint lookup it is always empty. I could not find any error even at Debug level. I have also tried (index=_internal TA_MS_AAD_checkpointer), but there are no events reporting on this collection. Any idea of some blocking that may happen, or some ports/endpoints that should be opened?

Thanks

0 Karma
1 Solution

jconger
Splunk Employee

The API used to collect the data has an issue with using a date/time filter (https://techcommunity.microsoft.com/t5/Azure/Azure-REST-API-filter-param-for-time-delta-throws-Provi... ). So, there isn't a working way to ask the API for only new data.

We're looking at a different way to throw away duplicate data on the add-on side before sending it to the index in a future release. For now, we'll need to rely on deduplication on the search side.


0 Karma
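To illustrate the add-on-side approach jconger mentions (dropping duplicates before they reach the index, keyed on a persisted checkpoint), here is an added example that is not the add-on's own code. The alert shape, the `id` field as the identity, and the checkpoint file path are assumptions; the sample polls are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample alerts shaped like Azure Security Center alert resources; consecutive polls overlap.
POLL_1 = [
    {"id": "/subscriptions/0000/alerts/a1", "properties": {"alertDisplayName": "Suspicious sign-in"}},
    {"id": "/subscriptions/0000/alerts/a2", "properties": {"alertDisplayName": "Port scan"}},
]
POLL_2 = [POLL_1[1], {"id": "/subscriptions/0000/alerts/a3", "properties": {"alertDisplayName": "Malware"}}]

def alert_key(alert):
    """Stable identity: the alert's resource id, else a SHA-256 of its canonical JSON."""
    if alert.get("id"):
        return alert["id"]
    canonical = json.dumps(alert, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

class Checkpoint:
    """Keys of already-forwarded alerts, persisted as JSON between input runs (assumed format)."""
    def __init__(self, path):
        self.path = Path(path)
        # A missing or empty checkpoint (the symptom in the question) filters nothing.
        self.seen = set(json.loads(self.path.read_text())) if self.path.exists() else set()

    def save(self):
        self.path.write_text(json.dumps(sorted(self.seen)))

def dedupe(alerts, checkpoint):
    """Return only unseen alerts and record their keys so the next run skips them."""
    fresh = []
    for alert in alerts:
        key = alert_key(alert)
        if key not in checkpoint.seen:
            checkpoint.seen.add(key)
            fresh.append(alert)
    checkpoint.save()
    return fresh

def demo(path=None):
    """Two input runs sharing one checkpoint file; returns the forwarded ids of each run."""
    path = path or Path(tempfile.mkdtemp()) / "azure_alerts_checkpoint.json"
    first = [a["id"] for a in dedupe(POLL_1, Checkpoint(path))]
    second = [a["id"] for a in dedupe(POLL_2, Checkpoint(path))]  # new object: reloaded from disk
    return first, second

if __name__ == "__main__":
    print(demo())
```

Until such a filter exists in the add-on, the same identity field is what a search-side dedup would key on.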


s_alatroshi
New Member

Thanks for the feedback, jconger. I will keep following for a solution in the new release.

0 Karma

jconger
Splunk Employee

Version 2.0.1 fixes the duplicate alert data issue.

0 Karma