Using Microsoft Azure Add-on for Splunk v 3.0.0, we have successfully gotten events from AD & Event Hub, and we are now attempting to get Security Center Alerts & Tasks, but we're getting the following stack trace:
2020-12-09 22:24:55,806 ERROR pid=31658 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/azure_security_center_input.py", line 88, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_azure_security_center_input.py", line 83, in collect_events
    if (this_changedTime > max_asc_task_date):
TypeError: '>' not supported between instances of 'str' and 'NoneType'
Our app has "Reader" permissions in Azure, which fixed a 403 error before we got to this point, and it's very likely that this error is related to a permission setting somewhere in Azure (potentially similar to this solved question). This error is only happening for Security TASKs, though we are not getting any events for Security Alerts either when one is enabled and the other is disabled.
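
The traceback above shows line 83 comparing a string timestamp against a value that is None. As an added example (not the add-on's own code and not part of the original post), here is one way to write a checkpoint comparison that tolerates an unset checkpoint and compares parsed times rather than raw strings. It assumes None means no checkpoint has been stored yet; the `changedTime` key, the function names and the sample records are hypothetical.

```python
import re
from datetime import datetime

# ISO 8601 with optional fraction and optional zone (Z or +hh:mm).
_TS = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})?$")


def parse_changed_time(value):
    """Return an aware datetime, or None if value is missing or malformed."""
    if not value:
        return None
    m = _TS.match(value.strip())
    if not m:
        return None
    base, frac, tz = m.groups()
    # fromisoformat accepts at most 6 fractional digits; truncate longer ones.
    frac = (frac or "0")[:6].ljust(6, "0")
    tz = "+00:00" if tz in (None, "Z") else tz  # assumption: no zone means UTC
    return datetime.fromisoformat(f"{base}.{frac}{tz}")


def select_new_tasks(tasks, checkpoint):
    """Return (tasks changed after checkpoint, checkpoint string to store next)."""
    floor = parse_changed_time(checkpoint)  # None when nothing stored yet
    newest, newest_raw, fresh = floor, checkpoint, []
    for task in tasks:
        raw = task.get("changedTime")  # hypothetical field name
        changed = parse_changed_time(raw)
        if changed is None:
            continue  # no usable timestamp: skip instead of raising TypeError
        if floor is None or changed > floor:
            fresh.append(task)
        if newest is None or changed > newest:
            newest, newest_raw = changed, raw
    return fresh, newest_raw


# Constructed sample records, not real Security Center output.
SAMPLE_TASKS = [
    {"name": "task-a", "changedTime": "2020-12-01T10:00:00.1234567Z"},
    {"name": "task-b", "changedTime": "2020-12-09T22:00:00Z"},
    {"name": "task-c", "changedTime": None},
]
```
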