All Apps and Add-ons

Microsoft Azure Active Directory Add-on for Splunk not ingesting audit logs, only Sign-Ins and Users.

ylucena
Explorer

Hello everyone,

I am facing this issue where for some reason audit logs are not being ingested into Splunk. The app lives on a Heavy Forwarder.

Both Sign-In and Audit logs are set and have the same credentials. I triple-checked their input configurations and all seems correct. Sign-in logs are now being ingested as expected, unlike the audit logs.

They are all configured with a 300 second interval and with the default range for old logs. The errors I see are:

"python /opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py" HTTPError: 400 Client Error: Bad Request for url: https://graph.microsoft.com/beta/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activit...

I was seeing some 429, which I found out had to do with API throttling but now that I have it set to 300 seconds I don't seem to be getting those anymore:

-0400 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_signins.py" HTTPError: 429 Client Error: for url: https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...

Have any of you experienced something similar with this app? I am super stuck and have no idea what is going on...

I would appreciate any help! 😉

Thanks,
Yan

0 Karma

subbarayudu
New Member

Configure signinsand Audit logs on different HWF's.

Thanks,
Subbu

0 Karma

ylucena
Explorer

Hey, thanks for the answer! However, I don't believe that should be the solution. Any HF should work the same, moreover, I don't have another one. Any other ideas?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...