Microsoft Azure Add on for Splunk 3.1.1 - authenti...

All Apps and Add-ons

It looks to be that in version 3.1.1 the defaults for AAD Sign Ins swaps away from BETA --> 1.0 which looks to not be providing authentication_method (MFA/2FA) information.

This default change in behaviour can be seen in this file 'input_module_MS_AAD_signins.py'

BEFORE:
url = graph_base_url + "/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+%s+and+createdDateTime+le+%s" % (query_date, end_date.strftime('%Y-%m-%dT%H:%M:%S.%fZ'))

AFTER:
url = graph_base_url + "/%s/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+%s+and+createdDateTime+le+%s" % (endpoint, query_date, end_date.strftime('%Y-%m-%dT%H:%M:%S.%fZ'))

For anyone who really needs/wants authentication_method information I strongly encourage you to back to your INPUTS and change the dropdown back to BETA.

These seem to have been dropped by MS in v1 . unless BETA is ahead .. in which case they will be and all that is required is to change the INPUT

Get Updates on the Splunk Community!

Microsoft Azure Add on for Splunk 3.1.1 - authentication_method

troubleshooting

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Are you a member of the Splunk Community?