I have been using this Add-on to collection signin and audit logs for Azure AD for a while now. However, there is a continue problem of randomly stop of data ingestion.
I couldn’t find any relevant error messages in the debug logs, and I had to re-enable the data inputs to fix it.
Are you using version 1.0.3 of the add-on? There were some improvements made to the data collection code in that release.
Also, Microsoft has exposed Azure AD sign-in and audit logs via Event Hubs now. The Azure Monitor Add-on for Splunk can ingest the Azure AD logs from an Event Hub -> https://splunkbase.splunk.com/app/3534/
Yes I am using version 1.0.3 Microsoft Azure Active Directory Reporting Add-on for Splunk