Hi, I see that there are missing logs. I can see them under Microsoft Graph, but they are not ingested using the add-on. If I clone the input and change the dates (changing the date in the existing input does not work), the missing logs are ingested. My interval is set to 300s - maybe this is the key? Do you have any suggestions for the settings?
I had this issue with 1.0.3 as well. I contacted MS Support and was told:
For sign-ins to Azure services, we expect latency of up to 5 minutes. From the o365 side, they allow latency of up to 24 hours, but say delays should be considerably shorter.
Basically, Signin logs aren't available via API in chronological order, but the Signin Time is accurate.
So you may get:
Because the app uses the checkpoint time of the newest event, you'd lose Events 2 and 3 in this scenario if the scripted input ran between Event 4 being available via API and Event 3 being available.
What I did was update the python code to search from the checkpoint date/time to 10 minutes ago. This means that my log data is always 10 minutes behind, but I can live with that.
FYI - I also noticed a bug where the graph URL is using ge (greater than or equal to) instead of gt (greater than). This caused the newest event from each run to be duplicated. If you had several runs with no new data, that event could get duplicated many times.
My updated portion of the python script is as follows:
```python
# Added by George to account for events not being made available via API in chronological order
import datetime

# Upper bound of the query window: 10 minutes before now, in the ISO 8601 UTC form Graph expects
toDateTime = (datetime.datetime.utcnow() - datetime.timedelta(minutes=10)).strftime('%Y-%m-%dT%H:%M:%SZ')

# Query events strictly after the checkpoint (gt, not ge) and before the lagged upper bound
url = "https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+gt+%s+and+createdDateTime+lt+%s" % (query_date, toDateTime)

# Original add-on query, kept for reference (ge re-fetches the newest checkpointed event on every run)
#url = "https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+ge+%s" % query_date
#
# Done with George Additions
```
I did not notice missing audit events with 1.0.3, but I'll be validating that data this week since I just upgraded the App to 1.1.0.
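The checkpoint behaviour described in the post above, as an added simulation that is not part of this thread or of the add-on's own code. It assumes constructed sample events (event 2 and 3 created before event 4 but visible in the API only later), a stand-in function for the Graph call, and a hypothetical `build_url` helper that mirrors the patched `$filter`; it shows why a `gt` filter with no lag loses late events, why `ge` duplicates the newest event on every idle run, and how the 10-minute lag window recovers the late events at the cost of delay.

```python
import datetime as dt

UTC_FMT = "%Y-%m-%dT%H:%M:%SZ"


def ts(s):
    """Parse the ISO 8601 UTC form used in the add-on's checkpoint and $filter."""
    return dt.datetime.strptime(s, UTC_FMT)


# Constructed sample sign-in events (not real Graph data).
# Tuple: (event id, createdDateTime, time the event first becomes visible in the API).
# Events 2 and 3 are the late arrivals: created before event 4, visible only after it.
EVENTS = [
    (1, "2019-04-25T07:00:00Z", "2019-04-25T07:01:00Z"),
    (2, "2019-04-25T07:02:00Z", "2019-04-25T07:08:00Z"),
    (3, "2019-04-25T07:03:00Z", "2019-04-25T07:09:00Z"),
    (4, "2019-04-25T07:04:00Z", "2019-04-25T07:05:00Z"),
]

# Five scripted-input runs at the 300 s interval mentioned in the question.
POLLS = [ts("2019-04-25T07:%02d:00Z" % m) for m in (5, 10, 15, 20, 25)]


def build_url(query_date, to_date=None, op="gt"):
    """Hypothetical helper: build the $filter the same way the patched script does."""
    base = "https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter="
    cond = "createdDateTime+%s+%s" % (op, query_date)
    if to_date is not None:
        cond += "+and+createdDateTime+lt+%s" % to_date
    return base + cond


def simulated_graph_query(now, query_date, to_date=None, op="gt"):
    """Stand-in for the Graph call: return events that are visible at `now`
    and satisfy createdDateTime {op} query_date [and createdDateTime lt to_date],
    ordered by createdDateTime as $orderby requests."""
    hits = []
    for eid, created, visible in EVENTS:
        if ts(visible) > now:          # not yet available via the API
            continue
        c = ts(created)
        lower_ok = c > query_date if op == "gt" else c >= query_date
        upper_ok = to_date is None or c < to_date
        if lower_ok and upper_ok:
            hits.append((eid, created))
    return sorted(hits, key=lambda e: e[1])


def run_collector(polls, lag_minutes=0, op="gt"):
    """Simulate the add-on: each run queries from the checkpoint and then moves
    the checkpoint to the newest createdDateTime it fetched. Returns the ids
    ingested, in order, duplicates included."""
    checkpoint = ts("2019-04-25T06:59:00Z")
    ingested = []
    for now in polls:
        to_date = now - dt.timedelta(minutes=lag_minutes) if lag_minutes else None
        for eid, created in simulated_graph_query(now, checkpoint, to_date, op):
            ingested.append(eid)
            checkpoint = max(checkpoint, ts(created))
    return ingested


if __name__ == "__main__":
    print("ge, no lag :", run_collector(POLLS, op="ge"))          # newest event repeats every run
    print("gt, no lag :", run_collector(POLLS))                   # events 2 and 3 never ingested
    print("gt, 10m lag:", run_collector(POLLS, lag_minutes=10))   # all four, 10 minutes late
```

The lag only helps while it exceeds the API's visibility delay: an event that becomes visible more than `lag_minutes` after its createdDateTime would still be skipped once the checkpoint has moved past it, which is why the lag was sized against the observed delay rather than the poll interval.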
The checkpoint seems to be ok - "2019-04-25T07:14:44.588042Z" - but there are still missing logs (judging by one application which is very rarely used so far). The logon is in the audit log in Azure, but it is not ingested into Splunk.
I'll try to change the interval to 10 min, because I'm observing that logs appear in Azure after ~5 minutes.
If this was an in-place upgrade, the checkpoint may have caused the issue. The checkpoint contains the timestamp of the last Azure AD event read to use as a starting point for the next query. Try the following search to see what data is in the checkpoint:
| inputlookup AAD_checkpoint_lookup | eval key=_key
When you created the new input, a new checkpoint was established, since checkpoints are unique to the input. Your specified interval seems fine.