After upgrading the Microsoft Azure add-on for Splunk from ver. 3.0.1 to 3.1.1, I noticed that some important details are missing in the sign-ins events collected through the "Microsoft Azure Active Directory Sign-ins" input.
For example, the whole authenticationDetails section is no longer visualized.
the event from ver. 3.0.1 add-on contains:
.....
appId: xxxxxxx-xxxxx-xxxx-xxxxx-xxxxxxxxx
appliedConditionalAccessPolicies: [ [+]
]
authenticationDetails: [ [+]
]
authenticationMethodsUsed: [ [+]
]
authenticationProcessingDetails: [ [+]
]
authenticationRequirement: multiFactorAuthentication
authenticationRequirementPolicies: [ [+]
]
clientAppUsed: Browser
....
while the events from ver 3.1.1, doesn't:
appId: xxxxxxx-xxxxx-xxxx-xxxxx-xxxxxxxxx
appliedConditionalAccessPolicies: [ [+]
]
clientAppUsed: Browser
....
Also some other information like userAgent or userType are missing.
Did someone of you experience the same issue?
Awsome, that was a quick fix, thanks for the quick response "Fed_Kerr"!
We also see this issue after upgrade to 3.1.1.
Did you find any resolution to the problem?
Cloud being so important and these log sources are really important, so it's strange that this is an unsupported app from Splunk.
I saw that in this new version there is a new setting called "Endpoint" for some inputs such as "MS Azure Active Directory Sign-ins" or "AD Users". I tried to set it to "beta" instead of v1.0 and all missing fields got collected.
I'm assuming that since it's called beta it is under testing, but, hopefully, with the next version update, they will make it official.