Getting Data In

Microsoft Azure Active Directory Reporting Add-on for Splunk not retrieving all events.

GRMcCauley
Explorer

We have an issue with the Microsoft Azure Active Directory Reporting Add-on for Splunk where it's not retrieving all the signin events.

We currently have our interval set at 60 seconds. We can turn up logging to debug and watch the log and the AzureAD Portal side by side. Occationally, the addon runs but returns 0 events even though we can see a new event in the portal. To one up this, we can also run the same API query with Postman and get the new events, so I'm pretty sure the issue is on the addon side and not the api side.

I would say that this isn't a big deal since it didn't update the checkpoint (since it didn't find any events), it should find the event on the next run. NOT! Even on the next run it's not finding the event. Eventually, we'll get a new signing and the addon will get that event and completely skip the missed event. In the last 20 minutes, I've had 15 signin events in the AzureAD Portal and querying API via Postman, but I only have 8 signin events in Splunk.

Has anyone else experienced similiar?

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.