Getting Data In

Microsoft Azure Active Directory Reporting Add-on for Splunk not retrieving all events.

GRMcCauley
Explorer

We have an issue with the Microsoft Azure Active Directory Reporting Add-on for Splunk where it's not retrieving all the signin events.

We currently have our interval set at 60 seconds. We can turn up logging to debug and watch the log and the AzureAD Portal side by side. Occationally, the addon runs but returns 0 events even though we can see a new event in the portal. To one up this, we can also run the same API query with Postman and get the new events, so I'm pretty sure the issue is on the addon side and not the api side.

I would say that this isn't a big deal since it didn't update the checkpoint (since it didn't find any events), it should find the event on the next run. NOT! Even on the next run it's not finding the event. Eventually, we'll get a new signing and the addon will get that event and completely skip the missed event. In the last 20 minutes, I've had 15 signin events in the AzureAD Portal and querying API via Postman, but I only have 8 signin events in Splunk.

Has anyone else experienced similiar?

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...