Microsoft Azure Active Directory Reporting Add-on ...

Getting Data In

We have an issue with the Microsoft Azure Active Directory Reporting Add-on for Splunk where it's not retrieving all the signin events.

We currently have our interval set at 60 seconds. We can turn up logging to debug and watch the log and the AzureAD Portal side by side. Occationally, the addon runs but returns 0 events even though we can see a new event in the portal. To one up this, we can also run the same API query with Postman and get the new events, so I'm pretty sure the issue is on the addon side and not the api side.

I would say that this isn't a big deal since it didn't update the checkpoint (since it didn't find any events), it should find the event on the next run. NOT! Even on the next run it's not finding the event. Eventually, we'll get a new signing and the addon will get that event and completely skip the missed event. In the last 20 minutes, I've had 15 signin events in the AzureAD Portal and querying API via Postman, but I only have 8 signin events in Splunk.

Has anyone else experienced similiar?

Get Updates on the Splunk Community!

Microsoft Azure Active Directory Reporting Add-on for Splunk not retrieving all events.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation