Getting Data In

microsoft azure add-on for Splunk is unable to pull ad risky sign-on logs


microsoft azure add-on for Splunk is unable to pull ad risky sign-on logs

if we look for internal logs , getting below mentioned events frequently , didn't see any issue but still we are not seeing any data.

2019-12-23 14:44:18,779 DEBUG pid=28967 tid=MainThread | Starting new HTTPS connection (1):
2019-12-23 14:44:18,772 INFO pid=28967 tid=MainThread | Proxy is not enabled!
2019-12-23 14:44:18,772 DEBUG pid=28967 tid=MainThread | _Splunk
Getting proxy server.
2019-12-23 14:44:18,772 DEBUG pid=28967 tid=MainThread | Splunk nextLink URL (@odata.nextLink):$orderby=createdDateTime&$filter=createdDateTime+...
2019-12-23 14:44:18,134 DEBUG pid=28967 tid=MainThread | "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+gt+2019-12-22T14%3a42%3a44.517899Z+and+createdDateTime+le+2019-12-23T14%3a35%3a44.819576Z&$skiptoken=*****************************_16000 HTTP/1.1" 200 None

0 Karma

Path Finder

1. Are you getting any logs at all from this app? Whether sign ins, users, directory audit, risk detections, or directory devices? 

2. Are you using the latest version of the app?

3. Are you using a proxy in your environment? I see from the message that it is not using a in the app, but if a proxy is blocking your internet access then this could make a problem.

4. Have you double-checked your Tenant ID, Client ID, and Client Secret (the latter two are for your App Registration which must have the required permissions

0 Karma

Path Finder

OK so he added the permission, now seen this error on a one-off basis:


2021-04-09 13:56:10,464 ERROR pid=136881 tid=MainThread | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/modinput_wrapper/", line 128, in stream_events
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/", line 76, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/", line 36, in collect_events
users_response = azutils.get_items_batch(helper, access_token, url)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/", line 55, in get_items_batch
raise e
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/", line 49, in get_items_batch
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/requests/", line 940, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url:

0 Karma

Path Finder

Hi Dave, thanks for the fast response.

I have been given the details from devops for logins, we still need to set permissions etc on the azure side, but expecting an error detailing this, when it does happen.

The version we're using is not the latest, its the one before as we're using it for eventhubs right now, so we cant bump it up.

We're running on S8 and dont use a proxy, proxy is disabled, we do however have URL whitelisting on our firewalls.

Can you please confirm the URLs that are used for obtaining AAD Users?

I've asked devops to check for anything on the azure side.



0 Karma

Path Finder

Hi, i have the same issue, what was your resolution?

0 Karma
Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...