Great questions and allow me to clarify: I have this data in a spreadsheet that I simply refer back to I want to append to the kvstore lookup as new rows as the data I have in my spreadsheet  doesn't exist in the kvstore For example, I see src IPs that have no zone associated with them because that data is not in the kvstore, but in my spreadsheet so I'd like to append that data so it's in the kvstore/lookup Hope this helps Thx ... View more

TYVM for the reply. On a different tack, I found this article - https://www.deductiv.net/blog/gettin-fuzzy-with-it - that mentioned this app - https://splunkbase.splunk.com/app/3626/ (JellyFisher is a Splunk custom search command that leverage the excellent jellyfish python's library to do approximate and phonetic strings matching), which I then added the line  | jellyfisher levenshtein_distance(src,previous_src) to the SPL that leads me to believe I can search for levenshtein_distance > 1 to eliminate similar src values as another way to tackle the issue of similar src names ... View more

One issue I see is that with using isnull/isnotnull as follows, it tags all values from the bunits field as critical: | eval priority=if(isnull(mvfind(bunit,"(%foo%)")), "critical" , "TBD")   Is there a better information function (https://docs.splunk.com/Documentation/SCS/current/SearchReference/InformationalFunctions#isstr.28.26lt.3Bvalue.26gt.3B.29) to use? ... View more

Thx again ... View more

That worked after making a slight change so TYVM! At first when I used the following, the priority field was still coming back as TBD | eval priority=if(isnotnull(mvfind(bunit,"fis")), "critical" , "TBD") However, when I made the change from isnotnull to isnull (and added % to foo) the bunit field was now tagged as critical | eval priority=if(isnull(mvfind(bunit,"%foo%")), "critical" , "TBD") Is it possible to search for multiple values in the bunit filed in the eval like as follows? I have a list of zones/bunits I need to tag as critical | eval priority=if(isnull(mvfind(bunit,"%foo%", "%bar%, "%abc%)), "critical" , "TBD")  Thx again! ... View more

My apologies as reviewing the search output I need to dedup fields with bunit being one of those fields. Here is my entire search:   index=arp sourcetype=foo_arp NOT mac IN (incomplete) | lookup securitygroupmembers_lookup cidr_range as ip | lookup dnslookup clientip as ip OUTPUT clienthost as dns | fillnull value=NULL | search zone!="" | eval zone=coalesce(zone,"null") | rename zone AS bunit | eval priority=if(like(bunit,"%foo%"), "critical" , "TBD") | eval ip=mvdedup(ip), mac=mvdedup(mac), dns=mvdedup(dns), bunit=mvdedup(bunit), device=mvdedup(device), interface=mvdedup(interface) | table ip, mac, nt_host, dns, owner, priority, lat, long, city, country, bunit, category, pci_domain, is_expected, should_timesync, should_update, requires_av, device, interface | search bunit=*foo*   For some reason I am getting dupes in various fields so I use an eval to dedup those fields. With bunit being a multi value field, what effect does that have? Thx ... View more

bunit just has one value per IP ... View more

Thx for the update and for sharing your settings for the add-on / one would think Microsoft would have a better API for message trace logs knowing the importance of those logs Glad you got it working and hope it stays that way! ... View more

Thx for posting @jconger as followed the instructions you laid out and was able to add a few Defender for Cloud App inputs - alerts and policies ... View more

Have you opened a case with Microsoft by any chance as I believe the issue lies with them? ... View more

Thx for the reply I am using the Palo TA and ingesting the logs via HF with the sourcetype set to pan:traffic ... View more

I recreated the input on the add-on and recreated the app registration in Azure and still not working for me ... View more

Any reply to the question or did you figure it out? I'm seeing a different error starting today: 021-11-08 16:31:12,318 ERROR pid=4614 tid=MainThread file=base_modinput.py:log_error:309 | Traceback (most recent call last): File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/splunklib/binding.py", line 1262, in request raise HTTPError(response) splunklib.binding.HTTPError: HTTP 500 Internal Server Error -- b'{"messages":[{"type":"ERROR","text":"Unexpected error \\"<class \'splunktaucclib.rest_handler.error.RestError\'>\\" from python handler: \\"REST Error [400]: Bad Request -- HTTP 400 Bad Request -- int() argument must be a string, a bytes-like object or a number, not \'NoneType\'\\". See splunkd.log for more details."}]}' ... View more

Thx for the reply and info, but I actually opened a case with Microsoft about this and they said the issue was on their side and that they just fixed it.  I had all permissions and configs set correctly, but once they fixed their issue, sign in events/logs started to flow in.   Thx ... View more

So far I have not been able to fix it. If I do, I will definitely post the fix. Thx ... View more

I was also getting this error as well so I created a new client secret and double checked API permissions and I am now getting this error message:   Traceback (most recent call last): File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events self.collect_events(ew) File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_signins.py", line 92, in collect_events input_module.collect_events(self, ew) File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_signins.py", line 86, in collect_events sign_in_response = azutils.get_items_batch(helper, access_token, url) File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 55, in get_items_batch raise e File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 49, in get_items_batch r.raise_for_status() File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/requests/models.py", line 940, in raise_for_status raise HTTPError(http_error_msg, response=self) requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+gt+2021-04-26T16:06:15.458362Z+and+createdDateTime+le+2021-04-27T19:59:15.673961Z ... View more

TYVM or posting! ... View more