Hi @jconger , Thanks for your advice. I have created a new input named Prod_AAD_Audit5 and can see the start time is correct by going back to the past seven days. "activityDateTime+gt+2022-09-21T23:56:27.306392Z" Unfortunately getting the connection was broken by 'ReadTimeoutError" and finally stopped by the "Max retries exceeded with URL" after five times retrying. "2022-09-28 23:56:53,529 ERROR pid=25364 tid=MainThread file=base_modinput.py:log_error:316 | Get error when collecting events. Traceback (most recent call last): File ""/opt/splunk/etc/apps/TA-MS-AAD/lib/urllib3/connectionpool.py"", line 449, in _make_request six.raise_from(e, None) File ""/opt/splunk/etc/apps/TA-MS-AAD/lib/urllib3/util/retry.py"", line 592, in increment raise MaxRetryError(_pool, url, error or ResponseError(cause)) urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='graph.microsoft.com', port=443): Max retries exceeded with url: /v1.0/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activityDateTime+gt+2022-09-21T23:56:27.306392Z+and+activityDateTime+le+2022-09-28T23:49:27.438651Z (Caused by ReadTimeoutError(""HTTPSConnectionPool(host='graph.microsoft.com', port=443): Read timed out. (read timeout=5)"")) 2022-09-28 23:56:27,438 DEBUG pid=25364 tid=MainThread file=base_modinput.py:log_debug:298 | _Splunk_ input_name=Prod_AAD_Audit5 Audit URL used: https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activityDateTime+gt+2022-09-21T23:56:27.306392Z+and+activityDateTime+le+2022-09-28T23:49:27.438651Z 2022-09-28 23:56:32,458 DEBUG pid=25364 tid=MainThread file=retry.py:increment:594 | Incremented Retry for (url='/v1.0/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activityDateTime+gt+2022-09-21T23:56:27.306392Z+and+activityDateTime+le+2022-09-28T23:49:27.438651Z'): Retry(total=2, connect=3, read=2, redirect=None, status=None)   ... View more

I am facing the same problem. I have configured via web UI on the Splunk cloud IDM instance. I am getting the aad device, sign-in, groups and identity protection from the same MS Azure graph API with the tenant ID and app account. In my case, this is appearing as v1.0 but getting error HTTP error for the audit logs. 2022-09-26 23:45:24,180 ERROR pid=25942 tid=MainThread file=base_modinput.py:log_error:316 | Get error when collecting events. Traceback (most recent call last): File "/opt/splunk/etc/apps/TA-MS-AAD/lib/splunktaucclib/modinput_wrapper/base_modinput.py", line 140, in stream_events self.collect_events(ew) File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py", line 168, in collect_events response = azutils.get_items_batch_session(helper=helper, url=url, session=session) File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 119, in get_items_batch_session raise e File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 115, in get_items_batch_session r.raise_for_status() File "/opt/splunk/etc/apps/TA-MS-AAD/lib/requests/models.py", line 1021, in raise_for_status raise HTTPError(http_error_msg, response=self) requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activityDateTime+gt+2020-03-24T15:21:02.3519945Z+and+activityDateTime+le+2022-09-26T23:38:24.006432Z Microsoft Graph Permission: AuditLog.Read.All Device.Read.All Directory.Read.All Group.Read.All IdentityRiskEvent.Read.All User.Read User.Read.All Input configuration: Name = aad_audit Audit Sourcetype = azure:aad:audit azure_app_account = <my config account> endpoint = v1.0 environment = public index = azure interval = 86400 query_backoff_throttle = 420 query_window_size = 0 tenant_id = <my tenant ID> ... View more