
Missing fields in sign-in events after upgrading Microsoft Azure add-on for Splunk to 3.1.1

fed_kerr
Explorer

After upgrading the Microsoft Azure add-on for Splunk from ver. 3.0.1 to 3.1.1, I noticed that some important details are missing in the sign-in events collected through the "Microsoft Azure Active Directory Sign-ins" input.

For example, the whole authenticationDetails section is no longer visualized.

The event from the ver. 3.0.1 add-on contains:

.....
appId: xxxxxxx-xxxxx-xxxx-xxxxx-xxxxxxxxx
appliedConditionalAccessPolicies: [ ... ]
authenticationDetails: [ ... ]
authenticationMethodsUsed: [ ... ]
authenticationProcessingDetails: [ ... ]
authenticationRequirement: multiFactorAuthentication
authenticationRequirementPolicies: [ ... ]
clientAppUsed: Browser
....

while the events from ver. 3.1.1 don't:

.....
appId: xxxxxxx-xxxxx-xxxx-xxxxx-xxxxxxxxx
appliedConditionalAccessPolicies: [ ... ]
clientAppUsed: Browser
....

Also some other information, like userAgent or userType, is missing.

Did any of you experience the same issue?


ivarny
Path Finder

Awesome, that was a quick fix, thanks for the quick response "Fed_Kerr"!


ivarny
Path Finder

We also see this issue after upgrade to 3.1.1.
Did you find any resolution to the problem?

Cloud being so important, and these log sources being really important, it's strange that this is an unsupported app from Splunk.


fed_kerr
Explorer

I saw that in this new version there is a new setting called "Endpoint" for some inputs such as "MS Azure Active Directory Sign-ins" or "AD Users". I tried to set it to "beta" instead of v1.0 and all missing fields got collected.

I'm assuming that since it's called beta it is under testing, but, hopefully, with the next version update, they will make it official.
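A small post-upgrade health check, added here as an example and not part of the thread or of the add-on: it loads sign-in events (one JSON object per line, as exported from Splunk) and reports which of the fields a detection pipeline relies on are present in fewer events than expected. The field list, the dotted-path notation and the two sample events are assumptions built from the abbreviated events quoted above; MFA-related searches that key on authenticationRequirement or authenticationDetails would otherwise simply return nothing after a field loss like this one, with no error to alert on.

```python
import json
from typing import Any, Dict, Iterable, List

# Assumption: these are the fields the thread shows as present before the
# upgrade and absent after it, plus a nested one (status.errorCode) to show
# dotted-path handling. Extend the list with whatever your searches depend on.
EXPECTED_FIELDS = [
    "appId",
    "appliedConditionalAccessPolicies",
    "authenticationDetails",
    "authenticationRequirement",
    "clientAppUsed",
    "status.errorCode",
    "userAgent",
    "userType",
]


def has_path(event: Dict[str, Any], dotted: str) -> bool:
    """True if the dotted path (e.g. 'status.errorCode') exists in the event."""
    node: Any = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    return True


def load_events(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Parse newline-delimited JSON, one sign-in event per line; blank lines are skipped."""
    events: List[Dict[str, Any]] = []
    for line in lines:
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def field_coverage(events: List[Dict[str, Any]],
                   expected: List[str] = EXPECTED_FIELDS) -> Dict[str, float]:
    """Fraction of events (0.0 to 1.0) in which each expected field is present."""
    if not events:
        return {f: 0.0 for f in expected}
    return {f: sum(1 for e in events if has_path(e, f)) / len(events) for f in expected}


def missing_fields(events: List[Dict[str, Any]],
                   expected: List[str] = EXPECTED_FIELDS,
                   threshold: float = 1.0) -> List[str]:
    """Expected fields whose coverage falls below the threshold, sorted by name."""
    cov = field_coverage(events, expected)
    return sorted(f for f, c in cov.items() if c < threshold)


# Constructed sample events shaped like the abbreviated ones in the thread
# (the GUID and all values are placeholders, not real tenant data).
EVENT_FULL = {
    "appId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "appliedConditionalAccessPolicies": [],
    "authenticationDetails": [{"authenticationMethod": "Password", "succeeded": True}],
    "authenticationRequirement": "multiFactorAuthentication",
    "clientAppUsed": "Browser",
    "status": {"errorCode": 0},
    "userAgent": "Mozilla/5.0 (constructed sample)",
    "userType": "Member",
}

# Same event as collected with the trimmed field set described in the thread.
EVENT_TRIMMED = {
    "appId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "appliedConditionalAccessPolicies": [],
    "clientAppUsed": "Browser",
    "status": {"errorCode": 0},
}


if __name__ == "__main__":
    # Compare the two shapes; in practice feed load_events() a file of exported events.
    for label, batch in (("full", [EVENT_FULL]), ("trimmed", [EVENT_TRIMMED])):
        print(f"{label}: missing={missing_fields(batch)}")
```

Run it against a day of exported events rather than a single one: a coverage well below 1.0 for a field that used to be present, rather than an outright absence, is the typical sign of a partial input change, and the threshold argument lets you tune how strict the check is per field list.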
