Hi @subbarayudu,
When I faced the same problem, I could improve the collection rate to over 99% by modifying the API calls that collect events (Sign-ins and Audit Logs) as follows.
e.g. when the delay time is 5 minutes:
$SPLUNK_HOME/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_audit.py

```python
event_source = "tenant_id:%s" % tenant_id
query_date = get_start_date(helper, check_point_key)
# End the window 5 minutes before now so events Graph has not yet made queryable are picked up next run
query_date_end = (datetime.datetime.utcnow() - datetime.timedelta(minutes=5)).strftime('%Y-%m-%dT%H:%M:%S.%fZ')
access_token = azauth.get_access_token(client_id, client_secret, tenant_id)

if(access_token):
    # Both comparisons parenthesised; the first "(" was missing in the original filter
    url = "https://graph.microsoft.com/beta/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=(activityDateTime+gt+%s)+and+(activityDateTime+le+%s)" % (query_date, query_date_end)
    audit_events = azutils.get_items(helper, access_token, url)
```
$SPLUNK_HOME/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_signins.py

```python
event_source = "tenant_id:%s" % tenant_id
query_date = get_start_date(helper, check_point_key)
# Same 5-minute lag on the end of the sign-in window
query_date_end = (datetime.datetime.utcnow() - datetime.timedelta(minutes=5)).strftime('%Y-%m-%dT%H:%M:%S.%fZ')
access_token = azauth.get_access_token(client_id, client_secret, tenant_id)

if(access_token):
    url = "https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=(createdDateTime+gt+%s)+and+(createdDateTime+le+%s)" % (query_date, query_date_end)
    sign_ins = azutils.get_items(helper, access_token, url)
```
There is no need to restart the Splunk service after making the fix.
The corrected API call will be executed at the next collection run, and events from the checkpoint up to 5 minutes before the collection time will be collected.
If you want to check that the modified API call is being executed, you can check it in the app's DEBUG log.
e.g. Sign-ins:
2019-05-31 15:09:23,282 DEBUG pid=32155 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=(createdDateTime+gt+2019-05-31T05:58:52.8129242Z)+and+(createdDateTime+le+2019-05-31T06:04:22.013821Z) HTTP/1.1" 200 None
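As an added illustration (not code from the TA or from the poster), the window logic the patched lines implement, run against the checkpoint and end time visible in the DEBUG line above; the Graph endpoint, filter fields and timestamp format come from the post, while the function names, the `plan_poll` skip rule and the sample values are assumptions for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample values taken from the DEBUG line in the post:
# the stored checkpoint and a "now" that is 5 minutes after the window end.
EXAMPLE_CHECKPOINT = "2019-05-31T05:58:52.8129242Z"
EXAMPLE_NOW = datetime(2019, 5, 31, 6, 9, 22, 13821, tzinfo=timezone.utc)

GRAPH_BASE = "https://graph.microsoft.com/beta/auditLogs/signIns"
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_graph_ts(ts):
    """Parse a Graph timestamp. Graph emits up to 7 fractional digits, but
    strptime's %f accepts at most 6, so the fraction is truncated/padded."""
    date_part, _, frac = ts.rstrip("Z").partition(".")
    frac = (frac + "000000")[:6]
    return datetime.strptime(f"{date_part}.{frac}Z", TS_FMT).replace(tzinfo=timezone.utc)


def window_end(now, lag_minutes=5):
    """End of the collection window: 'now' pulled back by the lag, so events
    Graph has not yet made queryable fall into the next run instead of being lost."""
    return (now - timedelta(minutes=lag_minutes)).strftime(TS_FMT)


def build_signins_url(checkpoint, end):
    """Both comparisons are parenthesised; an unbalanced $filter is rejected by Graph."""
    return (f"{GRAPH_BASE}?$orderby=createdDateTime"
            f"&$filter=(createdDateTime+gt+{checkpoint})+and+(createdDateTime+le+{end})")


def plan_poll(checkpoint, now, lag_minutes=5):
    """Return (url, next_checkpoint), or None when the lagged end has not moved
    past the checkpoint yet (lag longer than the polling interval). Advancing the
    checkpoint to the window end keeps consecutive windows contiguous: no gaps,
    no double collection."""
    end = window_end(now, lag_minutes)
    if parse_graph_ts(end) <= parse_graph_ts(checkpoint):
        return None
    return build_signins_url(checkpoint, end), end


if __name__ == "__main__":
    print(plan_poll(EXAMPLE_CHECKPOINT, EXAMPLE_NOW))
```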