We have gone through several weeks of trying to set up a solution to ingest sign-in logs. After finally getting what we believe to be the proper API permissions and Subscription roles, we are having mixed results with ingest.
The current API permissions are:
API / Permission name             Type
Azure Active Directory Graph (3)
  Directory.Read.All              Delegated
  Directory.Read.All              Application
  User.Read                       Delegated
Azure Service Management (1)
  user_impersonation              Delegated
Microsoft Graph (4)
  AuditLog.Read.All               Application
  SecurityActions.Read.All        Delegated
  SecurityEvents.Read.All         Delegated
  User.Read                       Delegated
All required Admin consents have been granted.
Some functions of the Microsoft Azure Add-on for Splunk are working as advertised. We are getting AD Users and Azure Security Center Tasks, so the add-on is communicating with Azure.
The whole reason we installed this add-on is to retrieve Azure AD sign-in logs, and that is not going as well. Initially we were getting the HTTPError 429 for too many requests. We configured longer polling times and that error seems to have stopped. However, now we get a mix of HTTPError 401 Unauthorized and HTTPError 400 Bad Request, specifically for sign-ins.
Sample logs are below:
2020-01-22 07:55:18,899 ERROR pid=3367 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 127, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_signins.py", line 84, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_signins.py", line 77, in collect_events
sign_ins = azutils.get_items(helper, access_token, url)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 33, in get_items
raise e
HTTPError: 400 Client Error: Bad Request for url: https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+gt+2020-01-21T07%3a55%3a01.756644Z+and+createdDateTime+le+2020-01-22T13%3a48%3a02.158588Z&$skiptoken=
2020-01-22 06:30:01,054 ERROR pid=1518 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 127, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_signins.py", line 84, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_signins.py", line 77, in collect_events
sign_ins = azutils.get_items(helper, access_token, url)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 33, in get_items
raise e
HTTPError: 401 Client Error: Unauthorized for url: https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+gt+2020-01-21T03%3a31%3a20.218014Z+and+createdDateTime+le+2020-01-22T09%3a24%3a20.574883Z&$skiptoken=
We are looking for guidance or insight on why some aspects of the add-on work while others fail.
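Added example, not from the poster or from the add-on's code: a small Python poller for the same Graph beta signIns endpoint the tracebacks show, which treats the three statuses in the post differently instead of a bare `raise e`: 429 is throttling and is retried after the Retry-After header, 401 and 400 are raised as distinct errors, with the 400 carrying Graph's own error message so the rejected part of the query can be read. The `http_get` callable and the `replay()` fake are assumptions so that it runs offline; a real run would pass a function wrapping `requests.get`.

```python
import json
import time
import urllib.parse

# Endpoint from the add-on's error URLs: Graph beta sign-in logs.
SIGNINS_URL = "https://graph.microsoft.com/beta/auditLogs/signIns"

class AuthError(Exception): pass      # 401: Graph did not accept the token
class RequestError(Exception): pass   # 400: Graph rejected the query itself

def build_signins_url(start_iso, end_iso):
    """Same query shape as the add-on: ordered by createdDateTime over a time window."""
    flt = f"createdDateTime gt {start_iso} and createdDateTime le {end_iso}"
    return SIGNINS_URL + "?" + urllib.parse.urlencode(
        {"$orderby": "createdDateTime", "$filter": flt}, safe="$")

def fetch_signins(http_get, token, url, max_retries=5, sleep=time.sleep):
    """Collect all pages of sign-ins; back off on 429, fail loudly on 400/401.
    http_get(url, headers) -> (status, headers, body) is injected so this runs offline."""
    items, retries = [], 0
    while url:
        status, hdrs, body = http_get(url, {"Authorization": "Bearer " + token})
        if status == 429:                       # throttled: honour Retry-After, then retry
            retries += 1
            if retries > max_retries:
                raise RuntimeError("throttled: retry budget exhausted")
            sleep(int(hdrs.get("Retry-After", "5")))
            continue
        if status == 401:
            raise AuthError("401 for %s: check token audience and granted permissions" % url)
        if status == 400:
            msg = json.loads(body).get("error", {}).get("message", body)
            raise RequestError("400: %s" % msg)
        if status != 200:
            raise RuntimeError("unexpected HTTP %d" % status)
        page = json.loads(body)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")      # absent on the last page
        retries = 0
    return items

def replay(responses):
    """Constructed stand-in for Graph: replays canned (status, headers, body) tuples."""
    it = iter(responses)
    return lambda url, headers: next(it)
```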