Interactive sign-in events missed - query_backoff_throttle #90
Description
Hi Team,
We are troubleshooting an issue of missed interactive AAD sign-in events through this Splunk add-on.
We have a dual feed setup, where sign-in events go to both Splunk and an Azure Sentinel Log Analytics workspace. We have found some events to be missing in our Splunk index, which exist in the Log Analytics Workspace.
At this stage our assumption is that the issue is related to some events being delayed on the AAD side. E.g. when MFA authentication is required, on some occasions we observed delays of 10 minutes or more in the Azure GUI between the time the event corresponding to the MFA prompt was logged and the successful sign-in event (event code 0).
To be fair these were manual tests, and as the issue is hard to validate, we don't have strong evidence that there is correlation between the delays and the events being missed.
How does this Splunk add-on handle cases where events may be available via the Azure API with some delay?
I read that the default/recommended value for query_backoff_throttle is 420 seconds.
Is this setting responsible for handling delayed events?
How can we ensure that no events are missed by the Splunk add-on even if there are delayed events via the API?
Thank you.
Akos
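As an added illustration (this is not code from the issue or from the Splunk add-on), the following is a generic poller for a log API that exposes some events late. Each poll queries createdDateTime only up to a fixed lag behind real time and advances a watermark, so an event is collected only if the lag exceeds its ingestion delay. The event names, the in-memory "API", the ingestion delays and the poll schedule are all constructed for the example; whether query_backoff_throttle implements this kind of lag is exactly the question asked above and is not confirmed here.

```python
"""Illustrative watermark poller with a lag behind real time.

Added example, NOT the Splunk add-on's code. The 'API' is an in-memory list
of constructed sign-in events, each tagged with the time it first became
visible, so late ingestion can be simulated offline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SignIn:
    event_id: str
    created: int      # createdDateTime, seconds since epoch (constructed)
    visible_at: int   # when the API first returns it (constructed)


# Constructed sample: "c3" is an MFA-delayed sign-in that only becomes
# visible 900 s after its createdDateTime.
SAMPLE_EVENTS = [
    SignIn("a1", created=1000, visible_at=1005),
    SignIn("b2", created=1300, visible_at=1310),
    SignIn("c3", created=1400, visible_at=2300),
]

# Constructed poll schedule (seconds since epoch).
POLL_TIMES = [1500, 2000, 2500, 3000]


def fake_api_query(events, start, end, now):
    """Return events with start <= created < end that the API exposes at `now`."""
    return [e for e in events if start <= e.created < end and e.visible_at <= now]


def max_ingestion_delay(events):
    """Largest gap between createdDateTime and API visibility in the sample."""
    return max(e.visible_at - e.created for e in events)


def poll(events, poll_times, lag):
    """Poll at each time in `poll_times`, asking only for createdDateTime in
    [watermark, now - lag). Returns the collected event ids, deduplicated.

    With lag=0 any event whose ingestion delay exceeds the poll interval is
    skipped forever: the watermark moves past its createdDateTime before the
    API exposes it. A lag larger than the worst ingestion delay avoids that.
    """
    seen, collected = set(), []
    watermark = 0
    for now in poll_times:
        end = now - lag
        if end <= watermark:
            continue  # nothing new is old enough to query yet
        for e in fake_api_query(events, watermark, end, now):
            if e.event_id not in seen:
                seen.add(e.event_id)
                collected.append(e.event_id)
        watermark = end
    return collected


if __name__ == "__main__":
    print("worst ingestion delay:", max_ingestion_delay(SAMPLE_EVENTS))
    for lag in (0, 420, 1000):
        print(f"lag={lag:4d}s ->", poll(SAMPLE_EVENTS, POLL_TIMES, lag))
```

With the constructed delays, a lag of 0 s or 420 s both lose "c3" because its ingestion delay (900 s) exceeds the lag, while a lag of 1000 s collects all three events; the practical check is therefore to measure the worst observed gap between createdDateTime and API visibility and keep the lag above it.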
Activity
Security-power commented on Nov 20, 2024
Hello,
I have exactly the same issue. Some sign-in logs are missing in Splunk and we also suspect it to be because of the latency of Azure data ingestion (it can take up to 1 hour to show in Azure). Did you find any workaround?