Closed markdconnelly closed 3 months ago
The endpoint variable should be retrieved from the input https://github.com/splunk/splunk-add-on-microsoft-azure/blob/16e30b976271056646c7b543422b99ec1b61d155/package/bin/MS_AAD_device.py#L94
Are you creating the inputs via the UI or by editing inputs.conf? If directly editing inputs.conf, make sure you specify the endpoint value. For example:
[MS_AAD_device://aad_device]
azure_app_account = azure
device_sourcetype = azure:aad:device
endpoint = v1.0
environment = public
index = azure
interval = 86400
tenant_id = *****
From the most recent version, but all of my devices have aged out (90+ days), so this has been an issue for a few versions.
Line 104 of the “MS_AAD_device.py” file is calling the wrong URL for the Graph API. url = graph_base_url + "/%s/devices" % endpoint
The variable highlighted above is putting “None” into the URL and failing. The valid values for that API call are “v1.0” or “beta”.
“https://graph.microsoft.com/v1.0/devices” or “https://graph.microsoft.com/beta/devices” produces the expected results.
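An added example, not part of the thread or the add-on's own code: it shows how a stanza without `endpoint` turns into a `/None/devices` URL under the string formatting quoted above, and a check that rejects the stanza before any request is sent. The function names, the second stanza and the `https://graph.microsoft.com` base for `environment = public` are assumptions made for the illustration.

```python
import configparser

VALID_ENDPOINTS = {"v1.0", "beta"}  # the two values the issue names as valid
GRAPH_BASE_URL = "https://graph.microsoft.com"  # assumed base for environment = public

# Constructed sample: the stanza from the thread plus a hypothetical one lacking `endpoint`.
SAMPLE_INPUTS_CONF = """
[MS_AAD_device://aad_device]
azure_app_account = azure
device_sourcetype = azure:aad:device
endpoint = v1.0
environment = public
index = azure
interval = 86400

[MS_AAD_device://aad_device_no_endpoint]
azure_app_account = azure
environment = public
index = azure
"""

def naive_devices_url(endpoint):
    """Same string formatting as the line quoted in the issue; no validation."""
    return GRAPH_BASE_URL + "/%s/devices" % endpoint

def devices_url(endpoint):
    """Build the devices URL, rejecting a missing or unknown endpoint."""
    if endpoint not in VALID_ENDPOINTS:
        raise ValueError("endpoint must be one of %s, got %r" % (sorted(VALID_ENDPOINTS), endpoint))
    return GRAPH_BASE_URL + "/%s/devices" % endpoint

def audit_inputs(conf_text):
    """Return {stanza: url or error string} for every MS_AAD_device stanza."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(conf_text)
    results = {}
    for stanza in parser.sections():
        if not stanza.startswith("MS_AAD_device://"):
            continue
        endpoint = parser.get(stanza, "endpoint", fallback=None)
        try:
            results[stanza] = devices_url(endpoint)
        except ValueError as exc:
            results[stanza] = "ERROR: %s" % exc
    return results

if __name__ == "__main__":
    for name, outcome in audit_inputs(SAMPLE_INPUTS_CONF).items():
        print(name, "->", outcome)
```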