splunk / splunk-add-on-microsoft-azure

Splunk Add-on for Microsoft Azure
Apache License 2.0

UserAuthenticationMethods #42

Closed jasonadell closed 1 year ago

jasonadell commented 1 year ago

We are trying to pull in User Authentication Methods into Splunk from Azure. We get all of the other sign-in information but not the Authentication method. In Azure, AuthenticationMethod tells us if someone has used Windows Hello for Business to authenticate through Windows Sign-in. I see this line in the default props for the TA-MS-AAD:

FIELDALIAS-ms_aad_sign_in_authentication_authentication_method = authenticationDetails{}.authenticationMethod as authentication_method

We have also enabled the permissions for UserAuthenticationMethod.ReadAll in the necessary Azure app but we are not seeing the data in the azure index. We get all of the other sign-in information but not the authentication_method. There isn't even a NULL field. It just doesn't exist.

Am I doing something wrong, or is what I am asking not possible?

JasonConger commented 1 year ago

You should see authenticationDetails if you choose the "Beta" endpoint instead of the "v1.0" endpoint on the input.
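
The symptom in this thread (no authentication_method field at all, not even a null) can be reproduced offline with the following added example, which is not part of the thread or of the add-on's code. It models how the quoted alias path resolves against a sign-in event with and without an authenticationDetails array; the sample events, and every field name other than those in the alias line, are constructed for illustration.

```python
import json

# Source path taken from the FIELDALIAS line quoted in the issue.
ALIAS_PATH = "authenticationDetails{}.authenticationMethod"

def resolve(obj, path):
    """Resolve a Splunk-style JSON field path; '{}' means 'each array element'."""
    values = [obj]
    for part in path.split("."):
        is_array = part.endswith("{}")
        key = part[:-2] if is_array else part
        nxt = []
        for v in values:
            if not isinstance(v, dict) or key not in v:
                continue  # path absent: contributes nothing, not even a null
            child = v[key]
            if is_array:
                if isinstance(child, list):
                    nxt.extend(child)
            else:
                nxt.append(child)
        values = nxt
    return values

def authentication_methods(raw_event):
    """Return (field_exists, values) for the aliased authentication_method."""
    values = resolve(json.loads(raw_event), ALIAS_PATH)
    return (len(values) > 0, values)

# Constructed sample events (not real tenant data).
EVENT_WITHOUT_DETAILS = json.dumps({
    "id": "00000000-0000-0000-0000-000000000001",
    "userPrincipalName": "user@example.com",
    "appDisplayName": "Windows Sign In",
})
EVENT_WITH_DETAILS = json.dumps({
    "id": "00000000-0000-0000-0000-000000000002",
    "userPrincipalName": "user@example.com",
    "appDisplayName": "Windows Sign In",
    "authenticationDetails": [
        {"authenticationMethod": "Windows Hello for Business", "succeeded": True},
        {"authenticationMethod": "Previously satisfied", "succeeded": True},
    ],
})

if __name__ == "__main__":
    for name, ev in [("without", EVENT_WITHOUT_DETAILS), ("with", EVENT_WITH_DETAILS)]:
        print(name, authentication_methods(ev))
```

Running the same check over a few raw events exported from the index shows whether the input is delivering authenticationDetails at all, which separates an endpoint problem from a props problem.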