Azure AD Identity Protection logs "azure:aad:identity_protection:risk*" - add-on stopped pulling logs from August 10th

[linsmeyerh]

Hi Team,

I noticed in 2 customers of mine that the Azure Identity Protection logs (risk detection|user) stopped being pulled and never recovered since August 10th.

Has anyone spotted or been aware of any changes from Microsoft that could have affected this TA from pulling the logs?

No changes were performed by the customer on the Azure management side and all other Azure inputs configured working as expected. I wasn't able to retrieve any specifics from Splunk internal logs to assist.

Is anything planned for the next release to cover this possible issue?

Thank you.

[linsmeyerh]

..question answered by Microsoft. There are new Graph API permissions to be assigned to allow reading and viewing!

No issues from the Splunk TA side, and closing this git issue.

Thank you.