Open hkelley opened 10 months ago
What do you see in Microsoft Graph Explorer?
https://graph.microsoft.com/v1.0/auditLogs/signIns
Oftentimes, the beta endpoint returns more data => https://graph.microsoft.com/beta/auditLogs/signIns. If the beta endpoint has the data you're looking for, select the beta endpoint in the Splunk input dropdown.
The non-beta endpoint returns these values whether I use Get-MgAuditLogSignIn (see example in original note) or https://developer.microsoft.com/en-us/graph/graph-explorer (pic below).
Using the add-on, we don't see any riskyIPAddress values in the indexed riskEventTypes_v2 fields of Splunk events. I have searched back over our entire index and don't get any hits for this:
even though I can find events that should match when I query Graph directly:
An example of a Graph-fetched log:
and the same event logged in Splunk. Note the difference in the RiskEventTypesV2 field values