splunk / splunk-add-on-microsoft-azure

Splunk Add-on for Microsoft Azure
Apache License 2.0

userAgent missing from raw logs #71

Open ajoergensson opened 5 months ago

ajoergensson commented 5 months ago

Would it be possible to configure the TA to ship the userAgent field? Because when I compare with another TA, [Splunk Add-on for Microsoft Office 365](hxxps://splunkbase.splunk.com/app/4055), the userAgent field is present. It could be this is a technological limitation and it has nothing to do with the TA, but I just want to confirm here.

When I compare the same raw log of the two TAs, this is how they differ.

Splunk Add-on for Microsoft Azure:

```json
{
  "id": "3199c44f-04f0-4db9-88e8-9333f5a25d00",
  "createdDateTime": "2024-01-22T09:49:28Z",
  "userDisplayName": "test_user",
  "userPrincipalName": "test_user@kse5sandbox.onmicrosoft.com",
  "userId": "0592b152-07cd-4ebe-a78c-ae48b9fee455",
  "appId": "1950a258-227b-4e31-a9cf-717495945fc2",
  "appDisplayName": "Microsoft Azure PowerShell",
  "ipAddress": "20.203.193.162",
  "clientAppUsed": "Mobile Apps and Desktop clients",
  "correlationId": "94fb6cfc-503d-430e-9f55-7da0c4749622",
  "conditionalAccessStatus": "notApplied",
  "isInteractive": true,
  "riskDetail": "none",
  "riskLevelAggregated": "none",
  "riskLevelDuringSignIn": "none",
  "riskState": "none",
  "riskEventTypes": [],
  "riskEventTypes_v2": [],
  "resourceDisplayName": "Windows Azure Service Management API",
  "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013",
  "status": {
    "errorCode": 0,
    "failureReason": "Other.",
    "additionalDetails": null
  },
  "deviceDetail": {
    "deviceId": "",
    "displayName": "",
    "operatingSystem": "Windows",
    "browser": "",
    "isCompliant": false,
    "isManaged": false,
    "trustType": ""
  },
  "location": {
    "city": "Zuerich",
    "state": "Zuerich",
    "countryOrRegion": "CH",
    "geoCoordinates": {
      "altitude": null,
      "latitude": 47.37417,
      "longitude": 8.53695
    }
  },
  "appliedConditionalAccessPolicies": []
}
```

Splunk Add-on for Microsoft Office 365:

```json
{
  "CreationTime": "2024-01-22T09:49:29",
  "Id": "3199c44f-04f0-4db9-88e8-933321a35d00",
  "Operation": "UserLoginFailed",
  "OrganizationId": "2536c2cd-2c37-4f47-a66f-28d8362a8bf6",
  "RecordType": 15,
  "ResultStatus": "Success",
  "UserKey": "0592b152-07cd-4ebe-a78c-ae48b9fee455",
  "UserType": 0,
  "Version": 1,
  "Workload": "AzureActiveDirectory",
  "ClientIP": "20.203.193.162",
  "ObjectId": "00000002-0000-0ff1-ce00-000000000000",
  "UserId": "test_user@kse5sandbox.onmicrosoft.com",
  "AzureActiveDirectoryEventType": 1,
  "ExtendedProperties": [
    {"Name": "ResultStatusDetail", "Value": "Success"},
    {"Name": "UserAgent", "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.56"},
    {"Name": "UserAuthenticationMethod", "Value": "1"},
    {"Name": "RequestType", "Value": "Login:login"}
  ],
  "ModifiedProperties": [],
  "Actor": [
    {"ID": "0592b152-07cd-4ebe-a78c-ae48b9fee455", "Type": 0},
    {"ID": "test_user@kse5sandbox.onmicrosoft.com", "Type": 5}
  ],
  "ActorContextId": "2536c2cd-2c37-4f47-a66f-28d8362a8bf6",
  "ActorIpAddress": "20.203.193.162",
  "InterSystemsId": "054cbda5-2cc1-bdfe-a80c-f8c9ed8a0f16",
  "IntraSystemId": "3199c44f-04f0-4db9-88e8-933321a35d00",
  "SupportTicketId": "",
  "Target": [
    {"ID": "00000002-0000-0ff1-ce00-000000000000", "Type": 0}
  ],
  "TargetContextId": "2536c2cd-2c37-4f47-a66f-28d8362a8bf6",
  "ApplicationId": "00000002-0000-0ff1-ce00-000000000000",
  "DeviceProperties": [
    {"Name": "OS", "Value": "Windows10"},
    {"Name": "BrowserType", "Value": "Edge"}
  ],
  "ErrorNumber": "399218"
}
```
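As an added example (not part of the issue or of either add-on's code): a small Python helper that pulls the user agent out of whichever of the two event shapes above it is given, returning None for the Graph sign-in event where the field is absent and falling back to the deviceDetail fields that event does carry. The sample events are constructed, abbreviated copies of the two logs in the post; the top-level `userAgent` lookup is an assumption about a key the Azure event does not currently contain.

```python
from typing import Optional

# Constructed, abbreviated copies of the two events quoted in the issue;
# only the fields this example reads are kept.
AZURE_SIGNIN = {
    "id": "3199c44f-04f0-4db9-88e8-9333f5a25d00",
    "userPrincipalName": "test_user@kse5sandbox.onmicrosoft.com",
    "appDisplayName": "Microsoft Azure PowerShell",
    "deviceDetail": {"operatingSystem": "Windows", "browser": ""},
}
O365_LOGON = {
    "Id": "3199c44f-04f0-4db9-88e8-933321a35d00",
    "Operation": "UserLoginFailed",
    "UserId": "test_user@kse5sandbox.onmicrosoft.com",
    "ExtendedProperties": [
        {"Name": "ResultStatusDetail", "Value": "Success"},
        {"Name": "UserAgent", "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
         "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.56"},
        {"Name": "RequestType", "Value": "Login:login"},
    ],
    "DeviceProperties": [{"Name": "OS", "Value": "Windows10"},
                         {"Name": "BrowserType", "Value": "Edge"}],
}

def _named_value(pairs, name: str) -> Optional[str]:
    """Value of the first {Name, Value} pair whose Name matches, else None."""
    for pair in pairs or []:
        if pair.get("Name") == name:
            return pair.get("Value")
    return None

def user_agent(event: dict) -> Optional[str]:
    """User agent from either event shape, or None when the event has none.
    O365 Management Activity logon events carry it as a Name/Value pair in
    ExtendedProperties; the Graph sign-in event in the issue has no such field.
    The top-level "userAgent" lookup is an assumption and yields None here."""
    if "ExtendedProperties" in event:
        return _named_value(event["ExtendedProperties"], "UserAgent")
    return event.get("userAgent")

def client_hint(event: dict) -> str:
    """Best-effort client label: the UA when present, otherwise app name plus
    the deviceDetail OS/browser that the Graph event does carry."""
    ua = user_agent(event)
    if ua:
        return ua
    dd = event.get("deviceDetail", {})
    parts = [event.get("appDisplayName"), dd.get("operatingSystem"), dd.get("browser")]
    return " / ".join(p for p in parts if p) or "unknown"
```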