I am having an issue with getting OMS set up. I am the owner of the subscription. I can see the squaredup app was created, the SPN was created, and squaredup-oms-plugin shows reader access to the OMS workspace shown in the Azure portal. The only thing is, if I go into the OMS Portal, it doesn’t show up as a user there (I am guessing since it is an app service?).

Anyways, if I add the following query:

Type=SecurityEvent EventID=4624 AND (LogonTypeName="10 - RemoteInteractive") | select TimeGenerated, Computer, Account

The OMS tile in SquaredUp shows:

Query contains excessive number of logical terms; consider revising query or replacing AND/OR with comma-separated values.

It seems like it isn’t working. I tried a couple of other queries and got the same results (yes, the queries work in OMS).

There are only 2 things that I can see that might be an issue. #1, I don’t see the squaredup app in Azure AD. If I do a Get SPN on the app, though, it does have an SPN and has Reader Role access to the resource group. #2, if I look into the OMS portal->Settings->Users, I don’t see the app there, but that might be normal.

My OMS workspace has been upgraded to the new language. I have tried both the legacy and the new query in the OMS tile.
