All Apps and Add-ons

Getting errors when upgrading to Microsoft Azure Add-on version 2.1: "No logs ERROR401 Client Error", "ERROR ExecProcessor".

njytrde
Explorer

Hello all,

I recently upgraded the Microsoft Azure Add-on TA to version 2.1. Not only did it break the configuration, but there are also some added permissions that need to be applied on the Azure portal side. I worked with someone on our Windows AD team who has the necessary access but he did not see what is referenced below in the details of the Add-on.

https://splunkbase.splunk.com/app/3757/

Microsoft Azure Active Directory Sign-ins Microsoft Graph Read all audit log data
Windows Azure Active Directory "(Application) Read directory data

(Delegated) Read directory data"
Microsoft Azure Active Directory Users Microsoft Graph Read all audit log data
Windows Azure Active Directory "(Application) Read directory data

(Delegated) Read directory data"
Microsoft Azure Active Directory Audit Microsoft Graph Read all audit log data
Windows Azure Active Directory "(Application) Read directory data

(Delegated) Read directory data"

These are the errors in the internal logs. Any ideas?

04-28-2020 15:58:03.014 -0400

ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py" 

ERROR401 Client Error: Unauthorized for url: https://graph.microsoft.com/beta/auditLogs/directoryAudits?

$orderby=activityDateTime&$filter=activityDateTime+gt+2020-04-21T15:58:02.316173Z+and+activityDateTime+le+2020-04-28T19:51:02.559995Z
0 Karma
1 Solution

mwyman_splunk
Splunk Employee
Splunk Employee

I'm curious why it has "beta" instead of an api version, like v1.0, in the url that is returned in the error:

ERROR401 Client Error: Unauthorized for url: https://graph.microsoft.com/beta/

View solution in original post

0 Karma

mwyman_splunk
Splunk Employee
Splunk Employee

I'm curious why it has "beta" instead of an api version, like v1.0, in the url that is returned in the error:

ERROR401 Client Error: Unauthorized for url: https://graph.microsoft.com/beta/

0 Karma

njytrde
Explorer

So it turns out, the problem was, when I updated the TA version to 2.1 for Microsoft Azure Add-on for Splunk, the API permissions changed.

Once Directory.Read.All and AuditLog.Read.All was added for the application and delegation for the microsoft graph, the logs started ingesting normally again.

0 Karma

mwyman_splunk
Splunk Employee
Splunk Employee

I'm curious why it has "beta" instead of an api version, like v1.0, in the url that is returned in the error:

ERROR401 Client Error: Unauthorized for url: https://graph.microsoft.com/be

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...