
How to resolve Microsoft Graph Security Add-On for Splunk - KeyError: 'access_token'?

Lu1
Loves-to-Learn Everything

Hi,

I'm trying to implement the Microsoft Graph Security Add-On for Splunk. I'm using Splunk Enterprise Version v8.

2022-11-29 14:19:07,357 ERROR pid=17546 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-microsoft-graph-security-add-on-for-splunk/bin/ta_microsoft_graph_security_add_on_for_splunk/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-microsoft-graph-security-add-on-for-splunk/bin/microsoft_graph_security.py", line 72, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-microsoft-graph-security-add-on-for-splunk/bin/input_module_microsoft_graph_security.py", line 63, in collect_events
access_token = _get_access_token(helper)
File "/opt/splunk/etc/apps/TA-microsoft-graph-security-add-on-for-splunk/bin/input_module_microsoft_graph_security.py", line 39, in _get_access_token
return access_token[ACCESS_TOKEN]
KeyError: 'access_token'

0 Karma

beaunewcomb
Communicator

We have tried every combination of credentials for this and are still receiving the same token error as above. Is it possible for someone to please map these in a clear way? Do we do anything with the "SECRET ID"?

GRAPH TA:

Username = (Client ID?)
Password = (Secret VALUE?)
Tenant ID = Tenant ID

0 Karma

ceejohn78
Loves-to-Learn Lots

I got mine to work. Assuming you have all the permissions correct, ensure you are using the correct "client/secret" in your Azure environment. The issue with these Microsoft add-ons is you have to use the "value" ID instead of the "secret", which most documentation doesn't specify.

0 Karma

xmeng
Loves-to-Learn Lots

Yes, you are right. I just used the wrong ID. Many thanks for the help!!

0 Karma

xmeng
Loves-to-Learn Lots

Hi ceejohn78,

Thank you for your reply. 

Do you mean that for the password field on Splunk, what I need is the secret value, not the secret ID?

Cheers,

0 Karma

mxyy31ruth
Loves-to-Learn Lots

Hello Lu1,

Did you find a solution to this issue?

0 Karma

Lu1
Loves-to-Learn Everything

On every API call interval, debug shows in sequence:
540 DEBUG pid=5212 tid=MainThread file=retry.py:from_int:333 | Converted retries value: 3 -> Retry(total=3, connect=None, read=None, redirect=None, status=None)
541 DEBUG pid=5212 tid=MainThread file=retry.py:from_int:333 | Converted retries value: 3 -> Retry(total=3, connect=None, read=None, redirect=None, status=None)
542 DEBUG pid=5212 tid=MainThread file=connectionpool.py:_new_conn:975 | Starting new HTTPS connection (1): login.microsoftonline.com:443
281 DEBUG pid=5212 tid=MainThread file=connectionpool.py:_make_request:461 | https://login.microsoftonline.com:443 "POST /{Tenant ID}/oauth2/v2.0/token HTTP/1.1" 401 632

From Splunk to Proxy to CONNECT login.microsoftonline.com:443 returns 200

0 Karma
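
An added example, not part of any post in this thread and not the add-on's own code: the traceback shows the token response being indexed for `access_token` without a check, so the 401 error body from the token endpoint surfaces as a `KeyError`. The sketch below reports the OAuth error instead and flags a configured secret that has GUID shape, on the assumption that Azure Secret IDs are GUIDs while secret Values are not; the function names and sample responses are constructed.

```python
import json
import re

# Assumption: the "Secret ID" shown in the Azure portal is a GUID; the "Value" is not.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample bodies (not captured from a real tenant).
SAMPLE_OK = '{"token_type": "Bearer", "expires_in": 3599, "access_token": "constructed.token.value"}'
SAMPLE_401 = '{"error": "invalid_client", "error_description": "Invalid client secret provided (constructed text)."}'


class TokenError(Exception):
    """Raised when the token endpoint did not return an access token."""


def looks_like_secret_id(client_secret):
    """True if the configured secret has GUID shape, i.e. is likely the Secret ID."""
    return bool(GUID_RE.match(client_secret.strip()))


def extract_access_token(status_code, body_text, client_secret=""):
    """Return the access token, or raise TokenError carrying the service's reason."""
    try:
        payload = json.loads(body_text)
    except ValueError:
        raise TokenError("HTTP %d: token response is not JSON" % status_code) from None
    if not isinstance(payload, dict):
        raise TokenError("HTTP %d: unexpected token response shape" % status_code)

    token = payload.get("access_token")
    if status_code == 200 and token:
        return token

    # Report the OAuth error fields; never write the secret itself to the log.
    reason = "HTTP %d: %s: %s" % (
        status_code,
        payload.get("error", "unknown_error"),
        payload.get("error_description", "no description"),
    )
    if looks_like_secret_id(client_secret):
        reason += " | configured secret has GUID shape; check that it is the Value, not the Secret ID"
    raise TokenError(reason)


if __name__ == "__main__":
    try:
        extract_access_token(401, SAMPLE_401, "11111111-2222-3333-4444-555555555555")
    except TokenError as exc:
        print("token request failed:", exc)
```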

ceejohn78
Loves-to-Learn Lots

Following because I am getting the exact same error.

0 Karma