All Apps and Add-ons

How to resolve Microsoft Graph Security Add-On for Splunk - KeyError: 'access_token'?

Lu1
Loves-to-Learn Everything

Hi,

I'm trying implement Microsoft Graph Security Add-On for Splunk. I'm using Splunk Enterprise Version v8.

2022-11-29 14:19:07,357 ERROR pid=17546 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-microsoft-graph-security-add-on-for-splunk/bin/ta_microsoft_graph_security_add_on_for_splunk/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-microsoft-graph-security-add-on-for-splunk/bin/microsoft_graph_security.py", line 72, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-microsoft-graph-security-add-on-for-splunk/bin/input_module_microsoft_graph_security.py", line 63, in collect_events
access_token = _get_access_token(helper)
File "/opt/splunk/etc/apps/TA-microsoft-graph-security-add-on-for-splunk/bin/input_module_microsoft_graph_security.py", line 39, in _get_access_token
return access_token[ACCESS_TOKEN]
KeyError: 'access_token'

Labels (3)
0 Karma

beaunewcomb
Communicator

We have tried every combination of credentials for this and still receiving the same token error as above.   Is it possible for someone to please map these in a clear way?  Do we do anything with the "SECRET ID" ?

GRAPH TA:

Username = (Client ID?)
Password = (Secret VALUE?)
Tenant ID = Tenant ID

0 Karma

ceejohn78
Loves-to-Learn Lots

I got mines to work. Assuming you have all the permission correct ensure you are using the correct "client/secret" in your Azure environment. The issue with these Microsoft add-on's is you have use the "value" ID instead of the "secret" which most documentation doesn't specify. 

0 Karma

xmeng
Loves-to-Learn Lots

Yes you are right. I just used the wrong ID. Many thanks for help!!

0 Karma

xmeng
Loves-to-Learn Lots

Hi ceejohn78,

Thank you for your reply. 

Do you mean for password field on Splunk, what I need is the secret value, not the secret ID?

Cheers,

 

 

 

0 Karma

mxyy31ruth
Loves-to-Learn Lots

Hello Lu1,

do you find a solution to this issue?

 

 

0 Karma

Lu1
Loves-to-Learn Everything

On every API call interval, debug shows in sequence:
540 DEBUG pid=5212 tid=MainThread file=retry.py:from_int:333 | Converted retries value: 3 -> Retry(total=3, connect=None, read=None, redirect=None, status=None)
541 DEBUG pid=5212 tid=MainThread file=retry.py:from_int:333 | Converted retries value: 3 -> Retry(total=3, connect=None, read=None, redirect=None, status=None)
542 DEBUG pid=5212 tid=MainThread file=connectionpool.py:_new_conn:975 | Starting new HTTPS connection (1): login.microsoftonline.com:443
281 DEBUG pid=5212 tid=MainThread file=connectionpool.py:_make_request:461 | https://login.microsoftonline.com:443 "POST /{Tenant ID}/oauth2/v2.0/token HTTP/1.1" 401 632

From Splunk to Proxy to CONNECT login.microsoftonline.com:443 returns 200

0 Karma

ceejohn78
Loves-to-Learn Lots

Following because I am getting the exact same error.

0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...