All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to resolve Microsoft Graph Security Add-On for Splunk - KeyError: 'access_token'?

Lu1
Loves-to-Learn Everything
‎11-28-2022 10:34 PM

Hi,

I'm trying implement Microsoft Graph Security Add-On for Splunk. I'm using Splunk Enterprise Version v8.

2022-11-29 14:19:07,357 ERROR pid=17546 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-microsoft-graph-security-add-on-for-splunk/bin/ta_microsoft_graph_security_add_on_for_splunk/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-microsoft-graph-security-add-on-for-splunk/bin/microsoft_graph_security.py", line 72, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-microsoft-graph-security-add-on-for-splunk/bin/input_module_microsoft_graph_security.py", line 63, in collect_events
access_token = _get_access_token(helper)
File "/opt/splunk/etc/apps/TA-microsoft-graph-security-add-on-for-splunk/bin/input_module_microsoft_graph_security.py", line 39, in _get_access_token
return access_token[ACCESS_TOKEN]
KeyError: 'access_token'

Labels (3)
0 Karma
Reply

ceejohn78
Loves-to-Learn Lots
a month ago

I got mines to work. Assuming you have all the permission correct ensure you are using the correct "client/secret" in your Azure environment. The issue with these Microsoft add-on's is you have use the "value" ID instead of the "secret" which most documentation doesn't specify. 

0 Karma
Reply

xmeng
Loves-to-Learn Lots
4 weeks ago

Yes you are right. I just used the wrong ID. Many thanks for help!!

0 Karma
Reply

xmeng
Loves-to-Learn Lots
a month ago

Hi ceejohn78,

Thank you for your reply. 

Do you mean for password field on Splunk, what I need is the secret value, not the secret ID?

Cheers,

 

 

 

0 Karma
Reply

mxyy31ruth
Loves-to-Learn Lots
a month ago

Hello Lu1,

do you find a solution to this issue?

 

 

0 Karma
Reply

Lu1
Loves-to-Learn Everything
‎11-29-2022 10:20 PM

On every API call interval, debug shows in sequence:
540 DEBUG pid=5212 tid=MainThread file=retry.py:from_int:333 | Converted retries value: 3 -> Retry(total=3, connect=None, read=None, redirect=None, status=None)
541 DEBUG pid=5212 tid=MainThread file=retry.py:from_int:333 | Converted retries value: 3 -> Retry(total=3, connect=None, read=None, redirect=None, status=None)
542 DEBUG pid=5212 tid=MainThread file=connectionpool.py:_new_conn:975 | Starting new HTTPS connection (1): login.microsoftonline.com:443
281 DEBUG pid=5212 tid=MainThread file=connectionpool.py:_make_request:461 | https://login.microsoftonline.com:443 "POST /{Tenant ID}/oauth2/v2.0/token HTTP/1.1" 401 632

From Splunk to Proxy to CONNECT login.microsoftonline.com:443 returns 200

0 Karma
Reply

ceejohn78
Loves-to-Learn Lots
‎11-30-2022 02:31 PM

Following because I am getting the exact same error.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...