Hi,
I'm trying to implement Microsoft Graph Security Add-On for Splunk. I'm using Splunk Enterprise Version v8.
2022-11-29 14:19:07,357 ERROR pid=17546 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-microsoft-graph-security-add-on-for-splunk/bin/ta_microsoft_graph_security_add_on_for_splunk/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-microsoft-graph-security-add-on-for-splunk/bin/microsoft_graph_security.py", line 72, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-microsoft-graph-security-add-on-for-splunk/bin/input_module_microsoft_graph_security.py", line 63, in collect_events
    access_token = _get_access_token(helper)
  File "/opt/splunk/etc/apps/TA-microsoft-graph-security-add-on-for-splunk/bin/input_module_microsoft_graph_security.py", line 39, in _get_access_token
    return access_token[ACCESS_TOKEN]
KeyError: 'access_token'
We have tried every combination of credentials for this and are still receiving the same token error as above. Is it possible for someone to please map these in a clear way? Do we do anything with the "SECRET ID"?
GRAPH TA:
Username = (Client ID?)
Password = (Secret VALUE?)
Tenant ID = Tenant ID
I got mine to work. Assuming you have all the permissions correct, ensure you are using the correct "client/secret" in your Azure environment. The issue with these Microsoft add-ons is you have to use the "value" ID instead of the "secret", which most documentation doesn't specify.
Yes, you are right. I just used the wrong ID. Many thanks for the help!!
Hi ceejohn78,
Thank you for your reply.
Do you mean that for the password field on Splunk, what I need is the secret value, not the secret ID?
Cheers,
Hello Lu1,
Did you find a solution to this issue?
On every API call interval, debug shows in sequence:
540 DEBUG pid=5212 tid=MainThread file=retry.py:from_int:333 | Converted retries value: 3 -> Retry(total=3, connect=None, read=None, redirect=None, status=None)
541 DEBUG pid=5212 tid=MainThread file=retry.py:from_int:333 | Converted retries value: 3 -> Retry(total=3, connect=None, read=None, redirect=None, status=None)
542 DEBUG pid=5212 tid=MainThread file=connectionpool.py:_new_conn:975 | Starting new HTTPS connection (1): login.microsoftonline.com:443
281 DEBUG pid=5212 tid=MainThread file=connectionpool.py:_make_request:461 | https://login.microsoftonline.com:443 "POST /{Tenant ID}/oauth2/v2.0/token HTTP/1.1" 401 632
From Splunk to Proxy to CONNECT login.microsoftonline.com:443 returns 200
Following because I am getting the exact same error.
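The `KeyError: 'access_token'` in the traceback is what a token response without an `access_token` key produces, for example the 401 seen in the debug log. The following is an added example, not the add-on's own code, of checking the token response so the actual cause is reported; the function name, the hint table and the sample bodies are assumptions constructed here.

```python
import json

ACCESS_TOKEN = "access_token"  # same key the add-on indexes in the traceback

# Microsoft identity platform (AADSTS) codes that match the mistakes
# discussed in this thread. The hint wording is ours, not Microsoft's.
HINTS = {
    7000215: "invalid client secret: use the secret Value, not the Secret ID",
    700016: "application (client) ID not found in this tenant",
    90002: "tenant ID not found",
}


class TokenError(Exception):
    """Raised when the token endpoint did not return an access token."""


def extract_access_token(status, body):
    """Return the bearer token, or raise TokenError naming the cause."""
    try:
        payload = json.loads(body)
    except ValueError:
        # e.g. an HTML error page returned by a proxy in the path
        raise TokenError(f"HTTP {status}: token endpoint returned a non-JSON body")
    if not isinstance(payload, dict):
        raise TokenError(f"HTTP {status}: unexpected JSON in token response")
    if status == 200 and ACCESS_TOKEN in payload:
        return payload[ACCESS_TOKEN]
    # OAuth 2.0 error responses carry "error"; Azure AD adds "error_codes".
    msg = f"HTTP {status}: {payload.get('error', 'unknown_error')}"
    hints = [HINTS[c] for c in payload.get("error_codes", []) if c in HINTS]
    if hints:
        msg += " (" + "; ".join(hints) + ")"
    raise TokenError(msg)


# Constructed sample bodies (not captured from a real tenant).
GOOD_BODY = json.dumps({"token_type": "Bearer", "expires_in": 3599,
                        "access_token": "constructed-sample-token"})
BAD_BODY = json.dumps({"error": "invalid_client",
                       "error_description": "AADSTS7000215: constructed sample",
                       "error_codes": [7000215]})

if __name__ == "__main__":
    print(extract_access_token(200, GOOD_BODY))
    try:
        extract_access_token(401, BAD_BODY)
    except TokenError as exc:
        print(exc)
```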