How to resolve Microsoft Graph Security Add-On for Splunk - KeyError: 'access_token'?

Lu1
Loves-to-Learn Everything

Hi,

I'm trying to implement Microsoft Graph Security Add-On for Splunk. I'm using Splunk Enterprise Version v8.

2022-11-29 14:19:07,357 ERROR pid=17546 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-microsoft-graph-security-add-on-for-splunk/bin/ta_microsoft_graph_security_add_on_for_splunk/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-microsoft-graph-security-add-on-for-splunk/bin/microsoft_graph_security.py", line 72, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-microsoft-graph-security-add-on-for-splunk/bin/input_module_microsoft_graph_security.py", line 63, in collect_events
access_token = _get_access_token(helper)
File "/opt/splunk/etc/apps/TA-microsoft-graph-security-add-on-for-splunk/bin/input_module_microsoft_graph_security.py", line 39, in _get_access_token
return access_token[ACCESS_TOKEN]
KeyError: 'access_token'

0 Karma

beaunewcomb
Communicator

We have tried every combination of credentials for this and are still receiving the same token error as above. Is it possible for someone to please map these in a clear way? Do we do anything with the "SECRET ID"?

GRAPH TA:

Username = (Client ID?)
Password = (Secret VALUE?)
Tenant ID = Tenant ID

0 Karma

ceejohn78
Loves-to-Learn Lots

I got mine to work. Assuming you have all the permissions correct, ensure you are using the correct "client/secret" in your Azure environment. The issue with these Microsoft add-ons is you have to use the "value" ID instead of the "secret", which most documentation doesn't specify.

0 Karma

xmeng
Loves-to-Learn Lots

Yes, you are right. I just used the wrong ID. Many thanks for the help!!

0 Karma

xmeng
Loves-to-Learn Lots

Hi ceejohn78,

Thank you for your reply. 

Do you mean that for the password field on Splunk, what I need is the secret value, not the secret ID?

Cheers,

0 Karma

mxyy31ruth
Loves-to-Learn Lots

Hello Lu1,

Did you find a solution to this issue?

0 Karma

Lu1
Loves-to-Learn Everything

On every API call interval, debug shows in sequence:
540 DEBUG pid=5212 tid=MainThread file=retry.py:from_int:333 | Converted retries value: 3 -> Retry(total=3, connect=None, read=None, redirect=None, status=None)
541 DEBUG pid=5212 tid=MainThread file=retry.py:from_int:333 | Converted retries value: 3 -> Retry(total=3, connect=None, read=None, redirect=None, status=None)
542 DEBUG pid=5212 tid=MainThread file=connectionpool.py:_new_conn:975 | Starting new HTTPS connection (1): login.microsoftonline.com:443
281 DEBUG pid=5212 tid=MainThread file=connectionpool.py:_make_request:461 | https://login.microsoftonline.com:443 "POST /{Tenant ID}/oauth2/v2.0/token HTTP/1.1" 401 632

From Splunk to Proxy to CONNECT login.microsoftonline.com:443 returns 200

0 Karma
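
The debug log above shows the token endpoint answering 401, and an OAuth 2.0 error body carries `error` and `error_description` rather than `access_token`, which is how an unconditional `access_token[ACCESS_TOKEN]` lookup ends in a KeyError. As an added example (not the add-on's code and not from any poster), this sketch parses a token response defensively and flags a GUID-shaped secret, the format Azure uses for the "Secret ID" rather than the secret value; the function names and sample bodies are constructed for illustration.

```python
import json
import re

# GUID shape (8-4-4-4-12 hex): the format of an Azure client secret's "Secret ID".
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


class TokenError(Exception):
    """Raised when the token endpoint response holds no usable access token."""


def looks_like_secret_id(client_secret):
    """Heuristic: a GUID in the password field is probably the Secret ID."""
    return bool(GUID_RE.match(client_secret.strip()))


def parse_token_response(status_code, body_text):
    """Return the access token, or raise TokenError carrying the OAuth error."""
    try:
        payload = json.loads(body_text)
    except ValueError:
        raise TokenError("HTTP %d with non-JSON body" % status_code) from None
    if not isinstance(payload, dict):
        payload = {}
    token = payload.get("access_token")
    if status_code == 200 and token:
        return token
    # Report the server's reason instead of failing later with KeyError.
    raise TokenError("HTTP %d: %s - %s" % (
        status_code,
        payload.get("error", "unknown_error"),
        payload.get("error_description", "no description"),
    ))


# Constructed sample responses (not captured from a real tenant).
SAMPLE_401 = json.dumps({"error": "invalid_client",
                         "error_description": "constructed: secret rejected"})
SAMPLE_200 = json.dumps({"token_type": "Bearer", "expires_in": 3599,
                         "access_token": "constructed-token"})


def demo():
    """Run both samples; return the token and the error message text."""
    results = {"ok": parse_token_response(200, SAMPLE_200)}
    try:
        parse_token_response(401, SAMPLE_401)
    except TokenError as exc:
        results["err"] = str(exc)
    return results
```

Only the status code and the OAuth error fields are put in the message, so the client secret itself never reaches the log.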

ceejohn78
Loves-to-Learn Lots

Following because I am getting the exact same error.

0 Karma