Hello,
I am upgrading from the older Add-On for Windows Defender to Microsoft 365 Defender Add-on for Splunk.
The client ID, secret and tenant are all working fine in the old app.
When I install the new Microsoft 365 Defender Add-on for Splunk and use the same credentials I get the error:
2020-11-10 19:27:40,873 ERROR pid=77556 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/ta_ms_defender/aob_py2/modinput_wrapper/base_modinput.py", line 128, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py", line 76, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/input_module_microsoft_defender_atp_alerts.py", line 54, in collect_events
    access_token = azauth.get_access_token(client_id, client_secret, authorization_server_url, resource, helper)
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure/auth.py", line 21, in get_access_token
    raise e
KeyError: 'access_token'
These Azure apps from Splunk are giving me a headache. I have the same with the Azure Add-On from Splunk. Why is Splunk making it so hard to upgrade reasonably straightforward apps?
Hi, I got it working after renewing the secrets at the MS side.
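Added example, not part of the thread or the add-on's code: a `KeyError: 'access_token'` like the one in the traceback above means the token response had no `access_token` field, which is what an OAuth2 token endpoint returns when it rejects the client credentials. The sketch below reads the `error`, `error_description` and `error_codes` fields of such a response so the real cause reaches the log; the function name, the hint table and both sample bodies are constructed for illustration, and it is an assumption that the add-on received an error body of this shape.

```python
import json

class TokenError(Exception):
    """The token endpoint response carried no usable access token."""
    def __init__(self, error, description, codes):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.codes = codes

# Hints for two Azure AD (AADSTS) codes that concern the client secret.
HINTS = {
    7000222: "client secret expired; create a new secret in the app registration",
    7000215: "invalid client secret; configure the secret value, not the secret ID",
}

def extract_access_token(body):
    """Return the token from a token-endpoint JSON body, or raise TokenError."""
    try:
        data = json.loads(body)
    except ValueError:
        raise TokenError("invalid_response", "token endpoint did not return JSON", [])
    if not isinstance(data, dict):
        raise TokenError("invalid_response", "token response is not a JSON object", [])
    token = data.get("access_token")
    if token:
        return token  # never log the body on this path: it contains the token
    codes = data.get("error_codes") or []
    # Keep only the first line; the rest is trace and correlation IDs.
    desc = str(data.get("error_description") or "no error_description in response")
    desc = desc.splitlines()[0]
    hint = next((HINTS[c] for c in codes if c in HINTS), None)
    if hint:
        desc += f" ({hint})"
    raise TokenError(data.get("error", "unknown_error"), desc, codes)

# Constructed sample bodies (not captured from a real tenant).
SAMPLE_OK = json.dumps({"token_type": "Bearer", "expires_in": 3599,
                        "access_token": "constructed-token"})
SAMPLE_EXPIRED = json.dumps({
    "error": "invalid_client",
    "error_description": "AADSTS7000222: The provided client secret keys are "
                         "expired.\r\nTrace ID: 00000000-0000-0000-0000-000000000000",
    "error_codes": [7000222],
})

if __name__ == "__main__":
    print(extract_access_token(SAMPLE_OK))
    try:
        extract_access_token(SAMPLE_EXPIRED)
    except TokenError as exc:
        print("token request rejected:", exc)
```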
Hi @Azeemering,
After installation, did you install an SSL certificate? If not, then try changing SSL.verify=True to SSL.verify=False.