All Apps and Add-ons

Microsoft 365 Defender Add-on for Splunk giving errors



I am upgrading from the older Add-On for Windows defender to Microsoft 365 Defender Add-on for Splunk.

The clientid, secret en tenant are all working fine in the old app.

When I install the new Microsoft 365 Defender Add-on for Splunk and use the same credentials I get the error:

2020-11-10 19:27:40,873 ERROR pid=77556 tid=MainThread | Get error when collecting events. Traceback (most recent call last): File "/opt/splunk/etc/apps/TA-MS_Defender/bin/ta_ms_defender/aob_py2/modinput_wrapper/", line 128, in stream_events self.collect_events(ew) File "/opt/splunk/etc/apps/TA-MS_Defender/bin/", line 76, in collect_events input_module.collect_events(self, ew) File "/opt/splunk/etc/apps/TA-MS_Defender/bin/", line 54, in collect_events access_token = azauth.get_access_token(client_id, client_secret, authorization_server_url, resource, helper) File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure/", line 21, in get_access_token raise e KeyError: 'access_token'

These Azure apps from Splunk are giving me a headache. I have the same with the Azure Add-On from Splunk. Why is Splunk making it so hard to upgrade reasonable straight forward apps?


Hi, I got it working after renewing the secrets at the MS side.


Hi @Azeemering,

After installation did you install an SSL certificate? If not then try to disable from SSL.verify=True to SSL.verify=False


If this helps your like will be appreciated 😀

Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...