
Microsoft 365 Defender Add-on for Splunk giving errors



I am upgrading from the older Add-On for Windows defender to Microsoft 365 Defender Add-on for Splunk.

The clientid, secret and tenant are all working fine in the old app.

When I install the new Microsoft 365 Defender Add-on for Splunk and use the same credentials I get the error:

2020-11-10 19:27:40,873 ERROR pid=77556 tid=MainThread | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/ta_ms_defender/aob_py2/modinput_wrapper/", line 128, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/", line 76, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/", line 54, in collect_events
    access_token = azauth.get_access_token(client_id, client_secret, authorization_server_url, resource, helper)
  File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure/", line 21, in get_access_token
    raise e
KeyError: 'access_token'

These Azure apps from Splunk are giving me a headache. I have the same with the Azure Add-On from Splunk. Why is Splunk making it so hard to upgrade reasonably straightforward apps?


Hi, I got it working after renewing the secrets at the MS side.
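
The `KeyError: 'access_token'` in the traceback above means the token endpoint's JSON reply had no `access_token` field, which is what an OAuth 2.0 error reply looks like. The following is an added example, not part of the thread and not the add-on's own code: a sketch of reading such a reply so the log shows the endpoint's `error` and `error_description` instead of a bare `KeyError`. The function name, exception class and both sample bodies are constructed for illustration.

```python
import json


class TokenError(Exception):
    """Raised when a token-endpoint reply carries no usable access_token."""


def extract_access_token(body):
    """Return the access_token from a token-endpoint JSON body.

    On failure, raise TokenError carrying the OAuth 2.0 error fields
    (RFC 6749 section 5.2) so the real cause reaches the log.
    """
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise TokenError("token endpoint returned a non-JSON body") from exc
    if not isinstance(data, dict):
        raise TokenError("token endpoint returned unexpected JSON type")

    token = data.get("access_token")
    if token:
        return token  # never write this value to a log

    # Error replies carry 'error' and usually 'error_description'.
    error = data.get("error", "unknown_error")
    description = str(data.get("error_description", "")).strip()
    first_line = description.splitlines()[0] if description else "no description"
    raise TokenError("%s: %s" % (error, first_line))


# Constructed sample replies (not captured from a real tenant).
SAMPLE_OK = json.dumps({"token_type": "Bearer", "expires_in": 3599,
                        "access_token": "constructed-token"})
SAMPLE_REJECTED = json.dumps({
    "error": "invalid_client",
    "error_description": "Constructed text: client secret rejected.\r\nTrace: n/a",
})

if __name__ == "__main__":
    for name, body in (("ok", SAMPLE_OK), ("rejected", SAMPLE_REJECTED)):
        try:
            extract_access_token(body)
            print(name, "-> token received")
        except TokenError as exc:
            print(name, "-> token request failed:", exc)
```
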


Hi @Azeemering,

After installation, did you install an SSL certificate? If not, then try changing SSL.verify=True to SSL.verify=False to disable it.


If this helps, your like will be appreciated 😀
