Re: Microsoft 365 Defender Add-on for Splunk givin...

rafeeq · ‎08-19-2021

Getting Following error after Installing & Configuring the Microsoft 365 Defender Add-on HF with Splunk version 8.0.6. Need suuport to fix this below error

Error:-

08-20-2021 01:00:04.803 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" ERROR'access_token'
08-20-2021 01:00:04.766 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" KeyError: 'access_token'
08-20-2021 01:00:04.766 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" return response['access_token']
08-20-2021 01:00:04.766 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 18, in get_access_token
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" raise e
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 21, in get_access_token
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" access_token = azauth.get_access_token(client_id, client_secret, authorization_server_url, resource, helper)
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/input_module_microsoft_defender_atp_alerts.py", line 53, in collect_events
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" input_module.collect_events(self, ew)
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py", line 76, in collect_events
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" self.collect_events(ew)
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/ta_ms_defender/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" Traceback (most recent call last):
... 2 lines omitted ...
File "/opt/splunk/etc/apps/TA-MS_Defender/bin/ta_ms_defender/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
... 1 line omitted ...
File "/opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py", line 76, in collect_events
... 1 line omitted ...
File "/opt/splunk/etc/apps/TA-MS_Defender/bin/input_module_microsoft_defender_atp_alerts.py", line 53, in collect_events
... 1 line omitted ...
File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 21, in get_access_token
... 1 line omitted ...
File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 18, in get_access_token
Show all 13 lines
08-20-2021 01:00:04.302 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" ERROR'access_token'
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" KeyError: 'access_token'
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" return response['access_token']
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 18, in get_access_token
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" raise e
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 21, in get_access_token

VijaySrrie · ‎12-15-2021

Hi @rafeeq @pkohn117

Why we need this add-on? We have a requirement to ingest MCAS logs into splunk (salesforce logs flows into MCAS and those logs from MCAS to be ingested into splunk) Can I use the above add-on to achieve this?

Or should I use Syslog collectors to ingest MCAS logs into splunk?

venkatasri · ‎12-15-2021

Hi @VijaySrrie

You should probably rely on syslog /Splunk TCP/UDP.

This add-on assumes you are onboarding the data either using a syslog collector that outputs to a file or using the built-in Splunk TCP/UDP listener (I would highly recommend the former)

read here - https://splunkbase.splunk.com/app/5278/

--

An upvote would be appreciated if this reply helps!

pkohn117 · ‎11-22-2021

Your integration token is not configured correctly.

Microsoft 365 Defender Add-on for Splunk giving errors

configuration

installation

troubleshooting

.conf25 Global Broadcast: Don’t Miss a Moment

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Are you a member of the Splunk Community?