All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Microsoft 365 Defender Add-on for Splunk giving errors

rafeeq
Loves-to-Learn Lots
‎08-19-2021 06:09 PM

Getting Following error after Installing & Configuring the Microsoft 365 Defender Add-on HF with Splunk version 8.0.6. Need suuport to fix this below error

Error:-

08-20-2021 01:00:04.803 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" ERROR'access_token'
08-20-2021 01:00:04.766 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" KeyError: 'access_token'
08-20-2021 01:00:04.766 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" return response['access_token']
08-20-2021 01:00:04.766 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 18, in get_access_token
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" raise e
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 21, in get_access_token
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" access_token = azauth.get_access_token(client_id, client_secret, authorization_server_url, resource, helper)
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/input_module_microsoft_defender_atp_alerts.py", line 53, in collect_events
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" input_module.collect_events(self, ew)
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py", line 76, in collect_events
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" self.collect_events(ew)
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/ta_ms_defender/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" Traceback (most recent call last):
... 2 lines omitted ...
File "/opt/splunk/etc/apps/TA-MS_Defender/bin/ta_ms_defender/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
... 1 line omitted ...
File "/opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py", line 76, in collect_events
... 1 line omitted ...
File "/opt/splunk/etc/apps/TA-MS_Defender/bin/input_module_microsoft_defender_atp_alerts.py", line 53, in collect_events
... 1 line omitted ...
File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 21, in get_access_token
... 1 line omitted ...
File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 18, in get_access_token
Show all 13 lines
08-20-2021 01:00:04.302 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" ERROR'access_token'
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" KeyError: 'access_token'
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" return response['access_token']
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 18, in get_access_token
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" raise e
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 21, in get_access_token

Labels (3)
0 Karma
Reply

VijaySrrie
Builder
‎12-15-2021 07:28 PM

Hi @rafeeq @pkohn117 

Why we need this add-on? We have a requirement to ingest MCAS logs into splunk (salesforce logs flows into MCAS and those logs from MCAS to be ingested into splunk) Can I use the above add-on to achieve this?

Or should I use Syslog collectors to ingest MCAS logs into splunk?

0 Karma
Reply

venkatasri
SplunkTrust
SplunkTrust
‎12-15-2021 07:59 PM

Hi @VijaySrrie 

You should probably rely on syslog  /Splunk TCP/UDP. 

This add-on assumes you are onboarding the data either using a syslog collector that outputs to a file or using the built-in Splunk TCP/UDP listener (I would highly recommend the former)

read here - https://splunkbase.splunk.com/app/5278/

--

An upvote would be appreciated if this reply helps!

0 Karma
Reply

pkohn117
Explorer
‎11-22-2021 09:58 AM

Your integration token is not configured correctly.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...