
Microsoft 365 Defender Add-on for Splunk giving errors

rafeeq
Loves-to-Learn Lots

Getting the following error after installing & configuring the Microsoft 365 Defender Add-on HF with Splunk version 8.0.6. Need support to fix the error below.

Error:-

08-20-2021 01:00:04.803 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" ERROR'access_token'
08-20-2021 01:00:04.766 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" KeyError: 'access_token'
08-20-2021 01:00:04.766 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" return response['access_token']
08-20-2021 01:00:04.766 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 18, in get_access_token
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" raise e
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 21, in get_access_token
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" access_token = azauth.get_access_token(client_id, client_secret, authorization_server_url, resource, helper)
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/input_module_microsoft_defender_atp_alerts.py", line 53, in collect_events
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" input_module.collect_events(self, ew)
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py", line 76, in collect_events
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" self.collect_events(ew)
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/ta_ms_defender/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
08-20-2021 01:00:04.765 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_defender_atp_alerts.py" Traceback (most recent call last):
08-20-2021 01:00:04.302 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" ERROR'access_token'
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" KeyError: 'access_token'
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" return response['access_token']
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 18, in get_access_token
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" raise e
08-20-2021 01:00:04.263 +0000 ERROR ExecProcessor - message from "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/TA-MS_Defender/bin/microsoft_365_defender_incidents.py" File "/opt/splunk/etc/apps/TA-MS_Defender/bin/azure_util/auth.py", line 21, in get_access_token

0 Karma

VijaySrrie
Builder

Hi @rafeeq @pkohn117 

Why do we need this add-on? We have a requirement to ingest MCAS logs into Splunk (Salesforce logs flow into MCAS, and those logs from MCAS are to be ingested into Splunk). Can I use the above add-on to achieve this?

Or should I use Syslog collectors to ingest MCAS logs into Splunk?

0 Karma

venkatasri
SplunkTrust

Hi @VijaySrrie 

You should probably rely on syslog / Splunk TCP/UDP.

This add-on assumes you are onboarding the data either using a syslog collector that outputs to a file or using the built-in Splunk TCP/UDP listener (I would highly recommend the former).

Read here: https://splunkbase.splunk.com/app/5278/

--

An upvote would be appreciated if this reply helps!

0 Karma

pkohn117
Explorer

Your integration token is not configured correctly.

0 Karma
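
The `KeyError: 'access_token'` in the traceback means the token endpoint's reply had no `access_token` key, which is what an OAuth 2.0 error reply looks like. The following is an added example, not the add-on's own code; `extract_access_token`, `diagnose`, the hint wording and the sample bodies are assumptions made here. It shows a handler that reports the server's `error` field instead of failing on the missing key:

```python
import json

# OAuth 2.0 error codes (RFC 6749 section 5.2) mapped to the setting to re-check.
# The hint wording is this example's own, not the add-on's.
HINTS = {
    "invalid_client": "check client_id and client_secret (wrong value or expired secret)",
    "unauthorized_client": "the app registration is not authorized for this grant type",
    "invalid_request": "check authorization_server_url and the request parameters",
    "invalid_scope": "check the resource/scope value",
}

class TokenRequestError(Exception):
    """The token endpoint answered, but without an access_token."""

def extract_access_token(body):
    """Return the token, or raise with the server's error instead of KeyError."""
    try:
        response = json.loads(body)
    except ValueError as exc:
        raise TokenRequestError("non-JSON reply: check authorization_server_url") from exc
    if not isinstance(response, dict):
        raise TokenRequestError("unexpected reply shape: check authorization_server_url")
    token = response.get("access_token")
    if token:
        return token
    error = str(response.get("error", "unknown_error"))
    # Keep only the first line; later lines carry trace and correlation ids.
    lines = str(response.get("error_description", "")).splitlines()
    detail = lines[0] if lines else "no error_description"
    hint = HINTS.get(error, "check the add-on's account settings")
    raise TokenRequestError(f"{error}: {detail} [{hint}]")

# Constructed sample bodies (not captured from a real tenant).
SAMPLE_OK = json.dumps({"token_type": "Bearer", "expires_in": 3599,
                        "access_token": "constructed-token-value"})
SAMPLE_REJECTED = json.dumps({
    "error": "invalid_client",
    "error_description": "Constructed sample: invalid client secret.\r\nTrace ID: 0000",
})

def diagnose(body):
    """Return 'ok' or the error text, never the token itself (keeps it out of logs)."""
    try:
        extract_access_token(body)
        return "ok"
    except TokenRequestError as exc:
        return str(exc)

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_REJECTED, "<html>proxy error</html>"):
        print(diagnose(sample))
```
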