We have had Microsoft Azure Add-On 3.0.0 installed and running successfully.
This was resolved, and a new Secret was generated in the Azure AD Portal, and configured into the Azure Add-On in Splunk. But we are getting an error, seems to be token related. Have tried deleting and recreating the input, but doesn't seem to matter. The only thing changed was creating the new secret in the portal and then configuring the app to use it. It was previously working OK until the old secret expired.
2021-04-08 10:59:07,307 ERROR pid=3520 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_audit.py", line 84, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_audit.py", line 61, in collect_events
access_token = azauth.get_graph_access_token(client_id, client_secret, tenant_id, helper)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/auth.py", line 18, in get_graph_access_token
raise e
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/auth.py", line 16, in get_graph_access_token
return _get_access_token(endpoint, helper, payload)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/auth.py", line 39, in _get_access_token
raise e
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/auth.py", line 37, in _get_access_token
return response['access_token']
KeyError: 'access_token'
It looks like we were missing some permissions (needed both Directory.Read.All and AuditLog.Read.All) but that only resolved not getting the audit logs. Sign-in logs are still a no-show, but looks like the error is now due to API query limits being hit:
HTTPError: 429 Client Error: Too Many Requests for url: https://graph.microsoft.com/beta/auditLogs/directoryAudits?$orderby=activityDateTime&$filter=activit...