Hi
I need some assistance here.
I need to onboard the O365 Management API and Azure Audit data from Azure.
I am using Splunk Add On for Microsoft Cloud Server.
I followed the guide from this URL https://www.splunk.com/blog/2017/07/27/splunking-microsoft-cloud-data-part-1.html.
I was able to onboard the O365 Management API data but not the Azure Audit data.
The error that I got from the log file is
"AuthenticationError: , ConnectionError: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /cd99fef8-1cd3-4a2a-9bdf-15531181d65e/oauth2/token (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 111] Connection refused',))"
It seems like an authentication issue, but I have no clue what permission I need to assign in Azure. Can anyone provide me some advice?
Thanks
If you are using a proxy connection, make sure that it's working and you've white-listed the Azure domains, as the initial HTTP request is done on login.microsoftonline.com but is just a redirect to www.office.com/login.
Here are some domains to consider white-listing in your proxy server:
https://microsoft.com/
https://windows.net/
https://office.com/
https://microsoftonline.com/
https://azure.com/
For the Office 365 and Azure Audit integration to work, you need an Azure AD Application. I like to think of an Azure AD Application as a user or service account for simplicity. You can use one application for both O365 and Azure, or you can use separate applications.
For the Azure Audit input, you need to give the Azure AD application read permission to your Azure subscription(s). This is step 13 in the blog post mentioned above. Technically, this is called creating a Service Principal, but for simplicity, I think of it as giving a user or service account access to a network resource.
Judging from the error message above, it looks like either the Azure AD application was not granted read permissions on the subscription(s), or there is a network issue. Some more detail from the following search may help:
index=_internal sourcetype="mscs:azure:audit:log"
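An added example (not part of the thread and not code from the add-on) for triaging messages like the one quoted in the question: it separates failures that occur before the token request reaches Azure AD (proxy, DNS, refused or timed-out TCP, TLS) from errors the service itself returned. Only the first sample line comes from this page; the other two are constructed, and the stage names and hints are assumptions of this example.

```python
import re

# Ordered rules: transport causes are tested before auth causes, because the
# message quoted on this page starts with "AuthenticationError" even though
# the underlying cause is a refused TCP connection.
RULES = [
    ("proxy", r"ProxyError|Cannot connect to proxy",
     "The configured proxy could not be reached; check proxy host, port and ACLs."),
    ("dns", r"Name or service not known|getaddrinfo failed",
     "The host name did not resolve; check DNS on the forwarder."),
    ("tcp_refused", r"\[Errno 111\]|Connection refused",
     "TCP connect was refused, so no credentials were checked; test the egress or proxy path."),
    ("tcp_timeout", r"\[Errno 110\]|timed out",
     "No answer from the target; look for a firewall silently dropping traffic."),
    ("tls", r"SSLError|CERTIFICATE_VERIFY_FAILED",
     "TLS handshake failed; check for an inspecting proxy and the CA bundle."),
    ("auth", r"AADSTS\d+|invalid_client|AuthorizationFailed",
     "The service answered; review the app's client ID/secret and its role on the subscription."),
]

def triage(message):
    """Classify one error message by the stage at which the request failed."""
    m = re.search(r"host='([^']+)', port=(\d+)", message)
    target = "%s:%s" % m.groups() if m else None
    for stage, pattern, hint in RULES:
        if re.search(pattern, message):
            return {"stage": stage, "target": target, "hint": hint}
    return {"stage": "unknown", "target": target, "hint": "No rule matched; read the full traceback."}

SAMPLES = [
    # The error quoted in the question on this page.
    "AuthenticationError: , ConnectionError: HTTPSConnectionPool(host='login.microsoftonline.com', "
    "port=443): Max retries exceeded with url: /cd99fef8-1cd3-4a2a-9bdf-15531181d65e/oauth2/token "
    "(Caused by NewConnectionError(': Failed to establish a new connection: "
    "[Errno 111] Connection refused',))",
    # Constructed: the same failure when the refusing party is a configured proxy.
    "ConnectionError: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries "
    "exceeded (Caused by ProxyError('Cannot connect to proxy.', NewConnectionError("
    "': Failed to establish a new connection: [Errno 111] Connection refused',)))",
    # Constructed: a response that Azure AD itself would send for a bad secret.
    "AuthenticationError: AADSTS7000215: Invalid client secret is provided.",
]

if __name__ == "__main__":
    for line in SAMPLES:
        result = triage(line)
        print(result["stage"], result["target"], "-", result["hint"])
```
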
I am also getting the same error.
I verified that the above domains are allowed through our proxy server, and O365 logs are successfully getting pulled but Azure Audit logs are not.
Are there any other settings in the App for proxy that need to be set for Azure Audit Input to work?
I have the same error with the Azure Audit logs. Did you already solve this issue?