Microsoft Cloud Service Add on - Not able to on board Azure Audit Data

kachoy
Engager

Hi

I need some assistance here.
I need to onboard the O365 Management API and Azure Audit data from Azure.
I am using Splunk Add On for Microsoft Cloud Server.
I followed the guide from this URL: https://www.splunk.com/blog/2017/07/27/splunking-microsoft-cloud-data-part-1.html.
I am able to onboard O365 Management API data but not the Azure Audit data.
The error that I got from the log file is:

"AuthenticationError: , ConnectionError: HTTPSConnectionPool(host='login.microsoftonline.com', port=443): Max retries exceeded with url: /cd99fef8-1cd3-4a2a-9bdf-15531181d65e/oauth2/token (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 111] Connection refused',))"

It seems like an authentication issue, but I have no clue what permission I need to assign in Azure. Can anyone provide me some advice?

Thanks

splunkapprentic
Explorer

If you are using a proxy connection, make sure that it's working and that you've white-listed the Azure domains, as the initial HTTP request is done on login.microsoftonline.com but is just a redirect to www.office.com/login.

Here are some domains to consider white-listing in your proxy server:
https://microsoft.com/
https://windows.net/
https://office.com/
https://microsoftonline.com/
https://azure.com/

0 Karma

jconger
Splunk Employee

For the Office 365 and Azure Audit integration to work, you need an Azure AD Application. I like to think of an Azure AD Application as a user or service account for simplicity. You can use one application for both O365 and Azure, or you can use separate applications.

For the Azure Audit input, you need to give the Azure AD application read permission to your Azure subscription(s). This is step 13 in the blog post mentioned above. Technically, this is called creating a Service Principal, but for simplicity, I think of it as giving a user or service account access to a network resource.

Judging from the error message above, it looks like either the Azure AD application was not granted read permissions on the subscription(s), or there is a network issue. Some more detail from the following search may help:

index=_internal sourcetype="mscs:azure:audit:log"

0 Karma
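
An added example, not part of any post in this thread and not code from the add-on: a small Python triage of the error text that separates the two causes named above, a network failure versus an Azure permission problem. The errno table assumes a Linux host, and the `AADSTS`/`AuthorizationFailed` markers and the second sample line are constructed assumptions about what a rejection from Azure would look like.

```python
import re

# Message format of urllib3's retry failure as surfaced by requests.ConnectionError.
POOL_RE = re.compile(r"HTTPS?ConnectionPool\(host='(?P<host>[^']+)', port=(?P<port>\d+)\): "
                     r"Max retries exceeded with url: (?P<path>\S+)")
ERRNO_RE = re.compile(r"\[Errno (?P<num>-?\d+)\]")

# Linux errno values; each one means the failure happened before TLS or OAuth.
NETWORK_ERRNOS = {
    111: "TCP connection refused",
    110: "TCP connection timed out",
    101: "network unreachable",
    113: "no route to host",
    -2: "DNS name did not resolve",
}
# Assumed markers of a response from Azure that rejected the caller.
IDENTITY_RE = re.compile(r"AADSTS\d+|AuthorizationFailed|\b40[13]\b")

# The error line quoted in the original post.
PAGE_LINE = ("AuthenticationError: , ConnectionError: HTTPSConnectionPool("
             "host='login.microsoftonline.com', port=443): Max retries exceeded with url: "
             "/cd99fef8-1cd3-4a2a-9bdf-15531181d65e/oauth2/token (Caused by "
             "NewConnectionError(': Failed to establish a new connection: "
             "[Errno 111] Connection refused',))")
# Constructed sample of a permission failure; not taken from the add-on's logs.
DENIED_LINE = "AuthorizationFailed: client lacks read access over scope /subscriptions/<subscription-id>"

def triage(line):
    """Classify one error line as a network-layer or identity-layer failure."""
    out = {"layer": "unknown", "host": None, "port": None, "path": None, "reason": None}
    pool = POOL_RE.search(line)
    if pool:
        out.update(host=pool["host"], port=int(pool["port"]), path=pool["path"])
    err = ERRNO_RE.search(line)
    if err and int(err["num"]) in NETWORK_ERRNOS:
        # No TCP session was established, so no credentials were ever sent or evaluated.
        out.update(layer="network", reason=NETWORK_ERRNOS[int(err["num"])])
    elif IDENTITY_RE.search(line):
        out.update(layer="identity", reason="Azure responded and rejected the caller")
    return out

if __name__ == "__main__":
    for sample in (PAGE_LINE, DENIED_LINE):
        print(triage(sample))
```

A `network` result points at the proxy, firewall or routing path from the Splunk host to the named endpoint; an `identity` result points at the Azure AD application's credentials or its role on the subscription.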

fatemabw
New Member

I am also getting the same error.
I verified that the above domains are allowed through our proxy server, and O365 logs are successfully getting pulled but Azure Audit logs are not.
Are there any other settings in the app for the proxy that need to be set for the Azure Audit input to work?

0 Karma

lmorillogonzazl
Explorer

I have the same error with the Azure Audit logs. Did you already solve this issue?

0 Karma