Has anyone installed and configured Microsoft O365 Email Add-on for Splunk?
I have a few concerns such as using a transport rule to bcc every single message sent through our tenant to a single account. During the day that is about 100k messages an hour. It's a lot all going to one account. We will almost certainly brush up against the 1.4 million daily limit mentioned in the app's description.
Just curious to see how this add-on has worked for others and any issues they've had/seen.
I've tried to get this app working for a small tenant but have been unsuccessful. I'm getting secret errors in the log files. Can anyone help?
2021-04-25 23:26:01,469 ERROR pid=5900 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
  File "F:\Splunk\etc\apps\TA_microsoft_o365_email_add_on_for_splunk\bin\ta_microsoft_o365_email_add_on_for_splunk\aob_py3\modinput_wrapper\base_modinput.py", line 128, in stream_events
  File "F:\Splunk\etc\apps\TA_microsoft_o365_email_add_on_for_splunk\bin\o365_email.py", line 132, in collect_events
  File "F:\Splunk\etc\apps\TA_microsoft_o365_email_add_on_for_splunk\bin\input_module_o365_email.py", line 185, in collect_events
    access_token = _get_access_token(helper)
  File "F:\Splunk\etc\apps\TA_microsoft_o365_email_add_on_for_splunk\bin\input_module_o365_email.py", line 64, in _get_access_token
    CURRENT_TOKEN = access_token[ACCESS_TOKEN]
I've been messing around with this app for a few days and just got it working after seeing the same errors as you.
You'll want to make sure your API permissions are set correctly and admin consent is granted in Azure then double check your configuration and input settings in the app.
When adding the account under configuration in the app, make sure you're using the Application (Client) ID found in the Overview section in Azure rather than the Client Secret's ID; this ended up being my issue.
Also check that your traffic isn't getting blocked somewhere in your network. I found another thread where someone mentioned that was their issue. I can't find it again but they said something about their firewall not liking the endpoint input option set to worldwide and they were able to get it to work by setting that to USGovGCCHigh so that may be worth trying.
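As an added example (not the add-on's own code and not from anyone in this thread), the following client-credentials token request surfaces Azure AD's error code and description instead of dying with the KeyError in the traceback above, which is what happens when the token response carries an "error" object rather than "access_token". The names LOGIN_ENDPOINTS, TokenError, parse_token_response and request_token are hypothetical, the mapping of the add-on's "worldwide"/"USGovGCCHigh" options to login hosts is an assumption, and the responses used in the test are constructed.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed mapping of the add-on's endpoint option names to Microsoft login hosts.
LOGIN_ENDPOINTS = {
    "worldwide": "https://login.microsoftonline.com",
    "USGovGCCHigh": "https://login.microsoftonline.us",
}


class TokenError(Exception):
    """Carries Azure AD's own error code/description instead of a bare KeyError."""


def parse_token_response(body: dict) -> str:
    """Return the access token, or raise TokenError with the AADSTS details.

    Indexing body["access_token"] unconditionally is what produces the KeyError
    in the traceback: on a failed request Azure AD returns "error" and
    "error_description" (e.g. a wrong client ID or secret), never a token.
    """
    if "access_token" in body:
        return body["access_token"]
    code = body.get("error", "unknown_error")
    desc = body.get("error_description", "no description returned")
    raise TokenError(f"{code}: {desc}")


def request_token(tenant_id: str, client_id: str, client_secret: str,
                  endpoint: str = "worldwide") -> str:
    """Client-credentials grant against the Microsoft identity platform v2.0 endpoint."""
    url = f"{LOGIN_ENDPOINTS[endpoint]}/{tenant_id}/oauth2/v2.0/token"
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,          # Application (client) ID from Overview, not the secret's ID
        "client_secret": client_secret,  # the secret VALUE shown once at creation time
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as exc:
        # Azure AD answers 400/401 with a JSON error body; parse it instead of
        # discarding it, so the log shows the real cause (bad ID, bad secret,
        # missing consent) rather than a KeyError.
        body = json.loads(exc.read().decode() or "{}")
    return parse_token_response(body)
```

Calling request_token with a mistyped Application ID now logs the AADSTS code and message from Azure, which is usually enough to tell an ID mix-up from a blocked network path.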