All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for Microsoft Office 365 - Duplicate CAS Events

TrevorW2000
Explorer
‎10-11-2021 10:20 AM

We have Cloud App Security (CAS) Alerts set to be pulled at an interval of every 5 minutes. This was the default when we set it up. What we're finding is that the same alert is being pulled every 5 minutes. The alert ID and URL are both identical, so is all the content.

Here's the inputs.conf snippet:

[splunk_ta_o365_cloud_app_security://CAS_Alerts]
content_type = Alerts
index = o365
interval = 300

We're using the latest version of this app: https://splunkbase.splunk.com/app/4055/

From the log it does appear that the start time is incrementing, but something still isn't working as designed:

2021-10-11 11:57:29,339 level=INFO pid=30282 tid=MainThread logger=splunksdc.collector pos=collector.py:run:251 | | message="Modular input started."
2021-10-11 11:57:29,357 level=INFO pid=30282 tid=MainThread logger=splunk_ta_o365.common.settings pos=settings.py:load:36 | datainput=b'CAS_Alerts' start_time=1633971449 | message="Load proxy settings success." enabled=False host=b'' port=b'' username=b''
2021-10-11 11:57:29,386 level=INFO pid=30282 tid=MainThread logger=splunk_ta_o365.common.portal pos=portal.py:get_cas_token_by_psk:177 | datainput=b'CAS_Alerts' start_time=1633971449 | message="Acquire cloud application access token success."
2021-10-11 11:57:29,653 level=INFO pid=30282 tid=MainThread logger=splunk_ta_o365.modinputs.cloud_app_security pos=cloud_app_security.py:_create_consumer:139 | datainput=b'CAS_Alerts' start_time=1633971449 | message="Start retrieving Cloud Application Security messages." portal_url=b'<redacted>' portal_region=b'<redacted>'
2021-10-11 11:57:29,653 level=INFO pid=30282 tid=MainThread logger=splunk_ta_o365.modinputs.cloud_app_security pos=cloud_app_security.py:run:46 | datainput=b'CAS_Alerts' start_time=1633971449 | message="Start recording Cloud Application Security messages." source=b'https://<redacted>.portal.cloudappsecurity.com/api/v1/alerts/'
2021-10-11 11:57:29,653 level=INFO pid=30282 tid=MainThread logger=splunk_ta_o365.common.portal pos=portal.py:get:630 | datainput=b'CAS_Alerts' start_time=1633971449 | message="Calling Cloud Application Security API." url=b'https://<redacted>.portal.cloudappsecurity.com/api/v1/alerts/' params={'$filter': datetime.datetime(2021, 10, 11, 16, 57, 29, 653529)}
2021-10-11 11:57:50,766 level=INFO pid=30282 tid=MainThread logger=splunksdc.collector pos=collector.py:run:254 | | message="Modular input exited."
2021-10-11 12:02:26,129 level=INFO pid=31032 tid=MainThread logger=splunksdc.collector pos=collector.py:run:251 | | message="Modular input started."
2021-10-11 12:02:26,274 level=INFO pid=31032 tid=MainThread logger=splunk_ta_o365.common.settings pos=settings.py:load:36 | datainput=b'CAS_Alerts' start_time=1633971746 | message="Load proxy settings success." enabled=False host=b'' port=b'' username=b''
2021-10-11 12:02:26,303 level=INFO pid=31032 tid=MainThread logger=splunk_ta_o365.common.portal pos=portal.py:get_cas_token_by_psk:177 | datainput=b'CAS_Alerts' start_time=1633971746 | message="Acquire cloud application access token success."
2021-10-11 12:02:26,574 level=INFO pid=31032 tid=MainThread logger=splunk_ta_o365.modinputs.cloud_app_security pos=cloud_app_security.py:_create_consumer:139 | datainput=b'CAS_Alerts' start_time=1633971746 | message="Start retrieving Cloud Application Security messages." portal_url=b'<redacted>' portal_region=b'<redacted>'
2021-10-11 12:02:26,574 level=INFO pid=31032 tid=MainThread logger=splunk_ta_o365.modinputs.cloud_app_security pos=cloud_app_security.py:run:46 | datainput=b'CAS_Alerts' start_time=1633971746 | message="Start recording Cloud Application Security messages." source=b'https://<redacted>.portal.cloudappsecurity.com/api/v1/alerts/'
2021-10-11 12:02:26,574 level=INFO pid=31032 tid=MainThread logger=splunk_ta_o365.common.portal pos=portal.py:get:630 | datainput=b'CAS_Alerts' start_time=1633971746 | message="Calling Cloud Application Security API." url=b'https://<redacted>.portal.cloudappsecurity.com/api/v1/alerts/' params={'$filter': datetime.datetime(2021, 10, 11, 17, 2, 26, 574478)}
2021-10-11 12:02:48,135 level=INFO pid=31032 tid=MainThread logger=splunksdc.collector pos=collector.py:run:254 | | message="Modular input exited."

Labels (1)
Labels
Tags (3)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...