All Apps and Add-ons

Splunk Add-on for Microsoft Office 365 Graph API and CAS input does not work on Windows

melvinfuglem
Explorer

I am trying to collect data from Azure Graph, and CAS API using the Splunk Add-on for Microsoft Office 365 app. I tried this first on a windows server and got this error:

2022-02-03 11:34:12,218 level=INFO pid=7340 tid=MainThread logger=splunksdc.collector pos=collector.py:run:251 | | message="Modular input started."
2022-02-03 11:34:12,508 level=INFO pid=7340 tid=MainThread logger=splunk_ta_o365.common.settings pos=settings.py:load:36 | datainput=b'testsignins' start_time=1643884452 | message="Load proxy settings success." enabled=False host=b'' port=b'' username=b''
2022-02-03 11:34:12,802 level=INFO pid=7340 tid=MainThread logger=splunk_ta_o365.common.portal pos=portal.py:get_v2_token_by_psk:160 | datainput=b'testsignins' start_time=1643884452 | message="Acquire access token success." expires_on=1643888051.8024929
2022-02-03 11:34:13,806 level=DEBUG pid=7340 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api pos=graph_api.py:run:102 | datainput=b'testsignins' start_time=1643884452 | message="Start Retrieving Graph Api Audit Messages." timestamp=1643884453.8066385 report=b'signIns'
2022-02-03 11:34:13,806 level=INFO pid=7340 tid=MainThread logger=splunk_ta_o365.common.portal pos=portal.py:get:462 | datainput=b'testsignins' start_time=1643884452 | message="Calling Microsoft Graph API." url=b'https://graph.microsoft.com/v1.0/auditLogs/signIns' params=None
2022-02-03 11:34:21,628 level=ERROR pid=7340 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api pos=graph_api.py:run:118 | datainput=b'testsignins' start_time=1643884452 | message="Error retrieving Cloud Application Security messages." exception=Invalid format string
2022-02-03 11:34:21,628 level=ERROR pid=7340 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api pos=utils.py:wrapper:72 | datainput=b'testsignins' start_time=1643884452 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last):
File "C:\Program Files\Splunk\etc\apps\splunk_ta_o365\bin\splunksdc\utils.py", line 70, in wrapper
return func(*args, **kwargs)
File "C:\Program Files\Splunk\etc\apps\splunk_ta_o365\bin\splunk_ta_o365\modinputs\graph_api.py", line 235, in run
return consumer.run()
File "C:\Program Files\Splunk\etc\apps\splunk_ta_o365\bin\splunk_ta_o365\modinputs\graph_api.py", line 114, in run
self._ingest(message, source)
File "C:\Program Files\Splunk\etc\apps\splunk_ta_o365\bin\splunk_ta_o365\modinputs\graph_api.py", line 125, in _ingest
expiration = int(message.update_time.strftime('%s'))
ValueError: Invalid format string
2022-02-03 11:34:21,632 level=INFO pid=7340 tid=MainThread logger=splunksdc.collector pos=collector.py:run:254 | | message="Modular input exited."

Authenication seems to be working but it looks like it returns an unexpected string value it can't handle. I tested the azure app and CAS token using powershell and no issues. So last ditch effort was to try on another server. This happend to be a Linux server. When i set the app up there everything worked without issues. This made me think that the Graph and CAS inputs does not work on Windows servers since this was the only difference.  So i tested on an another windows server and got the same error. So I wondered if anyone else here has the same result as me, or has managed to get this running on a windows server? The app in splunk says it is platform independent, so it should run on windows to.

 

 

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...