All Apps and Add-ons

Why does Splunk Add-on for Microsoft Office 365 has credential errors with only 1 input?

robayers
Explorer

I have the Splunk Add-on for Microsoft Office 365 app running and collecting all of the inputs successfully with t he exception of the Audit Logs input. I have it collecting logs from multiple O365 tenants, and all of them have  the same errors with  the  Audit Log Input.

The _internal  log has the errors indicating its an issue with the username and  credentials. This app doesn't using credentials, it uses keys.  The keys for the Azure app are valid, and not expired.  I can log in successfully to the tenant with the same credentials that are show in the error message.

The error is below and has been sanitized.

2022-03-30 09:10:08,938 level=DEBUG pid=8229 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api.GraphApiConsumer pos=GraphApiConsumer.py:_ingest:79 | datainput=b'se_audit_log_signins' start_time=1648645805 | message="ingesting message " message=graphApiMessage(id='XXXXXXXX-YYYY-XXX5-YYYY-ZZZZZZZZ', update_time=datetime.datetime(2022, 3, 30, 13, 10, 8, 751629), data='{"id": "XXXXXXXX-aXX-4cXXX-XXXX-XXXXXXXX", "createdDateTime": "2022-03-29T14:44:07Z", "userDisplayName": "XXXX XXXX", "userPrincipalName": "XXXX@YYYY.com", "userId": "XXXXXXXXXXXXXXXXXX", "appId": "00000002-0000-0ff1-ce00-000000000000", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "123.123.122.123", "clientAppUsed": "Reporting Web Services", "correlationId": "XXXXXXXX-YYYY-ZZZZ-QQQQQQQQ", "conditionalAccessStatus": "notApplied", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 Exchange Online", "resourceId": "XXXXXXXX-0000-0XXX-XX00-000000000000", "status": {"errorCode": 50126, "failureReason": "Error validating credentials due to invalid username or password.", "additionalDetails": "The user didn\'t enter the right credentials. \\u00a0It\'s expected to see some number of these errors in your logs due to users making mistakes."}, "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "", "browser": "Python Requests 2.22", "isCompliant": false, "isManaged": false, "trustType": ""}, "location": {"city": "somewhere", "state": "XXXXXX", "countryOrRegion": "US", "geoCoordinates": {"altitude": null, "latitude": XX.XXXX, "longitude": -XX.XXXX}}, "appliedConditionalAccessPolicies": []}', key='XXXXXX-XXXX-XXXX-XX-XXXXXXXXX')

 

Any thoughts?  Its working for all other inputs.

Thanks, Robert

 

 

Labels (2)
0 Karma

robayers
Explorer

No Luck, all  permissions checked, secret key and expiration checked, still getting the errors.

0 Karma

robayers
Explorer

I've confirmed all of the above permissions are set correctly.

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

 Just make sure there is no manual code modification that has been done.

 

To make sure you have all the right files available from the Add-on:

Upgrade to the latest version (perform the upgrade even though you are already on the latest version) of the Add-on and reconfigure that particular input.

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@robayers - This sounds weird error message, considering you are using the same account for all other inputs as well.

- Just make sure your credentials (Client ID and Client Secret) have not been expired on Azure App.

For the safeguard, I would just check whether Azure App that you are using for credentials has the right permissions or not.

Following are the permission required:

Office 365 Management APIs
(Application) ActivityFeed.Read
(Application) ServiceHealth.Read
(Application) ActivityFeed.ReadDlp (if collecting DLP data)

(Delegated) ActivityFeed.Read
(Delegated) ServiceHealth.Read
(Delegated) ActivityFeed.ReadDlp (if collecting DLP data)

Microsoft

Graph

(Application) AuditLog.Read.All
(Application) Policy.Read.All
(Application) Reports.Read.All
(Application) Directory.Read.All

 

Hope this helps!

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...