
Why does Splunk Add-on for Microsoft Office 365 has credential errors with only 1 input?

robayers
Explorer

I have the Splunk Add-on for Microsoft Office 365 app running and collecting all of the inputs successfully with the exception of the Audit Logs input. I have it collecting logs from multiple O365 tenants, and all of them have the same errors with the Audit Log input.

The _internal log has the errors indicating it's an issue with the username and credentials. This app doesn't use credentials, it uses keys. The keys for the Azure app are valid and not expired. I can log in successfully to the tenant with the same credentials that are shown in the error message.

The error is below and has been sanitized.

2022-03-30 09:10:08,938 level=DEBUG pid=8229 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api.GraphApiConsumer pos=GraphApiConsumer.py:_ingest:79 | datainput=b'se_audit_log_signins' start_time=1648645805 | message="ingesting message " message=graphApiMessage(id='XXXXXXXX-YYYY-XXX5-YYYY-ZZZZZZZZ', update_time=datetime.datetime(2022, 3, 30, 13, 10, 8, 751629), data='{"id": "XXXXXXXX-aXX-4cXXX-XXXX-XXXXXXXX", "createdDateTime": "2022-03-29T14:44:07Z", "userDisplayName": "XXXX XXXX", "userPrincipalName": "XXXX@YYYY.com", "userId": "XXXXXXXXXXXXXXXXXX", "appId": "00000002-0000-0ff1-ce00-000000000000", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "123.123.122.123", "clientAppUsed": "Reporting Web Services", "correlationId": "XXXXXXXX-YYYY-ZZZZ-QQQQQQQQ", "conditionalAccessStatus": "notApplied", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 Exchange Online", "resourceId": "XXXXXXXX-0000-0XXX-XX00-000000000000", "status": {"errorCode": 50126, "failureReason": "Error validating credentials due to invalid username or password.", "additionalDetails": "The user didn\'t enter the right credentials. \\u00a0It\'s expected to see some number of these errors in your logs due to users making mistakes."}, "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "", "browser": "Python Requests 2.22", "isCompliant": false, "isManaged": false, "trustType": ""}, "location": {"city": "somewhere", "state": "XXXXXX", "countryOrRegion": "US", "geoCoordinates": {"altitude": null, "latitude": XX.XXXX, "longitude": -XX.XXXX}}, "appliedConditionalAccessPolicies": []}', key='XXXXXX-XXXX-XXXX-XX-XXXXXXXXX')


Any thoughts? It's working for all other inputs.

Thanks, Robert

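An added example for reading lines like the one in the question (editor's code, not from the original post and not part of the Splunk add-on). The line carries two separate things: the add-on's own log fields (`level=...`, `datainput=...`) and, after `message=graphApiMessage(...)`, a Microsoft Graph sign-in record embedded as a Python repr in `data='...'`. The parser below splits those apart and reports the `status.errorCode` of the embedded record next to the add-on's own log level. The first sample line is a constructed, trimmed copy of the sanitized line above; the second sample line (an `ERROR`-level add-on line), its message text, and the `classify` labels are assumptions for illustration only.

```python
"""Separate the add-on's own log fields from the Graph sign-in record it ingested.

Added example, not code from the Splunk Add-on for Microsoft Office 365.
"""
import ast
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a trimmed copy of the sanitized _internal line in the question.
SIGNIN_LINE = r"""2022-03-30 09:10:08,938 level=DEBUG pid=8229 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api.GraphApiConsumer pos=GraphApiConsumer.py:_ingest:79 | datainput=b'se_audit_log_signins' start_time=1648645805 | message="ingesting message " message=graphApiMessage(id='XXXXXXXX-YYYY-XXX5-YYYY-ZZZZZZZZ', update_time=datetime.datetime(2022, 3, 30, 13, 10, 8, 751629), data='{"id": "XXXXXXXX-aXX-4cXXX-XXXX-XXXXXXXX", "createdDateTime": "2022-03-29T14:44:07Z", "userDisplayName": "XXXX XXXX", "userPrincipalName": "XXXX@YYYY.com", "appId": "00000002-0000-0ff1-ce00-000000000000", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "123.123.122.123", "clientAppUsed": "Reporting Web Services", "conditionalAccessStatus": "notApplied", "isInteractive": true, "status": {"errorCode": 50126, "failureReason": "Error validating credentials due to invalid username or password.", "additionalDetails": "The user didn\'t enter the right credentials. \\u00a0It\'s expected to see some number of these errors in your logs due to users making mistakes."}, "deviceDetail": {"deviceId": "", "browser": "Python Requests 2.22", "isCompliant": false, "isManaged": false}, "location": {"countryOrRegion": "US"}, "appliedConditionalAccessPolicies": []}', key='XXXXXX-XXXX-XXXX-XX-XXXXXXXXX')"""

# Constructed sample of what an add-on failure line would look like.
# The message text is hypothetical; only the level=ERROR field matters here.
ADDON_ERROR_LINE = r'''2022-03-30 09:10:09,000 level=ERROR pid=8229 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api.GraphApiConsumer pos=GraphApiConsumer.py:run:40 | datainput=b'se_audit_log_signins' start_time=1648645805 | message="constructed example: request to Graph failed"'''

# The add-on's own fields sit in the key=value header before the first " | ".
_LEVEL_RE = re.compile(r"\blevel=(\w+)")
_DATAINPUT_RE = re.compile(r"datainput=b'([^']*)'")
# The ingested record is a Python string repr: data='...'. Inside it, quotes and
# backslashes are escaped (\' and \\u00a0), so the pattern consumes escaped pairs
# and stops at the first unescaped single quote.
_DATA_RE = re.compile(r"data='((?:[^'\\]|\\.)*)'")


@dataclass
class ParsedLine:
    level: str                       # the add-on's own log level
    datainput: Optional[str]         # which modular input wrote the line
    error_code: Optional[int]        # status.errorCode of the embedded sign-in record
    failure_reason: Optional[str]
    user: Optional[str]              # userPrincipalName from the record
    client: Optional[str]            # browser / client that attempted the sign-in


def parse_line(line: str) -> ParsedLine:
    level = _LEVEL_RE.search(line)
    datainput = _DATAINPUT_RE.search(line)
    parsed = ParsedLine(level.group(1) if level else "UNKNOWN",
                        datainput.group(1) if datainput else None,
                        None, None, None, None)
    data = _DATA_RE.search(line)
    if data is None:
        return parsed
    # literal_eval undoes the repr escaping, leaving the JSON text for json.loads.
    record = json.loads(ast.literal_eval("'" + data.group(1) + "'"))
    status = record.get("status") or {}
    device = record.get("deviceDetail") or {}
    parsed.error_code = status.get("errorCode")
    parsed.failure_reason = status.get("failureReason")
    parsed.user = record.get("userPrincipalName")
    parsed.client = device.get("browser") or record.get("clientAppUsed")
    return parsed


def classify(p: ParsedLine) -> str:
    """Assumed labels: does the error belong to the add-on or to the ingested record?"""
    if p.level in ("ERROR", "CRITICAL"):
        return "addon-failure"          # the add-on's own request or auth problem
    if p.error_code is None:
        return "ingested-record"        # a record with no sign-in status at all
    if p.error_code == 0:
        return "ingested-signin-success"
    return "ingested-signin-failure"    # Azure AD logged a failed user sign-in


def summarize(lines: List[str]) -> List[str]:
    out = []
    for line in lines:
        p = parse_line(line)
        out.append(f"{classify(p)} level={p.level} input={p.datainput} "
                   f"errorCode={p.error_code} user={p.user} client={p.client}")
    return out


if __name__ == "__main__":
    for row in summarize([SIGNIN_LINE, ADDON_ERROR_LINE]):
        print(row)
```

Run it as-is to see the two sample lines classified side by side; to use it on a real `_internal` export, pass the file's lines to `summarize`. The `user` and `client` fields are included because, when the classification is `ingested-signin-failure`, those are the fields that say whose sign-in failed and from what client.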

robayers
Explorer

No luck, all permissions checked, secret key and expiration checked, still getting the errors.


robayers
Explorer

I've confirmed all of the above permissions are set correctly.


VatsalJagani
Champion

Just make sure that no manual code modification has been done.


To make sure you have all the right files available from the Add-on:

Upgrade to the latest version (perform the upgrade even though you are already on the latest version) of the Add-on and reconfigure that particular input.


VatsalJagani
Champion

@robayers - This sounds like a weird error message, considering you are using the same account for all other inputs as well.

- Just make sure your credentials (Client ID and Client Secret) have not expired on the Azure App.

As a safeguard, I would just check whether the Azure App that you are using for credentials has the right permissions or not.

The following are the permissions required:

Office 365 Management APIs
(Application) ActivityFeed.Read
(Application) ServiceHealth.Read
(Application) ActivityFeed.ReadDlp (if collecting DLP data)

(Delegated) ActivityFeed.Read
(Delegated) ServiceHealth.Read
(Delegated) ActivityFeed.ReadDlp (if collecting DLP data)

Microsoft Graph

(Application) AuditLog.Read.All
(Application) Policy.Read.All
(Application) Reports.Read.All
(Application) Directory.Read.All


Hope this helps!
