
Why does Splunk Add-on for Microsoft Office 365 have credential errors with only 1 input?

robayers
Explorer

I have the Splunk Add-on for Microsoft Office 365 app running and collecting all of the inputs successfully with the exception of the Audit Logs input. I have it collecting logs from multiple O365 tenants, and all of them have the same errors with the Audit Log input.

The _internal log has the errors indicating it's an issue with the username and credentials. This app doesn't use credentials, it uses keys. The keys for the Azure app are valid and not expired. I can log in successfully to the tenant with the same credentials that are shown in the error message.

The error is below and has been sanitized.

2022-03-30 09:10:08,938 level=DEBUG pid=8229 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api.GraphApiConsumer pos=GraphApiConsumer.py:_ingest:79 | datainput=b'se_audit_log_signins' start_time=1648645805 | message="ingesting message " message=graphApiMessage(id='XXXXXXXX-YYYY-XXX5-YYYY-ZZZZZZZZ', update_time=datetime.datetime(2022, 3, 30, 13, 10, 8, 751629), data='{"id": "XXXXXXXX-aXX-4cXXX-XXXX-XXXXXXXX", "createdDateTime": "2022-03-29T14:44:07Z", "userDisplayName": "XXXX XXXX", "userPrincipalName": "XXXX@YYYY.com", "userId": "XXXXXXXXXXXXXXXXXX", "appId": "00000002-0000-0ff1-ce00-000000000000", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "123.123.122.123", "clientAppUsed": "Reporting Web Services", "correlationId": "XXXXXXXX-YYYY-ZZZZ-QQQQQQQQ", "conditionalAccessStatus": "notApplied", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 Exchange Online", "resourceId": "XXXXXXXX-0000-0XXX-XX00-000000000000", "status": {"errorCode": 50126, "failureReason": "Error validating credentials due to invalid username or password.", "additionalDetails": "The user didn\'t enter the right credentials. \\u00a0It\'s expected to see some number of these errors in your logs due to users making mistakes."}, "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "", "browser": "Python Requests 2.22", "isCompliant": false, "isManaged": false, "trustType": ""}, "location": {"city": "somewhere", "state": "XXXXXX", "countryOrRegion": "US", "geoCoordinates": {"altitude": null, "latitude": XX.XXXX, "longitude": -XX.XXXX}}, "appliedConditionalAccessPolicies": []}', key='XXXXXX-XXXX-XXXX-XX-XXXXXXXXX')

 

Any thoughts? It's working for all other inputs.

Thanks, Robert
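The DEBUG line above is a Python-style repr of a graphApiMessage whose data field carries one Azure AD sign-in record as a JSON string. As an added example (not from the post and not the add-on's own code), the parser below unwraps that field and summarises the parts an analyst looks at first when triaging such a record: the status block with its errorCode and failureReason, clientAppUsed, the browser string under deviceDetail, and ipAddress. SAMPLE_LINE is constructed, modelled on the line in the post with the masked identifiers, user and coordinates replaced by placeholder values, because the sanitized original is no longer valid JSON.

```python
"""Unwrap the sign-in record embedded in a Splunk_TA_o365 GraphApiConsumer DEBUG line.

Added example, not from the post or the add-on. SAMPLE_LINE is a constructed
line modelled on the one in the post: masked identifiers, coordinates and the
user are replaced by placeholder values so that the embedded JSON is valid.
"""
import ast
import json
import re

SAMPLE_LINE = (
    "2022-03-30 09:10:08,938 level=DEBUG pid=8229 tid=MainThread "
    "logger=splunk_ta_o365.modinputs.graph_api.GraphApiConsumer "
    "pos=GraphApiConsumer.py:_ingest:79 | datainput=b'se_audit_log_signins' "
    "start_time=1648645805 | message=\"ingesting message \" "
    "message=graphApiMessage(id='00000000-0000-0000-0000-000000000001', "
    "update_time=datetime.datetime(2022, 3, 30, 13, 10, 8, 751629), "
    "data='{\"id\": \"00000000-0000-0000-0000-000000000002\", "
    "\"createdDateTime\": \"2022-03-29T14:44:07Z\", "
    "\"userPrincipalName\": \"user@example.com\", "
    "\"appDisplayName\": \"Office 365 Exchange Online\", "
    "\"ipAddress\": \"203.0.113.10\", \"clientAppUsed\": \"Reporting Web Services\", "
    "\"status\": {\"errorCode\": 50126, "
    "\"failureReason\": \"Error validating credentials due to invalid username or password.\", "
    "\"additionalDetails\": \"The user didn\\'t enter the right credentials. "
    "\\\\u00a0It\\'s expected to see some number of these errors in your logs due to users making mistakes.\"}, "
    "\"deviceDetail\": {\"browser\": \"Python Requests 2.22\", \"isCompliant\": false}, "
    "\"location\": {\"countryOrRegion\": \"US\", "
    "\"geoCoordinates\": {\"latitude\": 40.0, \"longitude\": -74.0}}}', "
    "key='00000000-0000-0000-0000-000000000003')"
)

# The data field is a Python string literal (single-quoted, backslash-escaped)
# holding JSON. Match it while honouring escaped quotes inside it.
_DATA_RE = re.compile(r"data='((?:[^'\\]|\\.)*)'")


def extract_signin(line: str) -> dict:
    """Return the sign-in record carried in the line's data='...' field."""
    match = _DATA_RE.search(line)
    if not match:
        raise ValueError("no data='...' field in line")
    raw_json = ast.literal_eval("'" + match.group(1) + "'")  # undo the repr escaping
    return json.loads(raw_json)                               # then decode the record


def summarize(record: dict) -> dict:
    """Fields an analyst looks at first when triaging a sign-in record."""
    status = record.get("status", {})
    device = record.get("deviceDetail", {})
    return {
        "time": record.get("createdDateTime"),
        "user": record.get("userPrincipalName"),
        "app": record.get("appDisplayName"),
        "client": record.get("clientAppUsed"),
        "browser": device.get("browser"),
        "ip": record.get("ipAddress"),
        "errorCode": status.get("errorCode"),
        "failureReason": status.get("failureReason"),
        "succeeded": status.get("errorCode") == 0,  # Graph reports success as errorCode 0
    }


if __name__ == "__main__":
    for key, value in summarize(extract_signin(SAMPLE_LINE)).items():
        print(f"{key:>14}: {value}")
```

The two-step decode matters: the add-on logged the record through Python's repr, so the JSON string is first a Python literal (escaped quotes, doubled backslashes) and only then JSON; decoding it with json.loads directly would fail on the `\'` sequences.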

robayers
Explorer

No luck, all permissions checked, secret key and expiration checked, still getting the errors.

robayers
Explorer

I've confirmed all of the above permissions are set correctly.


VatsalJagani
SplunkTrust

Just make sure no manual code modification has been done.

To make sure you have all the right files available from the Add-on:

Upgrade to the latest version of the Add-on (perform the upgrade even though you are already on the latest version) and reconfigure that particular input.


VatsalJagani
SplunkTrust

@robayers - This sounds like a weird error message, considering you are using the same account for all other inputs as well.

- Just make sure your credentials (Client ID and Client Secret) have not expired on the Azure App.

To be safe, I would also check whether the Azure App that you are using for credentials has the right permissions.

The following permissions are required:

Office 365 Management APIs
(Application) ActivityFeed.Read
(Application) ServiceHealth.Read
(Application) ActivityFeed.ReadDlp (if collecting DLP data)

(Delegated) ActivityFeed.Read
(Delegated) ServiceHealth.Read
(Delegated) ActivityFeed.ReadDlp (if collecting DLP data)

Microsoft Graph

(Application) AuditLog.Read.All
(Application) Policy.Read.All
(Application) Reports.Read.All
(Application) Directory.Read.All

 

Hope this helps!

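One way to verify the two checks in this answer from a script, that the secret is still accepted and that the application permissions were actually granted, is to request a client-credentials token for each resource and inspect its roles claim, which lists the application permissions Azure AD granted to the app. This is an added example, not the add-on's own code: TENANT_ID, CLIENT_ID and CLIENT_SECRET are placeholders you supply through the environment, the permission lists are the ones given in the answer, and make_unsigned_token builds a constructed token so the role comparison can be exercised offline. Delegated permissions cannot be checked this way, because they appear (in the scp claim) only in tokens issued on behalf of a signed-in user.

```python
"""Verify an Azure app registration's client secret and application permissions
for the Splunk Add-on for Microsoft Office 365.

Added example, not part of the add-on. TENANT_ID, CLIENT_ID and CLIENT_SECRET
are placeholders; the permission lists come from the answer above.
"""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Application permissions from the answer, keyed by the OAuth2 scope whose
# token carries them in its "roles" claim.
REQUIRED_APP_ROLES = {
    "https://manage.office.com/.default": ["ActivityFeed.Read", "ServiceHealth.Read"],
    "https://graph.microsoft.com/.default": [
        "AuditLog.Read.All", "Policy.Read.All", "Reports.Read.All", "Directory.Read.All",
    ],
}
DLP_ROLE = "ActivityFeed.ReadDlp"  # Office 365 Management APIs, only if collecting DLP data


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. The signature is not checked: this is a
    local look at a token we just received from the issuer, not a trust decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT")
    return json.loads(_b64url_decode(parts[1]))


def missing_app_roles(token: str, required: list) -> list:
    """Required application permissions that are absent from the roles claim."""
    granted = set(decode_claims(token).get("roles", []))
    return sorted(role for role in required if role not in granted)


def fetch_token(tenant_id: str, client_id: str, client_secret: str, scope: str) -> str:
    """OAuth2 client-credentials grant against the Azure AD v2.0 token endpoint.
    A wrong or expired secret surfaces here as an HTTP error whose JSON body
    carries error and error_description; surface that text instead of a bare status."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
            return json.load(resp)["access_token"]
    except urllib.error.HTTPError as err:
        detail = json.loads(err.read().decode() or "{}")
        raise RuntimeError(f"token request failed: {detail.get('error')}: "
                           f"{detail.get('error_description')}") from err


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the role check can run offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def check_app(tenant_id: str, client_id: str, client_secret: str, collect_dlp: bool = False) -> dict:
    """Request a token per resource and report the application permissions still missing."""
    report = {}
    for scope, roles in REQUIRED_APP_ROLES.items():
        needed = list(roles)
        if collect_dlp and scope.startswith("https://manage.office.com"):
            needed.append(DLP_ROLE)
        token = fetch_token(tenant_id, client_id, client_secret, scope)
        report[scope] = missing_app_roles(token, needed)
    return report


if __name__ == "__main__":
    # Offline demonstration with a constructed token: two Graph roles are missing.
    demo = make_unsigned_token({"roles": ["AuditLog.Read.All", "Directory.Read.All"]})
    print(missing_app_roles(demo, REQUIRED_APP_ROLES["https://graph.microsoft.com/.default"]))
    # Live check, only when the placeholders are supplied through the environment.
    if all(os.environ.get(k) for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")):
        print(check_app(os.environ["TENANT_ID"], os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"]))
```

An empty list for every scope means the secret was accepted and each application permission in the answer is present in the token; a permission that was added in the portal but never admin-consented does not show up in roles and will be reported as missing.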