
Why does Splunk Add-on for Microsoft Office 365 have credential errors with only 1 input?

robayers
Explorer

I have the Splunk Add-on for Microsoft Office 365 app running and collecting all of the inputs successfully with the exception of the Audit Logs input. I have it collecting logs from multiple O365 tenants, and all of them have the same errors with the Audit Log input.

The _internal log has the errors indicating it's an issue with the username and credentials. This app doesn't use credentials, it uses keys. The keys for the Azure app are valid and not expired. I can log in successfully to the tenant with the same credentials that are shown in the error message.

The error is below and has been sanitized.

2022-03-30 09:10:08,938 level=DEBUG pid=8229 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api.GraphApiConsumer pos=GraphApiConsumer.py:_ingest:79 | datainput=b'se_audit_log_signins' start_time=1648645805 | message="ingesting message " message=graphApiMessage(id='XXXXXXXX-YYYY-XXX5-YYYY-ZZZZZZZZ', update_time=datetime.datetime(2022, 3, 30, 13, 10, 8, 751629), data='{"id": "XXXXXXXX-aXX-4cXXX-XXXX-XXXXXXXX", "createdDateTime": "2022-03-29T14:44:07Z", "userDisplayName": "XXXX XXXX", "userPrincipalName": "XXXX@YYYY.com", "userId": "XXXXXXXXXXXXXXXXXX", "appId": "00000002-0000-0ff1-ce00-000000000000", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "123.123.122.123", "clientAppUsed": "Reporting Web Services", "correlationId": "XXXXXXXX-YYYY-ZZZZ-QQQQQQQQ", "conditionalAccessStatus": "notApplied", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 Exchange Online", "resourceId": "XXXXXXXX-0000-0XXX-XX00-000000000000", "status": {"errorCode": 50126, "failureReason": "Error validating credentials due to invalid username or password.", "additionalDetails": "The user didn\'t enter the right credentials. \\u00a0It\'s expected to see some number of these errors in your logs due to users making mistakes."}, "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "", "browser": "Python Requests 2.22", "isCompliant": false, "isManaged": false, "trustType": ""}, "location": {"city": "somewhere", "state": "XXXXXX", "countryOrRegion": "US", "geoCoordinates": {"altitude": null, "latitude": XX.XXXX, "longitude": -XX.XXXX}}, "appliedConditionalAccessPolicies": []}', key='XXXXXX-XXXX-XXXX-XX-XXXXXXXXX')

 

Any thoughts? It's working for all other inputs.

Thanks, Robert

 

 

0 Karma

robayers
Explorer

No luck, all permissions checked, secret key and expiration checked, still getting the errors.

0 Karma

robayers
Explorer

I've confirmed all of the above permissions are set correctly.

0 Karma

VatsalJagani
SplunkTrust

 Just make sure there is no manual code modification that has been done.

 

To make sure you have all the right files available from the Add-on:

Upgrade to the latest version (perform the upgrade even though you are already on the latest version) of the Add-on and reconfigure that particular input.

0 Karma

VatsalJagani
SplunkTrust

@robayers - This sounds like a weird error message, considering you are using the same account for all other inputs as well.

- Just make sure your credentials (Client ID and Client Secret) have not expired on the Azure App.

As a safeguard, I would just check whether the Azure App that you are using for credentials has the right permissions or not.

The following permissions are required:

Office 365 Management APIs
(Application) ActivityFeed.Read
(Application) ServiceHealth.Read
(Application) ActivityFeed.ReadDlp (if collecting DLP data)

(Delegated) ActivityFeed.Read
(Delegated) ServiceHealth.Read
(Delegated) ActivityFeed.ReadDlp (if collecting DLP data)

Microsoft Graph

(Application) AuditLog.Read.All
(Application) Policy.Read.All
(Application) Reports.Read.All
(Application) Directory.Read.All

 

Hope this helps!

0 Karma
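
Added example, not part of the thread or of the add-on's code: one way to check the application permissions listed in the answer above is to decode an app-only access token issued to the Azure app and compare its roles claim with that list. It assumes application permissions appear in the roles claim once admin consent has been granted; the function names and the sample token are constructed for illustration.

```python
import base64
import json

# Application permissions from the answer above, grouped by API.
REQUIRED = {
    "Office 365 Management APIs": {"ActivityFeed.Read", "ServiceHealth.Read"},
    "Microsoft Graph": {
        "AuditLog.Read.All", "Policy.Read.All",
        "Reports.Read.All", "Directory.Read.All",
    },
}
DLP_PERMISSION = "ActivityFeed.ReadDlp"  # only needed when collecting DLP data


def jwt_claims(token):
    """Return the claims of a JWT. The signature is NOT verified: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_permissions(token, api, collecting_dlp=False):
    """List required application permissions absent from the token's 'roles' claim."""
    required = set(REQUIRED[api])
    if collecting_dlp and api == "Office 365 Management APIs":
        required.add(DLP_PERMISSION)
    granted = set(jwt_claims(token).get("roles", []))  # no claim => nothing consented
    return sorted(required - granted)


def make_sample_token(roles):
    """Build an unsigned, constructed token for the demo (not a real credential)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none", "typ": "JWT"}), b64({"roles": roles}), "sig"])


if __name__ == "__main__":
    # Constructed sample: Graph token where AuditLog.Read.All was never consented.
    sample = make_sample_token(["Policy.Read.All", "Reports.Read.All", "Directory.Read.All"])
    print(missing_permissions(sample, "Microsoft Graph"))
```

An empty result for each API means every permission in the list is present in the token; tokens for the two APIs are issued separately, so check one token per API.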