Why does Splunk Add-on for Microsoft Office 365 have credential errors with only 1 input?

robayers
Explorer

I have the Splunk Add-on for Microsoft Office 365 app running and collecting all of the inputs successfully with the exception of the Audit Logs input. I have it collecting logs from multiple O365 tenants, and all of them have the same errors with the Audit Log Input.

The _internal log has the errors indicating it's an issue with the username and credentials. This app doesn't use credentials, it uses keys. The keys for the Azure app are valid, and not expired. I can log in successfully to the tenant with the same credentials that are shown in the error message.

The error is below and has been sanitized.

2022-03-30 09:10:08,938 level=DEBUG pid=8229 tid=MainThread logger=splunk_ta_o365.modinputs.graph_api.GraphApiConsumer pos=GraphApiConsumer.py:_ingest:79 | datainput=b'se_audit_log_signins' start_time=1648645805 | message="ingesting message " message=graphApiMessage(id='XXXXXXXX-YYYY-XXX5-YYYY-ZZZZZZZZ', update_time=datetime.datetime(2022, 3, 30, 13, 10, 8, 751629), data='{"id": "XXXXXXXX-aXX-4cXXX-XXXX-XXXXXXXX", "createdDateTime": "2022-03-29T14:44:07Z", "userDisplayName": "XXXX XXXX", "userPrincipalName": "XXXX@YYYY.com", "userId": "XXXXXXXXXXXXXXXXXX", "appId": "00000002-0000-0ff1-ce00-000000000000", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "123.123.122.123", "clientAppUsed": "Reporting Web Services", "correlationId": "XXXXXXXX-YYYY-ZZZZ-QQQQQQQQ", "conditionalAccessStatus": "notApplied", "isInteractive": true, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Office 365 Exchange Online", "resourceId": "XXXXXXXX-0000-0XXX-XX00-000000000000", "status": {"errorCode": 50126, "failureReason": "Error validating credentials due to invalid username or password.", "additionalDetails": "The user didn\'t enter the right credentials. \\u00a0It\'s expected to see some number of these errors in your logs due to users making mistakes."}, "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "", "browser": "Python Requests 2.22", "isCompliant": false, "isManaged": false, "trustType": ""}, "location": {"city": "somewhere", "state": "XXXXXX", "countryOrRegion": "US", "geoCoordinates": {"altitude": null, "latitude": XX.XXXX, "longitude": -XX.XXXX}}, "appliedConditionalAccessPolicies": []}', key='XXXXXX-XXXX-XXXX-XX-XXXXXXXXX')

 

Any thoughts? It's working for all other inputs.

Thanks, Robert

 

 

0 Karma
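Added example, not part of the thread or of the add-on's own code: a small parser for a line shaped like the one quoted above. It reports the add-on's own log level and message separately from the `status` block of the sign-in record carried in `data='...'`. The sample lines and the `triage` helper are constructed for illustration.

```python
import ast
import json
import re

# Constructed sample shaped like the quoted log line; every value is a placeholder.
SAMPLE = (
    r'''2022-03-30 09:10:08,938 level=DEBUG pid=8229 tid=MainThread '''
    r'''logger=splunk_ta_o365.modinputs.graph_api.GraphApiConsumer '''
    r'''pos=GraphApiConsumer.py:_ingest:79 | datainput=b'se_audit_log_signins' '''
    r'''start_time=1648645805 | message="ingesting message " '''
    r'''message=graphApiMessage(id='XXXX', data='{"userPrincipalName": "XXXX@YYYY.com", '''
    r'''"status": {"errorCode": 50126, "failureReason": "Error validating credentials '''
    r'''due to invalid username or password.", "additionalDetails": "The user didn\'t '''
    r'''enter the right credentials."}, "deviceDetail": {"browser": '''
    r'''"Python Requests 2.22"}}', key='XXXX')'''
)
# Constructed contrast line: a failure logged by the add-on itself (text is made up).
ADDON_ERROR = (
    "2022-03-30 09:10:09,001 level=ERROR pid=8229 tid=MainThread "
    'logger=splunk_ta_o365.modinputs.graph_api.GraphApiConsumer message="constructed failure"'
)

def triage(line):
    """Split the add-on's own log fields from the sign-in record embedded in data='...'."""
    level = re.search(r"\blevel=(\w+)", line).group(1)
    note = re.search(r'\bmessage="([^"]*)"', line)
    out = {"level": level, "addon_message": note.group(1).strip() if note else None}
    payload = re.search(r"data='(.*)', key='", line)
    event = {}
    if payload:
        try:
            # data= is a Python repr: undo its escaping first, then parse the JSON inside.
            event = json.loads(ast.literal_eval("'" + payload.group(1) + "'"))
        except (ValueError, SyntaxError):
            event = {}  # sanitized or truncated payloads may not be valid JSON
    status = event.get("status") or {}
    out["event_error"] = status.get("errorCode")
    out["event_reason"] = status.get("failureReason")
    out["client"] = (event.get("deviceDetail") or {}).get("browser")
    if out["event_error"]:
        out["origin"] = "ingested sign-in record"
    else:
        out["origin"] = "add-on" if level in ("ERROR", "CRITICAL") else "none"
    return out

if __name__ == "__main__":
    for sample_line in (SAMPLE, ADDON_ERROR):
        print(triage(sample_line))
```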

robayers
Explorer

No luck, all permissions checked, secret key and expiration checked, still getting the errors.

0 Karma

robayers
Explorer

I've confirmed all of the above permissions are set correctly.

0 Karma

VatsalJagani
Super Champion

 Just make sure there is no manual code modification that has been done.

 

To make sure you have all the right files available from the Add-on:

Upgrade to the latest version (perform the upgrade even though you are already on the latest version) of the Add-on and reconfigure that particular input.

0 Karma

VatsalJagani
Super Champion

@robayers - This sounds like a weird error message, considering you are using the same account for all other inputs as well.

- Just make sure your credentials (Client ID and Client Secret) have not expired on the Azure App.

As a safeguard, I would just check whether the Azure App that you are using for credentials has the right permissions or not.

The following permissions are required:

Office 365 Management APIs
(Application) ActivityFeed.Read
(Application) ServiceHealth.Read
(Application) ActivityFeed.ReadDlp (if collecting DLP data)

(Delegated) ActivityFeed.Read
(Delegated) ServiceHealth.Read
(Delegated) ActivityFeed.ReadDlp (if collecting DLP data)

Microsoft Graph

(Application) AuditLog.Read.All
(Application) Policy.Read.All
(Application) Reports.Read.All
(Application) Directory.Read.All

 

Hope this helps!

0 Karma