Add-on for MS Office 365 question

adamblock2
Path Finder

I am in the process of trying to configure a Tenant in this add-on.  Some of the required values are available in the Azure AD integration application.  There are a number of others that I have not been able to find values for.

The first 3 items I have values for, the last 3 I do not.  Assistance with this would be appreciated.

  • Tenant ID is the Directory ID from Azure Active Directory.
  • Client ID is the Application ID from the registered application within the Azure Active Directory.
  • Client Secret is the registered application key for the corresponding application.
  • Cloud Application Security Token is the registered application key for the corresponding tenant.
  • Tenant Subdomain is the first component of the Cloud App Security Portal URL. For example, https://<tenant_subdomain>.<tenant_datacenter>.portal.cloudappsecurity.com.
  • Tenant Data Center is the second component of the Cloud App Security Portal URL. For example, https://<tenant_subdomain>.<tenant_datacenter>.portal.cloudappsecurity.com.
     
     
0 Karma

marcluescher
Explorer

I am exactly in the same situation.

To get a token for value 4, we followed the following steps and used curl to get a token. Unfortunately, that token does not pass the Splunk add-on validation, but it passed MS validation as a valid token.

https://docs.microsoft.com/en-us/defender-cloud-apps/api-authentication

We then tested the token with jwt.ms and it comes back as valid with proper roles.

For steps 5 and 6 we used our assigned Cloud Apps URL, like https://tenant.portal.cloudappsecurity.com.

But still no luck. Since the app is Splunk built I hope they can help here.

 

 

0 Karma
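The following is an added example, not part of any post above and not code from Splunk or Microsoft. It splits a Cloud App Security portal URL into the Tenant Subdomain and Tenant Data Center fields as the list in the question defines them, and decodes a JWT's claims locally (the same inspection jwt.ms performs, without sending the token anywhere). The function names are hypothetical, "contoso", "us2" and the sample token are constructed values, and the code does not reproduce the add-on's own validation.

```python
import base64, json, time
from urllib.parse import urlsplit

PORTAL_SUFFIX = ".portal.cloudappsecurity.com"

def split_portal_url(url):
    """Return (tenant_subdomain, tenant_datacenter); data center is None if the host lacks it."""
    host = (urlsplit(url.strip()).hostname or "").lower()
    if not host.endswith(PORTAL_SUFFIX):
        raise ValueError(f"not a Cloud App Security portal URL: {url!r}")
    labels = host[:-len(PORTAL_SUFFIX)].split(".")
    if not all(labels) or len(labels) > 2:
        raise ValueError(f"unexpected host layout: {host!r}")
    return labels[0], (labels[1] if len(labels) == 2 else None)

def jwt_claims(token):
    """Decode the JWT payload locally. No signature check: inspection only."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

def token_summary(token, now=None):
    """Audience, roles and expiry state: the fields to compare when validation fails."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    return {"aud": claims.get("aud"), "roles": claims.get("roles", []),
            "expired": claims.get("exp", 0) <= now}

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token (not a real credential): unsigned, made-up claims.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "none", "typ": "JWT"}),
    _b64url({"aud": "constructed-audience", "roles": ["constructed.role"], "exp": 2000000000}),
    "constructed-signature"])

if __name__ == "__main__":
    # "contoso" and "us2" are constructed; the second URL is the form quoted in the thread.
    for url in ("https://contoso.us2.portal.cloudappsecurity.com",
                "https://tenant.portal.cloudappsecurity.com"):
        print(url, "->", split_portal_url(url))
    print(token_summary(SAMPLE_TOKEN))
```

A `None` data center means the URL has no second component to enter in the Tenant Data Center field, which is the case for the two-label URL form mentioned in the thread.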

adamblock2
Path Finder

We recently had a conversation with a MS support engineer who suggested that since we are just reading the logs, the Cloud Application Security Token, Tenant Subdomain, and Tenant Data Center values may not be required.

I have not had an opportunity to test this yet, but I would suggest giving that a try.

0 Karma

aplackemeier
Observer

I believe the last 3 are only needed in a multi tenant situation. Ran across this when ours expired and we had to update. 

https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant

Submit a ticket to support asking them to update and clarify the documentation. That is the only way it will get changed. 

0 Karma

marcluescher
Explorer

It's the same outcome with or without those URLs; it's the token validation part which seems either broken or needs something different.

I wish they had better documentation for this new requirement of a secret and cloud token.

Many customers will run into this once the secrets expire.

0 Karma