How can I authenticate (Basic HTTP) a workflow action?


I am collecting O365 email logs using Microsoft's MessageTrace API. There is another API called MessageTraceDetail, which uses two fields from an email event (MessageTraceId and RecipientAddress). I was able to build a workflow action that calls the API using the two criteria from an event. It works great, but it asks for authentication (username and password) to O365. Once I log in, it displays the results fine, in JSON. Is there any way to securely bake in those credentials in a conf so that the user doesn't need to input credentials?

API:$format=json&... eq '$RecipientAddress$' and MessageTraceId eq guid'$MessageTraceId$'


The Office 365 Reporting web service uses basic authentication, which means that you have to send an Authorization header with your request. The header value is "Basic base64encode(username:password)"; look up basic authentication and you will see examples.

I don't see a way to send this header using workflow actions. If you don't write your own Python scripts, you should check out:
Splunk REST API Modular Input app -
REST storage/passwords Manager for Splunk -

If you want to index messagetrace and messagetracedetail data, you need to request the trace data, take the values from the trace and put them in the tracedetail request. You can set this up to run all the time and index all mail trace and tracedetail events.
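
The header and the detail request described in the answer above, as an added example that is not part of the original thread or of any Splunk app. The endpoint URL, the `$filter` parameter name, the function names and the sample event are assumptions; the password is expected to be fetched at run time (for example from storage/passwords) rather than written into a conf file.

```python
import base64
import uuid
from urllib.parse import quote
from urllib.request import Request

# Assumed endpoint of the Office 365 Reporting web service (not given on the page).
DETAIL_URL = "https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTraceDetail"


def basic_auth_header(username, password):
    """Return the Authorization value 'Basic base64(username:password)'."""
    if ":" in username:
        raise ValueError("username must not contain ':' for Basic auth")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def detail_filter(event):
    """Build the filter for one trace event, rejecting malformed field values."""
    # uuid.UUID raises ValueError unless the value parses as a GUID, and str()
    # re-emits it in canonical form, so event data cannot alter the filter.
    trace_id = str(uuid.UUID(event["MessageTraceId"]))
    recipient = event["RecipientAddress"].replace("'", "''")  # OData literal escaping
    return f"RecipientAddress eq '{recipient}' and MessageTraceId eq guid'{trace_id}'"


def detail_request(event, username, password):
    """Prepare (but do not send) the MessageTraceDetail request for one trace event."""
    url = f"{DETAIL_URL}?$format=json&$filter={quote(detail_filter(event))}"
    req = Request(url)
    req.add_header("Authorization", basic_auth_header(username, password))
    return req


# Constructed sample event; real events come from the MessageTrace results.
SAMPLE_EVENT = {
    "MessageTraceId": "3f2504e0-4f89-11d3-9a0c-0305e82c3301",
    "RecipientAddress": "o'brien@example.com",
}

if __name__ == "__main__":
    # Placeholder credentials; a scripted or modular input would read the real
    # password from the credential store when it runs.
    req = detail_request(SAMPLE_EVENT, "svc-report@example.com", "placeholder-password")
    print(req.full_url)  # the Authorization header is deliberately not printed
```

Basic authentication only encodes the credentials, so the request must go over HTTPS and the header value should be kept out of logs.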
