Getting Data In

microsoft azure add-on for Splunk is unable to pull ad risky sign-on logs

ashikuma
Explorer

microsoft azure add-on for Splunk is unable to pull ad risky sign-on logs

if we look for internal logs , getting below mentioned events frequently , didn't see any issue but still we are not seeing any data.

2019-12-23 14:44:18,779 DEBUG pid=28967 tid=MainThread file=connectionpool.py:new_conn:809 | Starting new HTTPS connection (1): graph.microsoft.com
2019-12-23 14:44:18,772 INFO pid=28967 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
2019-12-23 14:44:18,772 DEBUG pid=28967 tid=MainThread file=base_modinput.py:log_debug:286 | _Splunk
Getting proxy server.
2019-12-23 14:44:18,772 DEBUG pid=28967 tid=MainThread file=base_modinput.py:log_debug:286 | Splunk nextLink URL (@odata.nextLink): https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
2019-12-23 14:44:18,134 DEBUG pid=28967 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+gt+2019-12-22T14%3a42%3a44.517899Z+and+createdDateTime+le+2019-12-23T14%3a35%3a44.819576Z&$skiptoken=*****************************_16000 HTTP/1.1" 200 None

0 Karma

dave_null
Path Finder

1. Are you getting any logs at all from this app? Whether sign ins, users, directory audit, risk detections, or directory devices? 

2. Are you using the latest version of the app?

3. Are you using a proxy in your environment? I see from the message that it is not using a in the app, but if a proxy is blocking your internet access then this could make a problem.

4. Have you double-checked your Tenant ID, Client ID, and Client Secret (the latter two are for your App Registration which must have the required permissions https://docs.google.com/spreadsheets/d/1YJAqNmcXZU-7O9CxVKupOkR6q2S8TXriMeLAUMYmMs4/edit?usp=sharing

0 Karma

JimboSlice
Path Finder

OK so he added the permission, now seen this error on a one-off basis:

 

2021-04-09 13:56:10,464 ERROR pid=136881 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_user.py", line 76, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_user.py", line 36, in collect_events
users_response = azutils.get_items_batch(helper, access_token, url)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 55, in get_items_batch
raise e
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 49, in get_items_batch
r.raise_for_status()
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/requests/models.py", line 940, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://graph.microsoft.com/beta/users/

0 Karma

JimboSlice
Path Finder

Hi Dave, thanks for the fast response.

I have been given the details from devops for logins, we still need to set permissions etc on the azure side, but expecting an error detailing this, when it does happen.

The version we're using is not the latest, its the one before as we're using it for eventhubs right now, so we cant bump it up.

We're running on S8 and dont use a proxy, proxy is disabled, we do however have URL whitelisting on our firewalls.

Can you please confirm the URLs that are used for obtaining AAD Users?

I've asked devops to check for anything on the azure side.

Thanks

J

0 Karma

JimboSlice
Path Finder

Hi, i have the same issue, what was your resolution?

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...