Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

microsoft azure add-on for Splunk is unable to pull ad risky sign-on logs

ashikuma
Explorer
‎12-23-2019 06:52 AM

microsoft azure add-on for Splunk is unable to pull ad risky sign-on logs

if we look for internal logs , getting below mentioned events frequently , didn't see any issue but still we are not seeing any data.

2019-12-23 14:44:18,779 DEBUG pid=28967 tid=MainThread file=connectionpool.py:new_conn:809 | Starting new HTTPS connection (1): graph.microsoft.com
2019-12-23 14:44:18,772 INFO pid=28967 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
2019-12-23 14:44:18,772 DEBUG pid=28967 tid=MainThread file=base_modinput.py:log_debug:286 | _Splunk Getting proxy server.
2019-12-23 14:44:18,772 DEBUG pid=28967 tid=MainThread file=base_modinput.py:log_debug:286 | Splunk nextLink URL (@odata.nextLink): https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
2019-12-23 14:44:18,134 DEBUG pid=28967 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+gt+2019-12-22T14%3a42%3a44.517899Z+and+createdDateTime+le+2019-12-23T14%3a35%3a44.819576Z&$skiptoken=*****************************_16000 HTTP/1.1" 200 None

0 Karma
Reply

dave_null
Path Finder
‎04-09-2021 05:47 AM

1. Are you getting any logs at all from this app? Whether sign ins, users, directory audit, risk detections, or directory devices? 

2. Are you using the latest version of the app?

3. Are you using a proxy in your environment? I see from the message that it is not using a in the app, but if a proxy is blocking your internet access then this could make a problem.

4. Have you double-checked your Tenant ID, Client ID, and Client Secret (the latter two are for your App Registration which must have the required permissions https://docs.google.com/spreadsheets/d/1YJAqNmcXZU-7O9CxVKupOkR6q2S8TXriMeLAUMYmMs4/edit?usp=sharing

0 Karma
Reply

JimboSlice
Path Finder
‎04-09-2021 06:02 AM

OK so he added the permission, now seen this error on a one-off basis:

 

2021-04-09 13:56:10,464 ERROR pid=136881 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_user.py", line 76, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_user.py", line 36, in collect_events
users_response = azutils.get_items_batch(helper, access_token, url)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 55, in get_items_batch
raise e
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 49, in get_items_batch
r.raise_for_status()
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/requests/models.py", line 940, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://graph.microsoft.com/beta/users/

0 Karma
Reply

JimboSlice
Path Finder
‎04-09-2021 05:51 AM

Hi Dave, thanks for the fast response.

I have been given the details from devops for logins, we still need to set permissions etc on the azure side, but expecting an error detailing this, when it does happen.

The version we're using is not the latest, its the one before as we're using it for eventhubs right now, so we cant bump it up.

We're running on S8 and dont use a proxy, proxy is disabled, we do however have URL whitelisting on our firewalls.

Can you please confirm the URLs that are used for obtaining AAD Users?

I've asked devops to check for anything on the azure side.

Thanks

J

0 Karma
Reply

JimboSlice
Path Finder
‎04-09-2021 05:31 AM

Hi, i have the same issue, what was your resolution?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...