Monitoring Splunk

Splunk Add-on for O365: Why am I receiving Invalid Token?

jadengoho
Builder

Hi,
Why are we receiving this kind of issue on "o365:cas:api" while the others listed below are working as expected?

  • o365:graph:api
  • o365:management:activity
  • o365:service:updateMessage

We didn't put a Cloud App Security Token in the tenant configuration since we already have the Client Secret, Tenant ID, Client Id, Tenant Subdomain and Tenant Data Center. Is it needed for the "o365:cas:api" to work?

ERROR:

2022-02-28 07:02:42,801 level=ERROR pid=23110 tid=MainThread logger=splunk_ta_o365.modinputs.cloud_app_security pos=utils.py:wrapper:72 | datainput=b'at_rbi_cloud_microsoft_cloud_application_security_files' start_time=1646031762 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last):
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/utils.py", line 70, in wrapper
return func(*args, **kwargs)
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/cloud_app_security.py", line 184, in run
return consumer.run()
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/cloud_app_security.py", line 47, in run
for message in reports.get(self._session):
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 639, in get
raise O365PortalError(response)
splunk_ta_o365.common.portal.O365PortalError: 401:{"detail":"Invalid token"}

2022-02-28 07:02:42,801 level=ERROR pid=23110 tid=MainThread logger=splunk_ta_o365.common.portal pos=portal.py:__init__:50 | datainput=b'at_rbi_cloud_microsoft_cloud_application_security_files' start_time=1646031762 | message="failed to get error code" body=b'{"detail":"Invalid token"}'
Traceback (most recent call last):
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 44, in __init__
self._code = data['error']['code']
0 Karma
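The two log entries above show a 401 whose body is `{"detail":"Invalid token"}`, followed by a second failure where `portal.py` reads `data['error']['code']` from that same body. The following is an added example, not code from the add-on or from any poster: it triages such log lines per data input and reads either error body shape without raising. The sample lines, the input name `example_cas_files`, and the 403 entry are constructed.

```python
import json
import re

# Constructed sample lines, modelled on the log format quoted in the question.
SAMPLE_LOG = [
    "2022-02-28 07:02:42,801 level=ERROR pid=23110 tid=MainThread "
    "logger=splunk_ta_o365.modinputs.cloud_app_security pos=utils.py:wrapper:72 "
    "| datainput=b'example_cas_files' start_time=1646031762 "
    '| message="Data input was interrupted by an unhandled exception."',
    'splunk_ta_o365.common.portal.O365PortalError: 401:{"detail":"Invalid token"}',
    "splunk_ta_o365.common.portal.O365PortalError: "
    '403:{"error":{"code":"CONSTRUCTED_CODE","message":"constructed"}}',
]

# Header lines name the data input; exception lines carry "<status>:<json body>".
DATAINPUT = re.compile(r"\bdatainput=b'([^']+)'")
PORTAL = re.compile(r"O365PortalError: (?P<status>\d{3}):(?P<body>\{.*\})\s*$")


def error_summary(body):
    """Return (code, message) for either error body shape, never raising."""
    try:
        data = json.loads(body)
    except ValueError:
        return None, body              # not JSON: keep the raw text
    if not isinstance(data, dict):
        return None, body
    err = data.get("error")
    if isinstance(err, dict):          # {"error": {"code": ..., "message": ...}}
        return err.get("code"), err.get("message")
    return None, data.get("detail")    # {"detail": "Invalid token"}


def triage(lines):
    """Attach each portal error to the most recently seen data input."""
    findings, current = [], None
    for line in lines:
        m = DATAINPUT.search(line)
        if m:
            current = m.group(1)
        m = PORTAL.search(line)
        if m:
            code, message = error_summary(m.group("body"))
            findings.append({"input": current, "status": int(m.group("status")),
                             "code": code, "message": message})
    return findings
```
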

rohit1793
SplunkTrust

Hey @jadengoho,

This is due to an access issue. After creating the token/Tenant ID, that token requires the read permission of the API graph.

Below is the Excel sheet you can refer to and ask the AD team to provide the read access to the token.

https://docs.google.com/spreadsheets/d/1YJAqNmcXZU-7O9CxVKupOkR6q2S8TXriMeLAUMYmMs4/edit#gid=0

One last thing: if all the permissions are up to the mark, check if the proxy is configured.

Rohit Joshi
Splunk Architect

Sarkis
New Member

Hi Rohit,

Any chance I can get access to this sheet please? It seems to fail when I request viewer access.

Much appreciated.

0 Karma

cbreitenstrom
Engager

Thank you @rohit1793, this spreadsheet is very helpful!

0 Karma