Monitoring Splunk
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on for 0365: Why am I receiving Invalid Token?

jadengoho
Builder
‎02-27-2022 11:27 PM

Hi , 
Why are we receiving this kind of issue on "o365:cas:api"
while the others listed below are working as expected.

  • o365:graph:api
  • o365:management:activity
  • o365:service:updateMessage

We didn't put a Cloud App Security Token in the tenant configuration since we already have the client secret, Tenant ID, Client Id, Tenant Subdomain and Tenant Data Center Is it needed for the "o365:cas:api" to work?

ERROR :

2022-02-28 07:02:42,801 level=ERROR pid=23110 tid=MainThread logger=splunk_ta_o365.modinputs.cloud_app_security pos=utils.py:wrapper:72 | datainput=b'at_rbi_cloud_microsoft_cloud_application_security_files' start_time=1646031762 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last): File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/utils.py", line 70, in wrapper return func(*args, **kwargs) File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/cloud_app_security.py", line 184, in run return consumer.run() File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/cloud_app_security.py", line 47, in run for message in reports.get(self._session): File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 639, in get raise O365PortalError(response) splunk_ta_o365.common.portal.O365PortalError: 401:{"detail":"Invalid token"}

2022-02-28 07:02:42,801 level=ERROR pid=23110 tid=MainThread logger=splunk_ta_o365.common.portal pos=portal.py:__init__:50 | datainput=b'at_rbi_cloud_microsoft_cloud_application_security_files' start_time=1646031762 | message="failed to get error code" body=b'{"detail":"Invalid token"}'
Traceback (most recent call last):
File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 44, in __init__
self._code = data['error']['code']
0 Karma
Reply

rohit1793
SplunkTrust
SplunkTrust
‎04-04-2022 04:40 AM

Hey @jadengoho , 

This is due to access issue ,After creating token/Tenant ID , That Token required the read permission of the API graph. 

Below the excel sheet you can refer and ask the AD team to provide the read access to the token. 

https://docs.google.com/spreadsheets/d/1YJAqNmcXZU-7O9CxVKupOkR6q2S8TXriMeLAUMYmMs4/edit#gid=0

One last things, if all the permission are up to mark check if the proxy is configured.

Rohit Joshi
Splunk Architect
Reply

cbreitenstrom
Engager
‎08-29-2024 04:10 AM

Thank you @rohit1793, this spreadsheat is very helpfull!

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...