Splunk Add-on for O365: Why am I receiving Invalid Token?

jadengoho
Builder

Hi,
Why are we receiving this kind of issue on "o365:cas:api" while the others listed below are working as expected?

  • o365:graph:api
  • o365:management:activity
  • o365:service:updateMessage

We didn't put a Cloud App Security Token in the tenant configuration since we already have the client secret, Tenant ID, Client Id, Tenant Subdomain and Tenant Data Center. Is it needed for the "o365:cas:api" to work?

ERROR:

2022-02-28 07:02:42,801 level=ERROR pid=23110 tid=MainThread logger=splunk_ta_o365.modinputs.cloud_app_security pos=utils.py:wrapper:72 | datainput=b'at_rbi_cloud_microsoft_cloud_application_security_files' start_time=1646031762 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunksdc/utils.py", line 70, in wrapper
    return func(*args, **kwargs)
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/cloud_app_security.py", line 184, in run
    return consumer.run()
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/modinputs/cloud_app_security.py", line 47, in run
    for message in reports.get(self._session):
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 639, in get
    raise O365PortalError(response)
splunk_ta_o365.common.portal.O365PortalError: 401:{"detail":"Invalid token"}

2022-02-28 07:02:42,801 level=ERROR pid=23110 tid=MainThread logger=splunk_ta_o365.common.portal pos=portal.py:__init__:50 | datainput=b'at_rbi_cloud_microsoft_cloud_application_security_files' start_time=1646031762 | message="failed to get error code" body=b'{"detail":"Invalid token"}'
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/splunk_ta_o365/bin/splunk_ta_o365/common/portal.py", line 44, in __init__
    self._code = data['error']['code']
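To see at a glance which data inputs are failing and with what HTTP status, the log format quoted above can be summarized with a short script. This is an added example, not part of the original post or of the add-on's code; the function name `summarize_portal_errors`, the input names and the sample lines are constructed for illustration.

```python
import json
import re
from collections import Counter

# Header line: "<timestamp> level=... | datainput=b'<name>' start_time=... | message=..."
HEADER = re.compile(r"^\d{4}-\d{2}-\d{2} [\d:,]+ level=\w+ .*?datainput=b'([^']+)'")
# Last traceback line: "...O365PortalError: <HTTP status>:<JSON body>"
PORTAL_ERROR = re.compile(r"O365PortalError: (\d{3}):(\{.*\})")


def summarize_portal_errors(lines):
    """Hypothetical helper: count O365PortalError hits per (data input, HTTP status, detail)."""
    counts = Counter()
    current_input = None  # input named by the most recent header line
    for line in lines:
        header = HEADER.search(line)
        if header:
            current_input = header.group(1)
        err = PORTAL_ERROR.search(line)
        if not err:
            continue
        try:
            body = json.loads(err.group(2))
        except json.JSONDecodeError:
            body = {}
        # The post shows {"detail": ...}; portal.py line 44 indexes
        # ['error']['code'], so accept that shape as well.
        error = body.get("error")
        code = error.get("code") if isinstance(error, dict) else None
        detail = body.get("detail") or code or "unparsed"
        counts[(current_input, int(err.group(1)), detail)] += 1
    return counts


# Constructed sample modelled on the log format in the post (not real output).
SAMPLE = """\
2022-02-28 07:02:42,801 level=ERROR pid=100 tid=MainThread logger=splunk_ta_o365.modinputs.cloud_app_security pos=utils.py:wrapper:72 | datainput=b'example_cas_files' start_time=1646031762 | message="Data input was interrupted by an unhandled exception."
Traceback (most recent call last):
splunk_ta_o365.common.portal.O365PortalError: 401:{"detail":"Invalid token"}
2022-02-28 07:03:10,115 level=INFO pid=101 tid=MainThread logger=constructed.logger pos=constructed.py:run:1 | datainput=b'example_mgmt_activity' start_time=1646031790 | message="constructed placeholder"
2022-02-28 07:07:42,910 level=ERROR pid=102 tid=MainThread logger=splunk_ta_o365.modinputs.cloud_app_security pos=utils.py:wrapper:72 | datainput=b'example_cas_files' start_time=1646032062 | message="Data input was interrupted by an unhandled exception."
splunk_ta_o365.common.portal.O365PortalError: 401:{"detail":"Invalid token"}
"""

if __name__ == "__main__":
    for (name, status, detail), n in summarize_portal_errors(SAMPLE.splitlines()).items():
        print(f"{name}: HTTP {status} {detail!r} x{n}")
```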

rohit1793
Explorer

Hey @jadengoho,

This is due to an access issue. After creating the token/Tenant ID, that token requires the read permission of the API graph.

Below is the Excel sheet you can refer to, and ask the AD team to provide the read access to the token.

https://docs.google.com/spreadsheets/d/1YJAqNmcXZU-7O9CxVKupOkR6q2S8TXriMeLAUMYmMs4/edit#gid=0

One last thing: if all the permissions are up to the mark, check if the proxy is configured.

Rohit Joshi
Splunk Architect

cbreitenstrom
Engager

Thank you @rohit1793, this spreadsheet is very helpful!
