Reporting

o365 Configuration

mailmetoramu
Explorer

Hello All,

Issue 1:

Looking at my configuration for O365 and we have everything enabled that we possibly can. I then checked the internal logs, and there is a message we are seeing pop up quite often which I will paste below. This indicates there may be a permissions issue in O365 that is not allowing us to pull certain events. The only documentation I can find on how to set that up is available here: https://docs.splunk.com/Documentation/AddOns/released/MSO365/ConfigureappinAzureAD

O365PortalError: 401:{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}

Issue 2 :

Also we are supposed to get an alert on "MaliciousEmailSubmission"when a user submitted phishing or malware email, even we are not getting that alert too.

Please let me know what may be issue here.

Thanks,

Ramu.R

Labels (1)
Tags (1)
0 Karma

ehowardl3
Path Finder

Check your Azure Active Directory licensing level. Microsoft's Azure Active Directory licensing requires either a Premium P1 or Premium P2 license to be able to pull event information through the Office 365 Management API. Microsoft does not grant permission to use the API to enable subscriptions for Free or Basic licensing options. Further information about Azure Active Directory licensing is available at: https://azure.microsoft.com/en-us/pricing/details/active-directory/

0 Karma

robinettdonWY
Path Finder

I saw this post... https://answers.splunk.com/answers/712405/splunk-add-on-for-o365.html

That states the

O365PortalError: 401:{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}

message is given if the optional DLP permissions are not granted.

I'm getting the same error and seeing no data. Right now I'm just trying to pull SharePoint Online audit data and have granted the following permissions.

Office 365 Management APIs (4)

ActivityFeed.Read  | Delegated |Read activity data for your organization | Yes |Granted for XXXX
ActivityReports.Read | Delegated | Read activity reports for your organization | Yes | Granted for XXXX 
ActivityReports.Read | Delegated | Read activity reports for your organization | Yes | Granted for XXXX
ServiceHealth.Read | Delegated | Read service health information for your organization | Yes | Granted for XXX

EDIT:
We fixed this and have data now; we missed applying the API permissions to the "Application Permissions" for the registered app and had only granted "Delegated Permissions"

mailmetoramu
Explorer

We currently have MS O365 EMS E3 License which includes Azure AD P1 licensing and enabled to all E3 licenses users.

0 Karma

robinettdonWY
Path Finder

I'm also seeing this issue. Since you use a Azure AD Registered App to grant access to the API and and P1 and P2 licenses are user account based; how would give a P1 license to a registered app?

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...