Phantom MS Graph API for office 365

aiyede
Engager

Hi there, we are trying to configure MS Graph API for Office 365 to process emails from mailboxes. Created an Azure Enterprise Application and gave the required API access to the application. The administrator has done the consent in the Azure portal. However, when we try to connect to the app, it's still asking us to do the 'test connection' and asks for admin consent. Is this a bug? And is there a way to use the Phantom app without this consent being done via the app (instead being done in the Azure portal)? Thanks

Iñigo
Explorer

Is there any update about this behaviour?
We have had an application generated, given it adequate permissions in the Azure Portal and had an admin give their consent. No matter what, the app doesn't connect.

We observed that the Azure application was granted "Application" type permissions by the admin (as required for our needs) but, during the test connectivity process, the SOAR Graph app asks for "Delegated" type permissions. There is no place in the asset settings to define the permission type the app asks for and, in our context, "Delegated" isn't acceptable.

Also, even though the admin has already given consent to the Azure app, the consent is asked for once again through the login portal. @lluebeck_splunk The token is written into the asset's internal state file, but these files get frequently corrupted in many apps, so constant connectivity tests are needed.
@enfinality57 We are getting this error on a daily basis: "Error occurred while loading the state file due to its unexpected format. Resetting the state file with the default format." and the token information gets lost.

From what I see in the source code this state file corruption happens in several connectors.

These kinds of errors should raise some kind of alert or appear somewhere in the system health, given their impact on functionality, or at least be documented so external monitoring can be set up to take care of them.

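One way to see, from the defender's side, why an admin grant of "Application" permissions does not satisfy a test connectivity that runs the delegated sign-in flow: Entra ID (Azure AD) access tokens carry delegated scopes in the `scp` claim and application permissions in the `roles` claim, so the two flows produce tokens with different claims even for the same mailbox permissions. The script below is an added example, not code from the SOAR MS Graph app or from Splunk; the sample tokens are constructed and unsigned, and the inspector assumes only those two standard claim names.

```python
import base64
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def permission_type(token: str) -> dict:
    """Inspect an Entra ID access token payload and report which permission
    claims it carries: 'scp' lists delegated scopes (user sign-in flow),
    'roles' lists application permissions (client-credentials flow).
    The signature is deliberately NOT verified: this is triage, not authz."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three segments")
    payload = json.loads(_b64url_decode(parts[1]))
    scp = payload.get("scp")
    delegated = scp.split() if isinstance(scp, str) else []
    application = list(payload.get("roles") or [])
    if application and not delegated:
        kind = "application"
    elif delegated and not application:
        kind = "delegated"
    elif delegated and application:
        kind = "mixed"
    else:
        kind = "none"
    return {"type": kind, "delegated": delegated, "application": application}


def _constructed_token(payload: dict) -> str:
    # Constructed, unsigned sample token (alg "none"), for this example only.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


# Constructed samples: what a user-consent (delegated) flow returns versus a
# client-credentials (application) flow, for the same mailbox permissions.
DELEGATED_TOKEN = _constructed_token({"aud": "https://graph.microsoft.com", "scp": "Mail.Read Mail.ReadWrite"})
APPLICATION_TOKEN = _constructed_token({"aud": "https://graph.microsoft.com", "roles": ["Mail.Read", "Mail.ReadWrite"]})

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED_TOKEN), ("application", APPLICATION_TOKEN)):
        print(name, permission_type(tok))
```

Running `permission_type` on the token the SOAR asset actually obtained shows which consent the tenant admin must have granted for it; a token with only `scp` will never be satisfied by an Application-type grant in the portal.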

lluebeck_splunk
Splunk Employee

To answer your question: No, this is the intended way to get this connection verified and established. By doing so, a token will be generated and some information will be written to a Phantom internal state file.

enfinality57
Engager

So if this is the intended method of the MS Graph API, does this have to be done once a day? Once a week? Or every time you want to use the app within Phantom? What if you have a playbook using this app daily, automatically?