Splunk SOAR (f.k.a. Phantom)

Phantom MS Graph API for office 365

aiyede
Engager

Hi there, we are trying to configure MS Graph API for Office 365 to process emails from mailboxes. We created an Azure Enterprise Application and gave the required API access to the application. The administrator has done the consent in the Azure portal. However, when we try to connect to the app, it’s still asking to do the ‘test connection’ and asking for admin consent. Is this a bug? And is there a way to use the Phantom app without this consent being done via the app (instead being done in the Azure portal)? Thanks.


Iñigo
Explorer

Is there any update about this behaviour?
We have had an application generated, given adequate permissions in Azure Portal and had an admin give their consent. No matter what, the app doesn't connect.

We observed that the Azure application was granted "Application" type permissions by the admin (as required for our needs), but during the test connectivity process the SOAR's Graph app asks for "Delegated" type permissions. There is no place in the asset settings to define the permission type the app is asking for and, in our context, "Delegated" isn't acceptable.

Also, even though the admin has already given consent to the Azure app, the consent is asked for once again through the login portal. @lluebeck_splunk The token is written into the asset internal state file, but these files get frequently corrupted in many apps, so constant connectivity tests are needed.
@enfinality57 We are getting this error on a daily basis: "Error occurred while loading the state file due to its unexpected format. Resetting the state file with the default format." and token information gets lost.

From what I see in the source code this state file corruption happens in several connectors.

These kinds of errors should raise some kind of alert or appear somewhere in the system health given their impact on functionality, or at least be documented so external monitoring can be set up to take care of them.

0 Karma
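As an added example, not part of this thread or of the SOAR app's own code, this is the kind of external monitoring the post above asks for: scanning app log lines for the state-file reset message quoted in the post, and validating a state file before a playbook depends on the token it holds. The log line format and the state file layout (a JSON object with a token carrying an `expires_on` epoch) are assumptions; the sample log lines are constructed.

```python
import json
import re
import time

# The exact message reported in the thread; only the match is on it, the log framing is assumed.
STATE_RESET_MSG = "Error occurred while loading the state file due to its unexpected format"

# Constructed sample log lines in an assumed "<date> <time> <level> <app>: <message>" format.
SAMPLE_LOG = """\
2023-03-01 08:00:01 INFO msgraph_office365: test connectivity passed
2023-03-02 08:00:02 ERROR msgraph_office365: Error occurred while loading the state file due to its unexpected format. Resetting the state file with the default format.
2023-03-02 08:00:03 INFO msgraph_office365: Resetting the state file with the default format.
2023-03-03 08:00:04 ERROR other_connector: Error occurred while loading the state file due to its unexpected format. Resetting the state file with the default format.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>\w+) (?P<app>[\w-]+): (?P<msg>.*)$")


def find_state_resets(log_text):
    """Return (timestamp, app) for every line that reports a state-file reset.

    Each hit means a stored token was discarded and the next action will fail
    until someone re-runs test connectivity, so each one is worth an alert."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and STATE_RESET_MSG in m.group("msg"):
            hits.append((m.group("ts"), m.group("app")))
    return hits


def check_state_file(raw, now=None):
    """Classify a state file's contents as 'corrupt', 'no_token', 'expired' or 'ok'.

    Assumes the file is a JSON object with a "token" object holding "access_token"
    and an "expires_on" Unix timestamp; that layout is an assumption for this
    example, not the app's documented format."""
    now = time.time() if now is None else now
    try:
        state = json.loads(raw)
    except (ValueError, TypeError):
        return "corrupt"          # unparseable file: the app would reset it and lose the token
    token = state.get("token") if isinstance(state, dict) else None
    if not token or not token.get("access_token"):
        return "no_token"         # valid JSON but nothing to authenticate with
    if token.get("expires_on", 0) <= now:
        return "expired"          # token present but no longer usable without a refresh
    return "ok"
```

Run `find_state_resets` over the app's log on a schedule and `check_state_file` against each asset's state file shortly before scheduled playbooks, so a lost token is noticed before the playbook fails.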

lluebeck_splunk
Splunk Employee

To answer your question: No, this is the intended way to get this connection verified and established. By doing so a token will be generated and some information will be written to a Phantom internal state file.

0 Karma

enfinality57
Engager

So if this is the intended method of the MS Graph API, does this have to be done once a day? Once a week? Or every time you want to use the app within Phantom? What if you have a playbook using this app daily, automatically?
