2.01 signins worked for 12 hours and then stop wit...

jptousignant · ‎11-12-2019

Hello,

the version 2.01 is the only one I installed. I configured signins and audit and the data started flowing. 12 hours after, signin source started returning 403 forbiden while audit source continued to work.

tried to figure out what the problem was. Decided to wipe everything off and to start from scratch to configure only signins logs and it stills not work.

I have no clue where to go from here, anyone with similar experiences ?

Not sure where to look for help. Here's the full error:

2019-11-12 18:02:58,198 ERROR pid=66637 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/modinput_wrapper/base_modinput.py", line 127, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_signins.py", line 84, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_signins.py", line 77, in collect_events
    sign_ins = azutils.get_items(helper, access_token, url)
  File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 33, in get_items
    raise e
HTTPError: 403 Client Error: Forbidden for url: https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...

jptousignant · ‎12-22-2019

The same issue came back after a week without change to the setup.

jptousignant · ‎12-18-2019

Update to 2.02 fixed the problem.

2.01 signins worked for 12 hours and then stop with 403 forbiden errors.

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases