Re: microsoft azure add-on for Splunk is unable to...

ashikuma · ‎12-23-2019

microsoft azure add-on for Splunk is unable to pull ad risky sign-on logs

if we look for internal logs , getting below mentioned events frequently , didn't see any issue but still we are not seeing any data.

2019-12-23 14:44:18,779 DEBUG pid=28967 tid=MainThread file=connectionpool.py:new_conn:809 | Starting new HTTPS connection (1): graph.microsoft.com
2019-12-23 14:44:18,772 INFO pid=28967 tid=MainThread file=setup_util.py:log_info:114 | Proxy is not enabled!
2019-12-23 14:44:18,772 DEBUG pid=28967 tid=MainThread file=base_modinput.py:log_debug:286 | _Splunk Getting proxy server.
2019-12-23 14:44:18,772 DEBUG pid=28967 tid=MainThread file=base_modinput.py:log_debug:286 | Splunk nextLink URL (@odata.nextLink): https://graph.microsoft.com/beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+...
2019-12-23 14:44:18,134 DEBUG pid=28967 tid=MainThread file=connectionpool.py:_make_request:400 | https://graph.microsoft.com:443 "GET /beta/auditLogs/signIns?$orderby=createdDateTime&$filter=createdDateTime+gt+2019-12-22T14%3a42%3a44.517899Z+and+createdDateTime+le+2019-12-23T14%3a35%3a44.819576Z&$skiptoken=*****************************_16000 HTTP/1.1" 200 None

dave_null · ‎04-09-2021

1. Are you getting any logs at all from this app? Whether sign ins, users, directory audit, risk detections, or directory devices?

2. Are you using the latest version of the app?

3. Are you using a proxy in your environment? I see from the message that it is not using a in the app, but if a proxy is blocking your internet access then this could make a problem.

4. Have you double-checked your Tenant ID, Client ID, and Client Secret (the latter two are for your App Registration which must have the required permissions https://docs.google.com/spreadsheets/d/1YJAqNmcXZU-7O9CxVKupOkR6q2S8TXriMeLAUMYmMs4/edit?usp=sharing )

JimboSlice · ‎04-09-2021

OK so he added the permission, now seen this error on a one-off basis:

2021-04-09 13:56:10,464 ERROR pid=136881 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
self.collect_events(ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/MS_AAD_user.py", line 76, in collect_events
input_module.collect_events(self, ew)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/input_module_MS_AAD_user.py", line 36, in collect_events
users_response = azutils.get_items_batch(helper, access_token, url)
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 55, in get_items_batch
raise e
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_azure_utils/utils.py", line 49, in get_items_batch
r.raise_for_status()
File "/opt/splunk/etc/apps/TA-MS-AAD/bin/ta_ms_aad/aob_py3/requests/models.py", line 940, in raise_for_status
raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://graph.microsoft.com/beta/users/

JimboSlice · ‎04-09-2021

Hi Dave, thanks for the fast response.

I have been given the details from devops for logins, we still need to set permissions etc on the azure side, but expecting an error detailing this, when it does happen.

The version we're using is not the latest, its the one before as we're using it for eventhubs right now, so we cant bump it up.

We're running on S8 and dont use a proxy, proxy is disabled, we do however have URL whitelisting on our firewalls.

Can you please confirm the URLs that are used for obtaining AAD Users?

I've asked devops to check for anything on the azure side.

Thanks

J

JimboSlice · ‎04-09-2021

Hi, i have the same issue, what was your resolution?

microsoft azure add-on for Splunk is unable to pull ad risky sign-on logs

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases