jorritfolmer / TA-dmarc

Add-on for ingesting DMARC aggregate reports into Splunk
https://splunkbase.splunk.com/app/3752

Office 365 Azure configuration #47

Open diogofgm opened 1 year ago

diogofgm commented 1 year ago

I'm trying to set up an input for OAuth2 to connect to an Office 365 email account without success.

I'm using the user and password for the account and in the input I'm using the right tenant in the OAuth2 authority.

Errors I'm getting from Splunk:

2023-02-10 17:22:13,325 ERROR pid=21961 tid=MainThread file=base_modinput.py:log_error:309 | get_dmarc_messages: No access token found for client ID: dmarc.report.failures@REDACTED.XXX - result {'error': 'unauthorized_client', 'error_description': "AADSTS700016: Application with identifier 'dmarc.report.failures' was not found in the directory 'REDACTED'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: xxxxxxxx-xxxx-xxxx-xxxx-7c5069335800\r\nCorrelation ID: xxxxxxxx-xxxx-xxxx-xxxx-ae9665091ecd\r\nTimestamp: 2023-02-10 17:22:13Z", 'error_codes': [700016], 'timestamp': '2023-02-10 17:22:13Z', 'trace_id': 'xxxxxxxx-xxxx-xxxx-xxxx-7c5069335800', 'correlation_id': 'xxxxxxxx-xxxx-xxxx-xxxx-ae9665091ecd', 'error_uri': 'https://login.microsoftonline.com/error?code=700016'}

Followed by:

2023-02-10 17:22:13,328 ERROR pid=21961 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-dmarc/bin/ta_dmarc/aob_py3/modinput_wrapper/base_modinput.py", line 128, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-dmarc/bin/dmarc_imap_oauth2.py", line 104, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-dmarc/bin/input_module_dmarc_imap_oauth2.py", line 93, in collect_events
    filelist = i2d.process_incoming()
  File "/opt/splunk/etc/apps/TA-dmarc/bin/dmarc/imap2dir.py", line 344, in process_incoming
    messages = self.get_dmarc_messages()
  File "/opt/splunk/etc/apps/TA-dmarc/bin/dmarc/imap2dir.py", line 161, in get_dmarc_messages
    info = self.server.select_folder(self.opt_imap_mailbox)
  File "/opt/splunk/etc/apps/TA-dmarc/bin/imapclient/imapclient.py", line 763, in select_folder
    self._command_and_check('select', self._normalise_folder(folder), readonly)
  File "/opt/splunk/etc/apps/TA-dmarc/bin/imapclient/imapclient.py", line 1666, in _command_and_check
    typ, data = meth(args)
  File "/opt/splunk/lib/python3.7/imaplib.py", line 745, in select
    typ, dat = self._simple_command(name, mailbox)
  File "/opt/splunk/lib/python3.7/imaplib.py", line 1196, in _simple_command
    return self._command_complete(name, self._command(name, args))
  File "/opt/splunk/lib/python3.7/imaplib.py", line 944, in _command
    ', '.join(Commands[name])))
imaplib.IMAP4.error: command SELECT illegal in state NONAUTH, only allowed in states AUTH, SELECTED

What configuration do I need to do on the Azure side to properly set this up?

hkelley commented 1 year ago

The OAuth2 input uses client ID and secret (from an Azure service principal), not username and password.

diogofgm commented 1 year ago

Yes, I've used a client ID and secret in the account configuration, but I get a login failed message in the Splunk logs. There is probably something missing in the Azure app configuration. I'll update if I get some progress with this.

hkelley commented 1 year ago

I'd start by checking the Azure AD sign-in logs for your service principal. There were definitely a few setup steps when I set mine up. If memory serves, this was the page that helped me.

https://www.limilabs.com/blog/oauth2-client-credential-flow-office365-exchange-imap-pop3-smtp
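As an added illustration, not code from the TA-dmarc project: the client-credentials flow hkelley describes, with a guard for the mistake visible in the first log line (an address like `dmarc.report.failures@...` passed where the app registration's Application (client) ID GUID belongs, which is what AADSTS700016 complains about) and the XOAUTH2 string that IMAP `AUTHENTICATE` needs before any `SELECT` can succeed. The token endpoint, scope and XOAUTH2 layout are Microsoft's documented values; the function names and the sample tenant, client ID and token are constructed for this example.

```python
import uuid
from urllib.parse import urlencode

# Microsoft identity platform v2.0 token endpoint and the Exchange Online IMAP
# scope used by the client-credentials grant (not values taken from TA-dmarc).
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
IMAP_SCOPE = "https://outlook.office365.com/.default"


def check_client_id(client_id: str) -> None:
    """Refuse anything that is not an Application (client) ID GUID.
    The issue's AADSTS700016 error is what Azure AD returns when the
    mailbox address is sent in this field instead of the app's GUID."""
    try:
        uuid.UUID(client_id)
    except ValueError:
        raise ValueError(
            f"client ID {client_id!r} is not an Application (client) ID GUID; "
            "use the GUID from the Azure app registration, not the mailbox address"
        )


def build_token_request(tenant: str, client_id: str, client_secret: str):
    """Return (url, form_body) for the client-credentials grant.
    No username/password is sent: the app registration authenticates itself."""
    check_client_id(client_id)
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": IMAP_SCOPE,
    })
    return TOKEN_URL.format(tenant=tenant), body


def xoauth2_string(mailbox: str, access_token: str) -> bytes:
    """SASL XOAUTH2 initial response: the mailbox to open plus the bearer token,
    separated by 0x01. Hand it to imaplib as
    imap.authenticate("XOAUTH2", lambda _: xoauth2_string(mailbox, token));
    imaplib base64-encodes it. Until AUTHENTICATE succeeds the session stays
    in NONAUTH, which is exactly the SELECT error in the traceback above."""
    return f"user={mailbox}\x01auth=Bearer {access_token}\x01\x01".encode()


if __name__ == "__main__":
    # Constructed sample values; no network call is made here.
    url, body = build_token_request(
        "contoso.onmicrosoft.com", "12345678-1234-1234-1234-123456789abc", "secret")
    print(url, body, xoauth2_string("dmarc@contoso.com", "eyJ0eXAi.example"))
```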