When trying to set up a new Microsoft Graph API log source, the following error appears:
failed api response - http status: 403 Forbidden code: UnknownError or Internal Server Error
How can I fix this?
First, check that you are not accidentally using the client Secret ID instead of the actual secret value. Microsoft labels the identifier “Secret ID” in the portal, but the token generation process requires the secret value itself, not the ID. If you have confirmed that this is not the case, continue with the following resolution steps:
Start by checking the following parameters:
Verify whether the credentials have expired or been changed. This is the first parameter to investigate.
Refer to the documentation's Prerequisites section, which recommends using an application-only authentication token. Make sure the token being used satisfies this requirement.
Confirm that the token has both Delegated permissions with SecurityEvents.Read.All and Application permissions with SecurityEvents.Read.All.
Detailed instructions for this process can be found at Step 1: Create an Azure AD application in the documentation.
Ensure that an admin has granted permissions (authorized) to the App Registration. Note that the person creating the App Registration may not always be the same person adding the data source to Panther.
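The three token checks above (expiry, application-only versus delegated, and the SecurityEvents.Read.All permission) can be verified before the token is ever handed to the log source by decoding the access token's payload. The following Python script is an added diagnostic example, not Panther's or Microsoft's own code. It decodes an unsigned copy of the JWT payload (no signature validation, since the point is to inspect the claims, not to trust them) and reports which of the troubleshooting conditions apply; it also classifies the token endpoint's error response for the Secret ID versus secret value mistake, using Microsoft's documented AADSTS7000215 error code. The sample tokens and responses are constructed inline for offline use.

```python
"""Inspect a Microsoft Graph access token before configuring a Graph log source.

Added diagnostic example (not Panther's code). Decodes the JWT payload without
verifying the signature and reports the conditions the resolution steps ask
about: expiry, application-only vs delegated, and SecurityEvents.Read.All.
"""
import base64
import json
import time

REQUIRED_PERMISSION = "SecurityEvents.Read.All"
# Either form identifies Microsoft Graph as the token audience.
GRAPH_AUDIENCES = ("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_graph_token(token: str, now=None) -> list:
    """Return a list of findings; an empty list means the token looks usable."""
    now = time.time() if now is None else now
    claims = decode_jwt_payload(token)
    findings = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        findings.append("audience is not Microsoft Graph")
    if claims.get("exp", 0) <= now:
        findings.append("token has expired; check whether the secret was rotated")
    roles = claims.get("roles", [])          # application permissions live here
    scp = claims.get("scp", "")              # delegated permissions live here
    if scp and not roles:
        findings.append("delegated token (scp claim); an application-only token is required")
    if REQUIRED_PERMISSION not in roles:
        findings.append(f"{REQUIRED_PERMISSION} missing from roles; check Application permissions and admin consent")
    return findings


def explain_token_error(response: dict) -> str:
    """Map a token endpoint error body to the likely misconfiguration."""
    err = response.get("error", "")
    desc = response.get("error_description", "")
    # AADSTS7000215 is Microsoft's code for an invalid client secret, which is
    # what you get when the Secret ID is pasted instead of the secret value.
    if err == "invalid_client" and "AADSTS7000215" in desc:
        return "client secret rejected: paste the secret VALUE, not the Secret ID"
    return f"token request failed: {err or 'unknown error'}"


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned token for offline demonstration only.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


# Constructed sample claim sets (hypothetical tenant/app identifiers).
NOW = 1_700_000_000
GOOD_CLAIMS = {"aud": "https://graph.microsoft.com", "exp": NOW + 3600,
               "appid": "00000000-0000-0000-0000-000000000001",
               "roles": ["SecurityEvents.Read.All"]}
DELEGATED_CLAIMS = {"aud": "https://graph.microsoft.com", "exp": NOW + 3600,
                    "scp": "SecurityEvents.Read.All User.Read"}
EXPIRED_CLAIMS = {"aud": "https://graph.microsoft.com", "exp": NOW - 60,
                  "roles": ["Directory.Read.All"]}
SECRET_ID_ERROR = {"error": "invalid_client",
                   "error_description": "AADSTS7000215: Invalid client secret provided."}


if __name__ == "__main__":
    for name, claims in [("good", GOOD_CLAIMS), ("delegated", DELEGATED_CLAIMS),
                         ("expired", EXPIRED_CLAIMS)]:
        print(name, check_graph_token(make_sample_token(claims), now=NOW) or ["OK"])
    print(explain_token_error(SECRET_ID_ERROR))
```

Run it against a real token by pasting the access token into make_sample_token's place (the decoder accepts any three-segment JWT); an application-only token obtained with the client_credentials grant should produce no findings, while a token acquired through an interactive sign-in shows the delegated finding.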
Additionally, if you want to receive logs from a restricted user instead of the admin account, follow these additional steps:
Create a new user with the Security Reader role.
In the app registration, add the security user as an owner.
Recreate the Microsoft Graph log source by following these steps:
Input the necessary credentials and proceed until the following screen is displayed.
Ensure that you log in using the credentials of the security user.
Note: If you run into an Internal Server Error after granting access, retry copying and pasting the Client ID and Secret.
This issue can occur when an admin has not granted permissions to the App Registration. The individual creating the App Registration is not always the same individual adding the data source to Panther.