Error Logs Ingestion API into Sentinel

Conrad, Steve 0

Logs ingestion API implementation no data is being ingested in Sentinel from the 3rd party Rest client. I enabled the DCR logs today the message being returned is 'Could not validate token because: InvalidAudience'.

Conrad, Steve 0 Reputation points

2024-10-04T02:53:10.3633333+00:00

Could the error be from I have another data source using the same DCR and token and the solution is create a 2nd DCR and 2nd App Registration.
Andrew Blumhardt 9,861 Reputation points Microsoft Employee

2024-10-09T11:29:13.6+00:00

This is hard to answer without more information. Could you share more information, possibly your token request code. I expect the token request is incorrect, or the token has issues. Maybe the app registration permissions have not been authorized.
Conrad, Steve 0 Reputation points

2024-10-09T13:26:20.12+00:00

It is very odd from the 3rd party app I can do a JSON array file test it successfully ingests the data over REST API/DCR. If I do a batch manually it ingests the data. However, when set to automatic ingestion over REST API/DCR immediately 401 error/''Invalid Audience. We tried changing the API version but did not make a difference. I do not understand sending manually successfully, but auto 401 unauthorized access.

I am assuming if manually transmission is successful than the DCE, DCR, App Registration & permissions, and Event fields match Sentinel and correct. Is there anything I can do get insight of the packets being sent from service/source to service destination? Do not know if you are open to it, but I could demo the issue to you in a Teams call. Another thought I wanted to run by you we have other transmissions using the same DCR configuration & token, but different table. Should I think about creating a separate DCR for this use case?
Givary-MSFT 33,001 Reputation points Microsoft Employee

2024-10-10T12:52:59.0166667+00:00

@Conrad, Steve It is indeed odd that the data is being ingested successfully when done manually or through a JSON array file test, but not when set to automatic ingestion over REST API/DCR.

Regarding your question about getting insight into the packets being sent from the service/source to the service destination, you can try using a network traffic analyzer tool such as Wireshark to capture and analyze the network traffic. This can help you identify any issues with the network traffic that may be causing the 401 unauthorized access error.

Regarding your question about creating a separate DCR for this use case, it may be worth considering if the other transmissions using the same DCR configuration and token are not affected by the same issue. However, before creating a separate DCR, you may want to investigate further to identify the root cause of the issue by creating a support ticket with our team, if in case you dont have the support contract feel free to share the Azure subscription id over the private message where we enable a support option for you.
Conrad, Steve 0 Reputation points

2024-10-10T14:05:21.9633333+00:00

We have a case open, but I also wanted to post the issue to the community to get feedback and see if someone has come across identical scenario.

The Source REST API allows Api versions: 2023-01-01,2021-11-01-preview, the DCR when I open it in Json view it displays 6 API versions, but I don’t see the same versions.

What does DCR do when the versions don’t match does it default to one of the versions listed or what is the behavior?

Thanks
Givary-MSFT 33,001 Reputation points Microsoft Employee

2024-10-11T09:34:12.3666667+00:00

@Conrad, Steve Please help us with the case number to track this issue internally.
Andrew Blumhardt 9,861 Reputation points Microsoft Employee

2024-10-11T12:08:47.3533333+00:00

I assume you are using an App Registration to create the key and permissions for you API call. I still think this might not be authorized or properly permissioned. When you run this manually, is it using the same key or credentials?
Benjamin Casazza 0 Reputation points

2024-10-22T15:41:45.0433333+00:00

I had the same error and fixed it by making a small change to my URI in use when getting the access token. I was originally using this URI to get the access token:
https://login.microsoftonline.com/<your tenant id>/oauth2/token

I fixed it by updating the access token URI to this:

https://login.microsoftonline.com/<your tenant id>/oauth2/v2.0/token
Conrad, Steve 0 Reputation points

2024-10-24T22:23:13.7+00:00

Thanks for everyone's responses after further analysis it was not App Registration nor DCR or DCE configuration it was due to Sentinel wasn't happy when the payload included the fields that contained __headers. Once we cleaned up invalid fields the data started ingesting in Sentinel's SecurityEvent Tables and the DCR errors stopped.

2 answers

Conrad, Steve 0 Reputation points

2024-10-11T14:24:47.3966667+00:00

Case number - TrackingID#2410040040004608

App Registration to create the key and permissions for you API call. The App Registration is configured using clientid and secret, which is used for several of the data sources connecting to the DCR.

What permissions are you referring to for me to verify?

Regards,
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Givary-MSFT 33,001 Reputation points Microsoft Employee

2024-10-28T09:39:42.61+00:00

@Conrad, Steve Apologies for the delay in resolving this and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your steps which you shared in case you'd like to "Accept " the answer.

Issue: Logs ingestion API implementation no data is being ingested in Sentinel from the 3rd party Rest client. I enabled the DCR logs today the message being returned is 'Could not validate token because: InvalidAudience'.

Resolution: @Conrad, Steve worked with our support team on this case - 2410040040004608
after further analysis it was not App Registration nor DCR or DCE configuration it was due to Sentinel wasn't happy when the payload included the fields that contained __headers. Once they cleaned up invalid fields the data started ingesting in Sentinel's SecurityEvent Tables and the DCR errors stopped.

If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Please sign in to rate this answer.
Conrad, Steve 0 Reputation points

2024-10-28T14:48:43.1133333+00:00

I cannot give MS the credit for the solution that was found with the help of a 3rd party vendor. However, I do appreciate the feedback I received from the community.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Error Logs Ingestion API into Sentinel

2 answers

Your answer