NetWitness Azure graph security event source test connection fails with 403 Client Error
Article Number
000039833
Applies To
RSA Product Set: RSA NetWitness Platform
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 11.X
Platform: CentOS
O/S Version: 7
Issue
The Azure Graph Security event source was configured using the Azure Security Alerts Configuration guide. The test connection fails with the error below.
Access Denied Exception Received: 403 Client Error: Forbidden for url: https://graph.microsoft.com/v1.0/security/alerts?$filter=lastModifiedDateTime%20ge%202021-08-17T10:27:43Z%20and%20lastModifiedDateTime%20lt%202021-08-17T10:32:43Z&$orderby=lastModifiedDateTime&$count=true
Cause
This issue is caused by an incorrect permission type on the Azure side, as described below.
Resolution
Follow the steps below to get a successful test connection for Azure Graph Security.
- Log in to Azure and change the API permission type from Delegated to Application.
- Then run the test connection in the NetWitness Collector for the event source; it will succeed without error.
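A check that distinguishes the two permission types, as an added example that is not part of the original article or of NetWitness code: Application permissions appear in an access token's roles claim, Delegated permissions in scp. It assumes the event source authenticates app-only (client credentials) and that the required permission is SecurityEvents.Read.All; the tokens are constructed samples and the function names are hypothetical.

```python
import base64
import json

REQUIRED = "SecurityEvents.Read.All"  # assumed permission; use the one your guide lists

def _seg(obj):
    """Encode a dict as an unpadded base64url JWT segment (for sample tokens)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def jwt_claims(token):
    """Return a JWT's payload claims. The signature is NOT verified: this is
    for inspecting a token you requested yourself, not for trusting one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(body))

def diagnose(token, required=REQUIRED):
    """Report how `required` appears in the token the event source would present."""
    claims = jwt_claims(token)
    roles = claims.get("roles", [])          # Application permissions
    scopes = claims.get("scp", "").split()   # Delegated permissions
    if required in roles:
        return "ok: granted as an Application permission"
    if required in scopes:
        return "delegated: user token, permission is present only in scp"
    return "missing: no Application permission in token, expect 403 Forbidden"

# Constructed sample tokens (unsigned, not issued by Azure AD).
_HDR = _seg({"typ": "JWT", "alg": "none"})
_AUD = "https://graph.microsoft.com"
TOKEN_APPLICATION = ".".join([_HDR, _seg({"aud": _AUD, "roles": [REQUIRED]}), "sig"])
TOKEN_DELEGATED_ONLY = ".".join([_HDR, _seg({"aud": _AUD}), "sig"])  # app-only, no roles
TOKEN_USER = ".".join([_HDR, _seg({"aud": _AUD, "scp": "User.Read " + REQUIRED}), "sig"])

if __name__ == "__main__":
    for name in ("TOKEN_APPLICATION", "TOKEN_DELEGATED_ONLY", "TOKEN_USER"):
        print(name, "->", diagnose(globals()[name]))
```

An app registration that holds the permission only as Delegated yields an app-only token with no roles claim, which is the "missing" case here and matches the 403 in this article.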