Troubleshooting
Problem
Cause
Resolving The Problem
1. How to retrieve the access token
- SSH to the QRadar console.
- Optional. If the Target Event Collector is a different host than the QRadar console, SSH to that QRadar host.
- Run the following command to pull the access token.
• Replace the <client secret>, <client ID>, and <tenant ID> with the corresponding information.
• In some cases, the URLs login.microsoftonline.com and manage.office.com are different. Confirm the URL with your Microsoft Office admin.
curl -d "client_secret=<client secret>&resource=https://manage.office.com&client_id=<client_id>&grant_type=client_credentials" -X POST https://login.windows.net/<tenant id>/oauth2/token
Output example for correct credentials:
{"token_type":"Bearer","expires_in":"3599","ext_expires_in":"3599","expires_on":"1591045524","not_before":"1591041624","resource":"https://manage.office.com","access_token":"eyJ0exxxx"}
Note: The access token displayed in this example, eyJ0exxxx, is shortened.
- If you get the error code 7000215:
{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'xxxx'.\r\nTrace ID: xxx\r\nCorrelation ID: 1324567890\r\n Timestamp: 2022-09-22 13:44:16Z","error_codes":[7000215],"timestamp":"2022-09-22 13:44:16Z", "trace_id":"xxx","correlation_id":"xxx","error_uri":"https://login.microsoftonline.com/error?code=7000215"}
Result
If the credentials are correct, the token is displayed in the output.
2. How to stop and start a subscription
curl -d "" -H "Authorization: Bearer <access token>" -X POST https://manage.office.com/api/v1.0/<tenant id>/activity/feed/subscriptions/start?contentType=Audit.AzureActiveDirectory
curl -d "" -H "Authorization: Bearer <access token>" -X POST https://manage.office.com/api/v1.0/<tenant id>/activity/feed/subscriptions/stop?contentType=Audit.AzureActiveDirectory
If you get the error Authorization has been denied:
{"Message":"Authorization has been denied for this request."}
This error is displayed when the administrator tries to start the subscription. Ensure the URLs used to pull the token are correct.
Result
The administrator is able to start or stop a subscription by using the access token.
3. How to retrieve events from the server
To retrieve events from Microsoft Office 365 by using the token, run the following command. Replace <access token> with the Access Token:
curl -d "" -H "Authorization: Bearer <access token>" -X GET https://manage.office.com/api/v1.0/<tenant id>/activity/feed/subscriptions/content?contentType=Audit.AzureActiveDirectory
- Exchange: contentType=Audit.Exchange
- SharePoint: contentType=Audit.SharePoint
- DLP.All: contentType=DLP.All
If you get the error code AF10001:
{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}
This error occurs when the events are retrieved and means that the permissions are not set correctly. In order for QRadar to pull events, the following permissions are required:
- Activity Feed
- ActivityFeed.Read
- ActivityFeed.ReadDlp
- ServiceHealth
- ServiceHealth.Read
Result
The administrator is able to pull events from Microsoft Office 365 by using the token. For more information, see Office 365 Management Activity API reference.
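The three steps above, as an added worked example that is not part of the IBM document or of QRadar's own code: a small Python client that issues the same token request, subscription start/stop and content-list calls as the curl commands, and maps the three error bodies quoted above (AADSTS7000215, "Authorization has been denied", AF10001) to the diagnosis the document gives for each. The class and function names are hypothetical, the HTTP transport is injectable so the flow can be exercised offline, and the sample responses are constructed from the bodies quoted in this document.

```python
"""Office 365 Management Activity API troubleshooting client (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request

LOGIN_URL = "https://login.windows.net"   # token endpoint host used by the document's curl command
RESOURCE = "https://manage.office.com"    # resource / API host used by the document's curl commands
CONTENT_TYPES = ("Audit.AzureActiveDirectory", "Audit.Exchange", "Audit.SharePoint", "DLP.All")


def urllib_transport(method, url, headers, body):
    """Live transport: returns (status, body_text). HTTP errors are returned, not raised,
    so the caller can classify the error body exactly as an operator reading curl output would."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def diagnose(payload):
    """Map the error bodies quoted in the document to the document's own diagnosis."""
    if payload.get("error") == "invalid_client" or 7000215 in payload.get("error_codes", []):
        return "AADSTS7000215: send the client secret value, not the client secret ID"
    if payload.get("Message", "").startswith("Authorization has been denied"):
        return "Authorization denied: check the login/resource URLs used to pull the token"
    err = payload.get("error")
    if isinstance(err, dict) and err.get("code") == "AF10001":
        return "AF10001: grant ActivityFeed.Read, ActivityFeed.ReadDlp and ServiceHealth.Read"
    return "unrecognised error response: " + json.dumps(payload)[:200]


class O365Client:
    def __init__(self, tenant_id, client_id, client_secret, transport=urllib_transport):
        self.tenant_id, self.client_id, self.client_secret = tenant_id, client_id, client_secret
        self.transport = transport
        self.token = None

    def get_token(self):
        """Step 1: client-credentials grant with the same form fields as the curl command."""
        form = urllib.parse.urlencode({"client_secret": self.client_secret, "resource": RESOURCE,
                                       "client_id": self.client_id, "grant_type": "client_credentials"})
        url = f"{LOGIN_URL}/{self.tenant_id}/oauth2/token"
        _, text = self.transport("POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, form)
        payload = json.loads(text)
        if "access_token" not in payload:
            raise RuntimeError(diagnose(payload))
        self.token = payload["access_token"]
        return self.token

    def _api(self, method, path, content_type):
        """Steps 2 and 3 share one URL shape: .../activity/feed/<path>?contentType=<type>."""
        if content_type not in CONTENT_TYPES:
            raise ValueError(f"unknown contentType {content_type!r}")
        url = f"{RESOURCE}/api/v1.0/{self.tenant_id}/activity/feed/{path}?contentType={content_type}"
        headers = {"Authorization": f"Bearer {self.token}"}
        status, text = self.transport(method, url, headers, "" if method == "POST" else None)
        payload = json.loads(text) if text else {}
        if status >= 400 or "error" in payload or "Message" in payload:
            raise RuntimeError(diagnose(payload))
        return payload

    def start_subscription(self, content_type):  # step 2
        return self._api("POST", "subscriptions/start", content_type)

    def stop_subscription(self, content_type):   # step 2
        return self._api("POST", "subscriptions/stop", content_type)

    def list_content(self, content_type):        # step 3
        return self._api("GET", "subscriptions/content", content_type)


# Constructed sample responses, abbreviated from the bodies quoted in the document.
SAMPLE_TOKEN_OK = '{"token_type":"Bearer","expires_in":"3599","access_token":"eyJ0exxxx"}'
SAMPLE_BAD_SECRET = '{"error":"invalid_client","error_description":"AADSTS7000215: ...","error_codes":[7000215]}'
SAMPLE_DENIED = '{"Message":"Authorization has been denied for this request."}'
SAMPLE_AF10001 = '{"error":{"code":"AF10001","message":"The permission set () sent in the request ..."}}'


def scripted_transport(responses):
    """Offline transport: hands back the queued (status, body) pairs in order."""
    queue = list(responses)
    return lambda method, url, headers, body: queue.pop(0)


def run_offline_demo():
    """Walk steps 1-3 against the constructed responses; return token, content and diagnoses."""
    results = {}
    ok = O365Client("<tenant id>", "<client id>", "<client secret>",
                    scripted_transport([(200, SAMPLE_TOKEN_OK), (200, "{}"), (200, "[]")]))
    results["token"] = ok.get_token()
    ok.start_subscription("Audit.AzureActiveDirectory")
    results["content"] = ok.list_content("Audit.AzureActiveDirectory")
    failures = {"bad_secret": ([(401, SAMPLE_BAD_SECRET)], None),
                "denied": ([(200, SAMPLE_TOKEN_OK), (401, SAMPLE_DENIED)], "start_subscription"),
                "af10001": ([(200, SAMPLE_TOKEN_OK), (403, SAMPLE_AF10001)], "list_content")}
    for name, (responses, step) in failures.items():
        client = O365Client("<tenant id>", "<client id>", "<client secret>", scripted_transport(responses))
        try:
            client.get_token()
            if step:
                getattr(client, step)("DLP.All")
        except RuntimeError as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    for key, value in run_offline_demo().items():
        print(f"{key}: {value}")
```

Against a live tenant, construct `O365Client` with the default transport and the real tenant ID, client ID and client secret value; each failure surfaces as a `RuntimeError` whose message is the corrective action from the corresponding section above, which is more useful in a QRadar log source check than the raw JSON body.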
Document Location
Worldwide
Document Information
Modified date:
29 June 2023
UID
ibm17000051