Troubleshooting
Problem
::ffff:XXX.XX.XXX.XXX [ecs-ec-ingress.ecs-ec-ingress] [GENERAL22303] com.q1labs.semsources.sources.office365restapi.api.query.Office365RESTAPIQueryBase: [ERROR] [NOT:0000003000][ XXX.XX.XXX.XXX /- -] [-/- -]Received a response status [400] from the Office 365 REST API. An attempt will be made to query for content at the next retry interval.
Response:
{"error":{"code":"AF20055","message":"Date range for requested content is invalid startTime:2019-02-06T09:14 endTime:2019-02-07T09:14."}}
Cause
The stored last-query timestamps for one or more Office 365 content types in the log source's configId-<spconfig>.properties file have fallen behind. QRadar resumes polling from those timestamps, so it asks the Office 365 Management Activity API for a date range older than the content the API still holds (the API serves content for 7 days), and the API rejects the request with error AF20055.
Resolving The Problem
1. Log in to the QRadar user interface.
2. Click the Admin tab.
3. Find the Log Source ID.
   Option 1: Use the Log Source Management app.
   - Scroll to Apps > Log Source Management.
   - Locate the Office 365 log source that is not receiving events.
   - The Log Source ID is listed in the app. In this example the Log Source ID is 362.
   Option 2: Use the Log Sources icon.
   - Scroll to Data Sources > Log Sources.
   - Click the Office 365 log source that is not receiving events.
   - In the URL of the window that opens, look for the Log Source ID. In this example the Log Source ID is 362.
4. Using an SSH session, log in to the Console as the root user.
5. Use the Log Source ID from step 3 to find the spconfig ID:
   psql -U qradar -c "select spconfig from sensordevice where id = <Log Source ID>;"
   In this case the Log Source ID is 362 and the spconfig is 53:
   [root@QRadar732Base ~]# psql -U qradar -c "select spconfig from sensordevice where id = 362;"
   spconfig
   ----------
   53
6. Change directories to /store/ec/office365restapi:
   cd /store/ec/office365restapi
7. Use the ls command to locate the file named with the spconfig identifier from step 5:
   -rw-r--r-- 1 root root  83 May 29  2018 configId-1403.properties
   -rw-r--r-- 1 root root 320 Feb 13 12:48 configId-1404.properties
   -rw-r--r-- 1 root root 358 Feb 13 12:48 configId-53.properties
8. Open the config file in the vi editor:
   vi configId-53.properties
9. Locate the lines where the time has fallen behind. In this example the AzureAD, Exchange, SharePoint and General query times are almost a month older than the ServiceCommunication and DLP query times:
   AzureADQueryLastQueryTime=2019-01-18T09\:51
   ExchangeQueryLastQueryTime=2019-01-18T09\:51
   ServiceCommunicationQueryLastQueryTime=2019-02-13T12\:52
   DLPQueryLastQueryTime=2019-02-13T12\:52
   SharePointQueryLastQueryTime=2019-01-18T09\:51
   GeneralQueryLastQueryTime=2019-01-18T09\:51
10. Update the stale values so that they match the lines that have the more current time.
11. Save the changes and exit vi by pressing Esc and typing :wq.
12. Toggle the log source from Enabled to Disabled and wait 1 minute.
13. Re-enable the log source.
    Note: You might need to repeat steps 12 and 13 several times before the log source shows success.
14. Click the Log Activity tab.
15. Click Add Filter.
16. From the drop-down menu, choose Log Source [Indexed] > Equals, select the problem log source, and click Add Filter.
17. Verify that events are displayed in Log Activity.
You can now see your Office 365 events coming into QRadar.
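The following bash script is an added example, not IBM's code or part of QRadar, that automates the Console side of the procedure (steps 5 to 10): it looks up the spconfig for a Log Source ID with the same psql query, lists the *LastQueryTime keys in configId-<spconfig>.properties that have fallen behind, and advances them to the newest value in the file while keeping a .bak copy. The function names are this example's own, and the sample properties content is constructed from the values shown in step 9 so the script runs offline; only spconfig_for_logsource needs the Console's qradar database.

```shell
#!/usr/bin/env bash
# Added example (not IBM's code): automate steps 5 to 10 of the procedure above.
# Finds the *LastQueryTime keys in a QRadar Office 365 REST API
# configId-<spconfig>.properties file that have fallen behind and advances
# them to the newest value in the file, keeping a .bak copy of the original.
set -euo pipefail

# Step 5: look up the spconfig for a Log Source ID with the procedure's psql
# query; -A -t print only the bare value. Console-only (needs the qradar
# database), so the offline demo below does not call it.
spconfig_for_logsource() {
    psql -U qradar -A -t -c "select spconfig from sensordevice where id = $1;"
}

# Newest *LastQueryTime value in FILE, in the escaped form the file stores
# (e.g. 2019-02-13T12\:52). All values share one fixed-width ISO layout, so a
# byte-wise sort orders them chronologically. Fails if the file has no keys.
newest_query_time() {
    grep -E '^[A-Za-z]+LastQueryTime=' "$1" | cut -d= -f2- | LC_ALL=C sort | tail -n 1 \
        || { echo "no *LastQueryTime keys in $1" >&2; return 1; }
}

# Step 9: print the keys whose value is older than the newest one. Backslashes
# are stripped on both sides before comparing, so "09\:51" and "09:51" agree.
stale_query_keys() {
    local file=$1 newest
    newest=$(newest_query_time "$file" | tr -d '\\')
    awk -F= -v newest="$newest" '
        /^[A-Za-z]+LastQueryTime=/ { v = $2; gsub(/\\/, "", v); if (v < newest) print $1 }
    ' "$file"
}

# Step 10: rewrite every *LastQueryTime value to the newest one. The original
# is kept as FILE.bak. The value reaches awk through the environment rather
# than -v because -v would reinterpret the "\:" escape.
advance_stale_query_times() {
    local file=$1 newest
    newest=$(newest_query_time "$file")
    cp -p "$file" "$file.bak"
    NEWEST="$newest" awk -F= 'BEGIN { OFS = "=" }
        /^[A-Za-z]+LastQueryTime=/ { $2 = ENVIRON["NEWEST"] }
        { print }' "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# Constructed sample with the values shown in step 9; the real file lives in
# /store/ec/office365restapi on the Console.
write_sample_properties() {
    cat > "$1" <<'EOF'
AzureADQueryLastQueryTime=2019-01-18T09\:51
ExchangeQueryLastQueryTime=2019-01-18T09\:51
ServiceCommunicationQueryLastQueryTime=2019-02-13T12\:52
DLPQueryLastQueryTime=2019-02-13T12\:52
SharePointQueryLastQueryTime=2019-01-18T09\:51
GeneralQueryLastQueryTime=2019-01-18T09\:51
EOF
}

# Stand-alone demo on the constructed sample.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/configId-53.properties"
write_sample_properties "$demo_file"
echo "Stale keys:"; stale_query_keys "$demo_file"
advance_stale_query_times "$demo_file"
echo "After the fix:"; cat "$demo_file"
rm -rf "$demo_dir"
```

On the Console, the same functions are used against the real file: f=/store/ec/office365restapi/configId-$(spconfig_for_logsource 362).properties, then stale_query_keys "$f" to review what is behind and advance_stale_query_times "$f" to rewrite it, after which steps 12 to 17 (toggle the log source and verify in Log Activity) still apply. Restricting the rewrite to lines that end in LastQueryTime= leaves every other setting in the file untouched.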
Document Location
Worldwide
Document Information
Modified date: 08 January 2021
UID: ibm10886703