Troubleshooting
Problem
When you are connecting to Office 365, these messages might be seen:
Unable to start a content subscription. Terminating query thread for [Audit.SharePoint]
Unable to start a content subscription. Terminating query thread for [Audit.Exchange]
Access token error
Resolving The Problem
- Verify that the Office 365 DSMs and protocols are up to date from Fix Central.
- The "Automatically Acquire Server Certificate(s)" option was removed from the UI, and the protocol now validates certificates differently, so a copy of the certificates is no longer needed.
- Toggle the log source off and on. If you receive an HTTP error 400 or 500, those errors are related to your Office 365 account in Azure.
To get the access token, or to check whether you are able to pull the token manually, run these commands:
1.) Define the variables client_id, tenant_id and client_secret:
client_id=<enter the client id value>
tenant_id=<enter the tenant id value>
client_secret=<enter the client secret value>
2.) To get the access token, type the command (if no proxy is used):
curl -d "client_secret=$client_secret&resource=https://manage.office.com&client_id=$client_id&grant_type=client_credentials" -X POST https://login.microsoftonline.com/$tenant_id/oauth2/token
If you are using a proxy, type the command:
curl --proxy https://proxy_ip:port -d "client_secret=$client_secret&resource=https://manage.office.com&client_id=$client_id&grant_type=client_credentials" -X POST https://login.microsoftonline.com/$tenant_id/oauth2/token
3.) To stop the subscription, type the command (if no proxy is used):
curl -d "" -H "Authorization: Bearer <access token>" -X POST https://manage.office.com/api/v1.0/$tenant_id/activity/feed/subscriptions/stop?contentType=Audit.AzureActiveDirectory
If you are using a proxy, type the command:
curl --proxy https://proxy_ip:port -d "" -H "Authorization: Bearer <access token>" -X POST https://manage.office.com/api/v1.0/$tenant_id/activity/feed/subscriptions/stop?contentType=Audit.AzureActiveDirectory
4.) After the subscription is stopped, run the following command to start the subscription (if no proxy is used):
curl -d "" -H "Authorization: Bearer <access token>" -X POST https://manage.office.com/api/v1.0/$tenant_id/activity/feed/subscriptions/start?contentType=Audit.AzureActiveDirectory
If you are using a proxy, type the command:
curl --proxy https://proxy_ip:port -d "" -H "Authorization: Bearer <access token>" -X POST https://manage.office.com/api/v1.0/$tenant_id/activity/feed/subscriptions/start?contentType=Audit.AzureActiveDirectory
5.) Use this command to retrieve the events that QRadar would pull (if no proxy is used):
curl -d "" -H "Authorization: Bearer <access token>" -X GET https://manage.office.com/api/v1.0/$tenant_id/activity/feed/subscriptions/content?contentType=Audit.AzureActiveDirectory
If you are using a proxy, type the command:
curl --proxy https://proxy_ip:port -d "" -H "Authorization: Bearer <access token>" -X GET https://manage.office.com/api/v1.0/$tenant_id/activity/feed/subscriptions/content?contentType=Audit.AzureActiveDirectory
If you get an error similar to the one displayed below, the Client Secret has expired.
{"error":"invalid_client","error_description":"Example0002: Error validating credentials. Example0012: Invalid client secret is provided
6.) Obtain a new Client Secret from Microsoft®.
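The curl steps above, as an added Python example that is not part of the IBM document: it performs the same token, stop, start and content calls, checks the token response for the invalid_client error from step 5, and takes the content type as a parameter so the same sequence can be run for Audit.SharePoint or Audit.Exchange. The function names, the optional proxy handling through urllib and the 30-second timeout are this example's own choices, not QRadar's.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
FEED_URL = "https://manage.office.com/api/v1.0/{tenant}/activity/feed/subscriptions/{action}"
RESOURCE = "https://manage.office.com"

def subscription_url(tenant_id, action, content_type="Audit.AzureActiveDirectory"):
    """URL for steps 3-5; content_type may also be Audit.SharePoint or Audit.Exchange."""
    if action not in ("stop", "start", "content"):
        raise ValueError("action must be stop, start or content")
    query = urllib.parse.urlencode({"contentType": content_type})
    return FEED_URL.format(tenant=tenant_id, action=action) + "?" + query

def parse_token_response(body):
    """Return the bearer token, or raise when the response shows an expired/invalid secret."""
    data = json.loads(body)
    if data.get("error") == "invalid_client":  # the step 5 symptom: issue a new secret in Azure
        raise PermissionError("client secret expired or invalid: " + data.get("error_description", ""))
    if "access_token" not in data:
        raise RuntimeError("unexpected token response: " + body[:200])
    return data["access_token"]

def call(url, method, token=None, form=None, proxy=None):
    """One HTTPS request; proxy is an optional 'https://proxy_ip:port' like the curl --proxy value."""
    data = urllib.parse.urlencode(form).encode() if form else (b"" if method == "POST" else None)
    req = urllib.request.Request(url, data=data, method=method)
    if token:
        req.add_header("Authorization", "Bearer " + token)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({"https": proxy} if proxy else {}))
    try:
        with opener.open(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 400/500 responses still carry the API's error JSON
        return err.code, err.read().decode()

def restart_subscription(client_id, tenant_id, client_secret, proxy=None):
    """Steps 2-5 in order: token, stop, start, then one content pull. Returns status and body per step."""
    form = {"client_secret": client_secret, "resource": RESOURCE,
            "client_id": client_id, "grant_type": "client_credentials"}
    _, body = call(TOKEN_URL.format(tenant=tenant_id), "POST", form=form, proxy=proxy)
    token = parse_token_response(body)
    results = {}
    for action, method in (("stop", "POST"), ("start", "POST"), ("content", "GET")):
        status, body = call(subscription_url(tenant_id, action), method, token=token, proxy=proxy)
        results[action] = (status, body[:200])  # HTTP 400/500 here point at the Azure app, not QRadar
    return results
```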
Document Location
Worldwide
Document Information
Modified date:
23 July 2024
UID
ibm10887081