In some cases, when you work with a Microsoft Office 365 log source, it goes into an error state with the error message:
"Unable to obtain a valid access token. An attempt will be made again at the next retry interval."
This article provides information and commands to test the log source configuration.
This section contains the steps to test the credentials (client secret, client ID, and tenant ID) that are used to pull the access token.
SSH to the QRadar console.
Optional. If the Target Event Collector is a different host than the QRadar console, SSH to that QRadar host.
Run the following command to pull the access token.
• Replace <client secret>, <client ID>, and <tenant ID> with the corresponding information.
• In some cases, the URLs login.microsoftonline.com and manage.office.com differ for your tenant. Confirm the URLs with your Microsoft Office admin.
curl -d "client_secret=<client secret>&resource=https://manage.office.com&client_id=<client ID>&grant_type=client_credentials" -X POST https://login.windows.net/<tenant ID>/oauth2/token
Output example for correct credentials:
{"token_type":"Bearer","expires_in":"3599","ext_expires_in":"3599","expires_on":"1591045524",
"not_before":"1591041624","resource":"https://manage.office.com","access_token":"eyJ0exxxx"}
Note: The access token displayed in this example, eyJ0exxxx, is shortened.
If you get the error code 7000215:
{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided.
Ensure the secret being sent in the request is the client secret value, not the client secret
ID, for a secret added to app 'xxxx'.\r\nTrace ID: xxx\r\nCorrelation ID: 1324567890\r\n
Timestamp: 2022-09-22 13:44:16Z","error_codes":[7000215],"timestamp":"2022-09-22 13:44:16Z",
"trace_id":"xxx","correlation_id":"xxx","error_uri":"https://login.microsoftonline.com/error?code=7000215"}
This error is usually displayed when the administrator tries to pull the access token. The message refers to wrong credentials (Client ID or Client Secret). Confirm that the correct Client ID and Client Secret value (not the Client Secret ID) are used in the command.
Run the following command to retrieve events with the access token. Replace <access token> and <tenant ID> with the corresponding information.
curl -d "" -H "Authorization: Bearer <access token>" -X GET https://manage.office.com/api/v1.0/<tenant ID>/activity/feed/subscriptions/content?contentType=Audit.AzureActiveDirectory
Notes:
The administrator can change the content type based on the events configured in Microsoft Office 365:
• Exchange: contentType=Audit.Exchange
• SharePoint: contentType=Audit.SharePoint
• DLP: contentType=DLP.All
If you get the error code AF10001:
{"error":{"code":"AF10001","message":"The permission set () sent in the request does not include the expected permission."}}
This error occurs when the events are retrieved and means that the permissions are not set correctly. For QRadar to pull events, the following permissions are required:
• Activity Feed: ActivityFeed.Read, ActivityFeed.ReadDlp
• ServiceHealth: ServiceHealth.Read
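As an added example (not from this IBM article or from QRadar), the following Python 3 script runs the same two checks as the curl commands above and maps the two error codes discussed here (AADSTS7000215 and AF10001) to a plain diagnosis. It assumes only the standard library; the diagnose_* helpers are pure functions, so they can be exercised offline with the sample responses quoted in this article.

```python
import json
import urllib.parse
import urllib.request
from urllib.error import HTTPError

RESOURCE = "https://manage.office.com"  # confirm this URL with your Office admin

def http_json(url, data=None, headers=None):
    """POST when data is given, otherwise GET; return (HTTP status, parsed JSON body).
    The API returns a JSON body on errors too, so it is kept rather than raised."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

def diagnose_token(body):
    """Interpret the /oauth2/token response as ('ok', token) or (state, reason)."""
    if "access_token" in body:
        return "ok", body["access_token"]
    if 7000215 in body.get("error_codes", []):
        return "bad_secret", ("AADSTS7000215: send the client secret VALUE, not the "
                              "secret ID, and recheck the client ID")
    return "error", body.get("error_description", json.dumps(body))

def diagnose_content(status, body):
    """Interpret the subscriptions/content response; success is a JSON list of blobs."""
    err = body.get("error") if isinstance(body, dict) else None
    if isinstance(err, dict) and err.get("code") == "AF10001":
        return "missing_permission", ("grant ActivityFeed.Read, ActivityFeed.ReadDlp "
                                      "and ServiceHealth.Read to the app registration")
    if status == 200 and isinstance(body, list):
        return "ok", "%d content blob(s) listed" % len(body)
    return "error", "HTTP %d: %s" % (status, json.dumps(body))

def check_log_source(tenant_id, client_id, client_secret,
                     content_type="Audit.AzureActiveDirectory"):
    """Run both steps of the article; return (state, detail) of the first failing step."""
    form = urllib.parse.urlencode({"client_secret": client_secret, "resource": RESOURCE,
                                   "client_id": client_id,
                                   "grant_type": "client_credentials"}).encode()
    _, body = http_json("https://login.windows.net/%s/oauth2/token" % tenant_id, data=form)
    state, detail = diagnose_token(body)
    if state != "ok":
        return state, detail
    url = "%s/api/v1.0/%s/activity/feed/subscriptions/content?%s" % (
        RESOURCE, tenant_id, urllib.parse.urlencode({"contentType": content_type}))
    return diagnose_content(*http_json(url, headers={"Authorization": "Bearer " + detail}))
```

Call check_log_source(tenant_id, client_id, client_secret) from the QRadar console (or the Target Event Collector) with the same values you would put into the curl commands; a "bad_secret" result points at step 1, a "missing_permission" result at the API permissions of the app registration.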