IBM Support

QRadar: Office365 Rest API Date range for requested content is invalid startTime

Troubleshooting


Problem

Office 365 fails to collect events. When you review the logs, a message similar to the following is displayed:

 ::ffff:XXX.XX.XXX.XXX [ecs-ec-ingress.ecs-ec-ingress] [GENERAL22303] com.q1labs.semsources.sources.office365restapi.api.query.Office365RESTAPIQueryBase: [ERROR] [NOT:0000003000][ XXX.XX.XXX.XXX /- -] [-/- -]Received a response status [400] from the Office 365 REST API. An attempt will be made to query for content at the next retry interval.
Response:
{"error":{"code":"AF20055","message":"Date range for requested content is invalid startTime:2019-02-06T09:14 endTime:2019-02-07T09:14."}}

Cause

The configId properties file for the log source contains an invalid (stale) start time.

Resolving The Problem

  1. Log in to the QRadar user interface.
  2. Click the Admin tab.
  3. Find the Log Source ID.
    1. Option 1: Use the Log Source Management app
      1. Scroll to Apps > Log Source Management.
      2. Locate the Office 365 log source that is not receiving events.
      3. The Log Source ID is listed in the app.
      4. The Log Source ID in this example is 362.
    2. Option 2: Use the Log Sources icon
      1. Scroll to Data Sources > Log Sources icon.
      2. Click the Office 365 log source that is not receiving events.
      3. In the URL banner, look for the Log Source ID.
      4. In this example, the Log Source ID is 362.
  4. Using an SSH session, log in to the Console as the root user.
  5. Use the Log Source ID from step 3 to find the spconfig ID by typing the command psql -U qradar -c "select spconfig from sensordevice where id =<Log Source ID>;". In this case, the Log Source ID is 362 and the spconfig is 53.

    [root@QRadar732Base ~]# psql -U qradar -c "select spconfig from sensordevice where id = 362;"
     spconfig
    ----------
           53
  6. Change directories to /store/ec/office365restapi:
    cd /store/ec/office365restapi
  7. Use the ls command to locate the file whose name contains the spconfig identifier from step 5 (configId-<spconfig>.properties):

    -rw-r--r-- 1 root root  83 May 29  2018 configId-1403.properties

    -rw-r--r-- 1 root root 320 Feb 13 12:48 configId-1404.properties

    -rw-r--r-- 1 root root 358 Feb 13 12:48 configId-53.properties

  8. Using the vi editor, open the config file:
    vi configId-53.properties

  9. Locate where the time has fallen behind. In the example below, four of the six LastQueryTime values lag behind the other two:

    AzureADQueryLastQueryTime=2019-01-18T09\:51

    ExchangeQueryLastQueryTime=2019-01-18T09\:51

    ServiceCommunicationQueryLastQueryTime=2019-02-13T12\:52

    DLPQueryLastQueryTime=2019-02-13T12\:52

    SharePointQueryLastQueryTime=2019-01-18T09\:51

    GeneralQueryLastQueryTime=2019-01-18T09\:51
     

  10. Update the stale time values so that they match the lines that have the more current time (in this example, 2019-02-13T12\:52).

  11. Save the changes and exit vi by pressing Esc and typing :wq.

  12. Toggle the Log Source from Enabled to Disabled and wait 1 minute.

  13. Re-enable the Log Source.
    Note: You may need to do this several times before the Log Source shows success.

  14. Click Log Activity tab.

  15. Click Add filter

  16. From the drop-down menu choose Log Source [Indexed] > Equals > Select 'problem' Log Source > Add filter

  17. Verify that events are being displayed in Log Activity.
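As an added example (not part of the IBM technote or of QRadar itself), the following Python script parses a configId-<spconfig>.properties file, flags the LastQueryTime entries that have fallen behind, and rewrites them to the most current value so the log source stops requesting a date range the API rejects. The 7-day lag window is an assumption about how far back the Office 365 REST API accepts a start time, and the file contents are constructed from the values shown above.

```python
"""Find and repair stale *QueryLastQueryTime entries in a QRadar Office 365
configId-<spconfig>.properties file. Added example, not IBM code."""
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%dT%H:%M"
# Assumption: the Office 365 REST API will not serve content whose start time
# is older than about 7 days, which is what produces the AF20055 response.
MAX_LAG = timedelta(days=7)

# Constructed sample using the values shown in the technote.
SAMPLE = """\
AzureADQueryLastQueryTime=2019-01-18T09\\:51
ExchangeQueryLastQueryTime=2019-01-18T09\\:51
ServiceCommunicationQueryLastQueryTime=2019-02-13T12\\:52
DLPQueryLastQueryTime=2019-02-13T12\\:52
SharePointQueryLastQueryTime=2019-01-18T09\\:51
GeneralQueryLastQueryTime=2019-01-18T09\\:51
"""

def parse_properties(text):
    """Parse key=value lines; Java properties files escape ':' as '\\:'."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\:", ":")
    return props

def find_stale(props, now=None, max_lag=MAX_LAG):
    """Return (newest, stale): newest is the most recent LastQueryTime, stale
    lists the keys older than max_lag relative to `now` (default: newest)."""
    times = {k: datetime.strptime(v, TIME_FMT)
             for k, v in props.items() if k.endswith("LastQueryTime")}
    newest = max(times.values())
    reference = now or newest
    return newest, sorted(k for k, t in times.items() if reference - t > max_lag)

def repair(text, target):
    """Rewrite the stale keys to `target`, keeping the file's '\\:' escaping."""
    _, stale = find_stale(parse_properties(text))
    escaped = target.strftime(TIME_FMT).replace(":", "\\:")
    out = []
    for line in text.splitlines():
        key = line.partition("=")[0].strip()
        out.append(f"{key}={escaped}" if key in stale else line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    newest, stale = find_stale(parse_properties(SAMPLE))
    print("newest:", newest, "stale:", stale)
    print(repair(SAMPLE, newest), end="")
```

Run it against a copy of the real file before editing in vi, then toggle the log source as in steps 12 and 13.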

Results

You can now see your Office 365 events coming into QRadar.

Document Location

Worldwide


Document Information

Modified date:
08 January 2021

UID

ibm10886703