Office 365 REST API protocol configuration options

The Office 365 REST API protocol for IBM® Security QRadar® is an active outbound protocol.

The following table describes the protocol-specific parameters for the Office 365 REST API protocol:

Table 1. Office 365 REST API protocol log source parameters
Parameter	Value
Protocol Configuration	Office 365 REST API
Log Source Identifier	Type a unique name for the log source. The Log Source Identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Log Source Name. If you have more than one configured Office 365 REST API log source, ensure that you give each one a unique name.
Client ID	In your application configuration of Azure Active Directory, this parameter is under Client ID.
Authentication Method	Client Secret: Standard Client Secret based authentication. Client Certificate: Self signed Certificate based authentication.
Client Secret	In your application configuration of Azure Active Directory, this parameter is under Value. Note: Select Authentication Method > Client Secret to make the Client Secret parameter available.
Client Certificate	Specify the self signed .pfx certificate path. Note: Select Authentication Method > Client Certificate to make the Client Certificate parameter available. For more information, see Creating self-signed certificates and keys for Office 365 REST API protocol.
Client Certificate Password	Specify the .pfx certificate password. Note: Select Authentication Method > Client Certificate to make the Client Certificate Password parameter available.
Tenant ID	Used for Azure AD authentication.
Event Filter	The type of audit events to retrieve from Microsoft Office. Azure Active Directory Exchange SharePoint General DLP
Use Proxy	For QRadar to access the Office 365 Management APIs, all traffic for the log source travels through configured proxies. Configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, keep the Proxy Username and Proxy Password fields empty.
EPS Throttle	The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle. The default is 5000.
Show Advanced Options	Show optional advanced options for event collection. The Advanced Options values are in effect whether they are shown or not.
Management Activity API URL	Specify the Office 365 Management Activity API URL. Default is https://manage.office.com.
Azure AD Sign-in URL	Specify the Azure AD sign-in URL. Default is https://login.microsoftonline.com.