Office 365 REST API protocol configuration options
The Office 365 REST API protocol for IBM® Security QRadar® is an active outbound protocol.
The following table describes the protocol-specific parameters for the Office 365 REST API protocol:
Parameter | Value |
---|---|
Protocol Configuration | Office 365 REST API |
Log Source Identifier |
Type a unique name for the log source. The Log Source Identifier can be any valid value and does not need to reference a specific server. It can also be the same value as the Log Source Name. If you have more than one configured Office 365 REST API log source, ensure that you give each one a unique name. |
Client ID | In your application configuration of Azure Active Directory, this parameter is under Client ID. |
Client Secret | In your application configuration of Azure Active Directory, this parameter is under Value. |
Tenant ID | Used for Azure AD authentication. |
Event Filter |
The type of audit events to retrieve from Microsoft Office.
|
Use Proxy |
For QRadar to access the Office 365 Management APIs, all traffic for the log source travels through configured proxies. Configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, keep the Proxy Username and Proxy Password fields empty. |
EPS Throttle |
The maximum number of events per second that QRadar ingests. If your data source exceeds the EPS throttle, data collection is delayed. Data is still collected and then it is ingested when the data source stops exceeding the EPS throttle. The default is 5000. |
Show Advanced Options | Show optional advanced options for event collection. The Advanced Options values are in effect whether they are shown or not. |
Management Activity API URL | Specify the Office 365 Management Activity API URL. Default is https://manage.office.com. |
Azure AD Sign-in URL | Specify the Azure AD sign-in URL. Default is https://login.microsoftonline.com. |