IBM Support

QRadar: Microsoft Graph Security API error - 'HTTP status not ok. Status code is 206.'



Microsoft™ Graph Security API log sources do not receive events and the protocol test tool lists the following: 'Error received from Microsoft Graph Security API HTTP status Not OK. Status code is 206.'


Event data is not returned when the Microsoft Graph Security API is queried. The initial error code 206 identifies a connection issue.  A secondary error message provides the security provider error message for the query. 


When QRadar® queries the Microsoft™ Graph Security API, the API queries for alerts from all configured security providers, regardless of any configured filters. Any security provider that fails to return data due to error 206 indicates a 'Partial Content' response from the API. A secondary error is provided after the 206 error to help identify the security provider that failed to connect. The administrator must resolve the secondary error to successfully query the Microsoft Graph Security API. 

Diagnosing The Problem

The secondary error message identifies the Microsoft Defender ATP security provider returned an HTTP 401(Unauthorized) error. Unauthorized error messages might indicate a license or a tenant permission issue with the user configured in the log source for the security provider.

image 3144

Format for warning messages
199 - "{Vendor2}/{Provider 2}/{HTTP error code}/{time}",
199 - "{Vendor4}/{Provider 4}/{HTTP error code}/{/{time}"

Error code references

Resolving The Problem

  • Administrators who experience issues collecting Microsoft Graph Security API events need to review the HTTP error codes to determine the problem. In some scenarios, the HTTP errors might be caused by temporary service disruptions with the Microsoft provider and the issue might resolve itself automatically when all providers are available. The next attempt to poll the Microsoft Graph Security API retrieves all data from the last successful query.
  • If the problem is related to tenant permissions, licensing, or extended service outages, the administrator can contact Microsoft Graph Security for support.

Notice: Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Document Location


[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000GnfdAAC","label":"QRadar->Events->Log Source"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
05 May 2020