IBM Support

QRadar: Microsoft Graph Security API error - 'HTTP status not ok. Status code is 206.'

Troubleshooting


Problem

Microsoft™ Graph Security API log sources do not receive events and the protocol test tool lists the following: 'Error received from Microsoft Graph Security API HTTP status Not OK. Status code is 206.'

Symptom

Event data is not returned when the Microsoft Graph Security API is queried. The initial error code 206 identifies a connection issue. A secondary error message carries the error that the security provider returned for the query.

Cause

When QRadar® queries the Microsoft™ Graph Security API, the API queries for alerts from all configured security providers, regardless of any configured filters. If any security provider fails to return data, the API responds with status code 206, which indicates a 'Partial Content' response. A secondary error is provided after the 206 error to help identify the security provider that failed to connect. The administrator must resolve the secondary error to successfully query the Microsoft Graph Security API.

Diagnosing The Problem

The secondary error message identifies that the Microsoft Defender ATP security provider returned an HTTP 401 (Unauthorized) error. Unauthorized error messages might indicate a license or a tenant permission issue with the user configured in the log source for the security provider.


Format for warning messages
199 - "{Vendor2}/{Provider 2}/{HTTP error code}/{time}",
199 - "{Vendor4}/{Provider 4}/{HTTP error code}/{time}"

Error code references

Resolving The Problem

  • Administrators who experience issues collecting Microsoft Graph Security API events need to review the HTTP error codes to determine the problem. In some scenarios, the HTTP errors might be caused by temporary service disruptions with the Microsoft provider and the issue might resolve itself automatically when all providers are available. The next attempt to poll the Microsoft Graph Security API retrieves all data from the last successful query.
  • If the problem is related to tenant permissions, licensing, or extended service outages, the administrator can contact Microsoft Graph Security for support.
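
The warning format and the triage guidance above, as an added example that is not part of the original technote and is not IBM or Microsoft code: this Python script parses the secondary warning text, lists each failing provider with its HTTP error code, and flags fragments that do not match the format. The sample string, the names ExampleVendor and Example Provider, and the assumption that vendor and provider names contain no '/' are constructed for illustration.

```python
import re

# One entry of the warning format shown above:
#   199 - "{Vendor}/{Provider}/{HTTP error code}/{time}"
# Assumption: vendor and provider names contain no '/' or '"' characters.
ENTRY = re.compile(r'199\s*-\s*"([^"/]+)/([^"/]+)/(\d{3})/(\d+)"')


def parse_warnings(text):
    """Return one dict per provider warning found in the warning text."""
    return [
        {"vendor": v.strip(), "provider": p.strip(),
         "status": int(code), "time": int(t)}
        for v, p, code, t in ENTRY.findall(text)
    ]


def unparsed(text):
    """Return fragments that do not match the format, for manual review."""
    leftover = ENTRY.sub("", text)
    return [frag.strip() for frag in leftover.split(",") if frag.strip()]


def triage(entry):
    """Map a provider's HTTP status to the follow-up this technote gives."""
    if entry["status"] == 401:
        return "check license and tenant permissions of the log source user"
    return "possible temporary provider disruption; recheck after next poll"


def report(text):
    """Return (provider, status, action) tuples, one per failed provider."""
    return [(e["provider"], e["status"], triage(e)) for e in parse_warnings(text)]


# Constructed sample, not captured from a real tenant.
SAMPLE = ('199 - "Microsoft/Microsoft Defender ATP/401/150", '
          '199 - "ExampleVendor/Example Provider/504/10000"')

if __name__ == "__main__":
    for provider, status, action in report(SAMPLE):
        print(f"{provider}: HTTP {status} -> {action}")
    for frag in unparsed(SAMPLE):
        print(f"unrecognized warning fragment: {frag}")
```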

Notice: Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Document Location

Worldwide


Document Information

Modified date:
05 May 2020

UID

ibm16204097