IBM Support

QRadar: Microsoft Graph Security API error 400: 'Invalid ODATA query filter'

Troubleshooting


Problem

Microsoft™ Graph Security API protocol connections do not receive events, and the Log Source Management app test tool reports the warning message: "Error received from Microsoft Graph Security API HTTP status Not OK. Status code is 400. Error Description: 'Invalid ODATA query filter'"

Symptom

Event data is not returned when the Microsoft Graph Security API is queried. The initial error code 400 identifies a malformed or invalid filter being applied to the Graph Security API Alerts query.

Cause

When QRadar® queries the Microsoft™ Graph Security API, the API query attempts to get the information requested in the ODATA filter parameters. If any of the filter parameters are incorrect or blank, the API request fails and a 400 error is generated to indicate a bad ODATA query parameter.

Diagnosing The Problem

The secondary error message identifies that the query includes an incorrect filter value and returns an HTTP 400 (Bad Request) error. Bad Request error messages might indicate that the filter in the query does not include a supported value, or that a field within the query contains a typographical error.

Microsoft Graph Security API references

Resolving The Problem

Administrators can use the Log Source Management application to verify the filter parameters that generate the ODATA filter errors. 

Procedure
  1. Log in to the QRadar Console as an administrator.
  2. Click the Admin tab.
  3. Select Apps > QRadar Log Source Management.
  4. Click the QRadar Log Source Management icon.
  5. Locate the log source configured to use the Microsoft Graph Security API protocol.
  6. Click the Test tab.
  7. Click Start Test.
  8. Expand the Testing Query conditions to validate the filter used in the query.
  9. Review the query string for invalid or incorrectly typed $filter parameters.
  10. Edit the Event Filter field in the protocol configuration to correct any incorrect filter values, or remove $filter= from the text box.
    Some common filter examples:
    severity eq 'high'
    provider eq 'Windows Defender ATP'
    severity eq 'high' and provider eq 'Azure Security Center'
  11. Save the filter changes.

Results
The administrator can repeat this procedure to verify that events are retrieved with the test function included in the Log Source Management app.

Document Location

Worldwide


Document Information

Modified date:
06 May 2020

UID

ibm16204112