IBM Support

QRadar: Basic auth changes can impact Microsoft Office 365 Message Trace REST API log sources (IJ38984)

News


Abstract

Administrators who collect message trace events for Microsoft Exchange Online need to be aware of a protocol change that can affect their ability to collect these events. Because Microsoft is deprecating basic authentication on 31 December 2022, a new protocol for QRadar needs to be developed and released to continue collecting events from the Reporting Web Services API offered by Microsoft.

Content

Microsoft extended basic authentication for all Exchange Online users until 31 December 2022. Administrators can confirm whether log sources are configured to collect message trace events in QRadar with the Microsoft Office 365 Message Trace REST API protocol. Because the vendor is changing the API to remove basic authentication, a future protocol update is required to continue collecting these events. Microsoft provided an extension for all users of the Reporting Web Service Endpoint, which QRadar uses to collect Office 365 message trace events. A known issue, APAR IJ38984, is open for the vendor change to authentication, which requires a protocol update to resolve.

Procedure

Because a future protocol update is required to address the security changes from Microsoft, administrators can confirm whether they collect message trace events for Exchange Online from the Log Source Management app.
 
  1. Log in to the QRadar Console.
  2. Click the Admin tab > Log Sources.
  3. Review the Protocol Type list for Office 365 Message Trace REST API.


Results

If you have Office 365 Message Trace REST API protocols enabled, QRadar Support recommends that you subscribe to APAR IJ38984. An updated protocol for QRadar is expected to be released before 31 December 2022 to resolve this issue in the long term and support the Microsoft API changes. As more information becomes available, this technical note includes a change list to inform users of updates and corrections.
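On a deployment with many log sources, the same check as the procedure above can be done against the QRadar REST API instead of the list view. The following is an added example, not IBM's code: it assumes the log source management endpoints `protocol_types` and `log_sources` and their `id`, `name`, `protocol_type_id` and `enabled` fields, a console hostname and authorized service token that you supply, and constructed sample records so that it runs offline.

```python
import json
import ssl
import urllib.request

# Protocol name exactly as this technote gives it.
PROTOCOL_NAME = "Office 365 Message Trace REST API"
BASE = "/api/config/event_sources/log_source_management"


def fetch(console, token, path):
    """GET one QRadar API collection, authenticating with an authorized service token."""
    req = urllib.request.Request(
        f"https://{console}{BASE}/{path}",
        headers={"SEC": token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)


def message_trace_sources(protocol_types, log_sources):
    """Return (name, enabled) for every log source that uses the affected protocol."""
    ids = {p["id"] for p in protocol_types
           if p.get("name", "").strip().lower() == PROTOCOL_NAME.lower()}
    return sorted((s["name"], bool(s.get("enabled")))
                  for s in log_sources if s.get("protocol_type_id") in ids)


# Constructed sample responses (IDs and names are made up) so the check runs offline.
SAMPLE_PROTOCOL_TYPES = [
    {"id": 0, "name": "Syslog"},
    {"id": 9001, "name": "Office 365 Message Trace REST API"},
    {"id": 9002, "name": "Office 365 REST API"},
]
SAMPLE_LOG_SOURCES = [
    {"id": 101, "name": "fw-edge-01", "protocol_type_id": 0, "enabled": True},
    {"id": 102, "name": "exo-msgtrace-prod", "protocol_type_id": 9001, "enabled": True},
    {"id": 103, "name": "exo-msgtrace-old", "protocol_type_id": 9001, "enabled": False},
    {"id": 104, "name": "o365-audit", "protocol_type_id": 9002, "enabled": True},
]

if __name__ == "__main__":
    # Live use: replace the samples with fetch(console, token, "protocol_types")
    # and fetch(console, token, "log_sources").
    for name, enabled in message_trace_sources(SAMPLE_PROTOCOL_TYPES, SAMPLE_LOG_SOURCES):
        print(f"{name}\t{'enabled' if enabled else 'disabled'}")
```

Matching on the exact protocol name keeps similarly named protocols out of the result, and disabled log sources are still listed so they are not missed if they are re-enabled later.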


Document Information

Modified date:
14 October 2022

UID

ibm16829197