IBM Support

QRadar: Office 365 displays error "Unable to start a content subscription"



When you connect to Office 365, these messages might be displayed:

Unable to start a content subscription.  Terminating query thread for [Audit.SharePoint]
Unable to start a content subscription.  Terminating query thread for [Audit.Exchange]
Access token error


Resolving The Problem

  1. Verify that the Office 365 DSMs and Protocols are updated to the latest versions from Fix Central.
  2. The "Automatically Acquire Server Certificate(s)" option was removed from the UI, and the protocol now validates certificates differently, so a copy of the certificates is no longer needed.
  3. Toggle the log source off and on. If you receive an HTTP error 400 or 500, those errors are related to your Office 365 account in Azure.

To get the access token, or to check whether you can pull the token manually, run these commands:

  1. To get the access token, type the command:
    curl -d "client_secret=<client secret>&resource=<client id>&grant_type=client_credentials" -X POST<tenant id>/oauth2/token
  2. To stop the subscription, type the command:
    curl -d "" -H "Authorization: Bearer <access token>" -X POST<tenant id>/activity/feed/subscriptions/stop?contentType=Audit.AzureActiveDirectory
  3. After the subscription is stopped, run the following command to start the subscription:
    curl -d "" -H "Authorization: Bearer <access token>" -X POST<tenant id>/activity/feed/subscriptions/start?contentType=Audit.AzureActiveDirectory
  4. Use this command to retrieve the events to QRadar:
    curl -d "" -H "Authorization: Bearer <access token>" -X GET<tenant id>/activity/feed/subscriptions/content?contentType=Audit.AzureActiveDirectory
    If you get an error similar to the following one, the Client Secret is expired.
    {"error":"invalid_client","error_description":"Example0002: Error validating credentials. Example0012: Invalid client secret is provided
  5. Obtain a new Client Secret from Microsoft®.
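
An added example (not IBM's code): a shell helper that classifies a saved response from the token request in step 1 into the causes this article names, and redacts the access token before the body is logged or pasted into a support case. The function names and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a saved response from the token request.
# Inputs: the HTTP status (for example from curl -w '%{http_code}') and the body.

# Extract a top-level JSON string field without a JSON parser, so a
# truncated body (like the error shown above) still yields a result.
json_field() {
    # $1 = field name, $2 = response body
    printf '%s' "$2" |
        sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" |
        head -n 1
}

# Replace the bearer token with a marker before the body is stored or shared.
redact_token() {
    printf '%s' "$1" |
        sed 's/\("access_token"[[:space:]]*:[[:space:]]*"\)[^"]*/\1<redacted>/'
}

# Map status + body to the causes named in this article.
triage_token_response() {
    http_status=$1
    body=$2
    err=$(json_field error "$body")
    if [ -n "$(json_field access_token "$body")" ]; then
        echo "token_ok"
    elif [ "$err" = "invalid_client" ]; then
        echo "client_secret_expired"   # obtain a new Client Secret
    elif [ "$http_status" = "400" ] || [ "$http_status" = "500" ]; then
        echo "azure_account_error"     # related to the Office 365 account in Azure
    else
        echo "unknown"
    fi
}

# Constructed sample responses (not real output).
SAMPLE_OK='{"token_type":"Bearer","expires_in":"3599","access_token":"CONSTRUCTED.TOKEN.VALUE"}'
SAMPLE_EXPIRED='{"error":"invalid_client","error_description":"Example0002: Error validating credentials. Example0012: Invalid client secret is provided'
SAMPLE_OTHER='{"error":"invalid_request","error_description":"constructed sample"}'

triage_token_response 200 "$SAMPLE_OK"
triage_token_response 401 "$SAMPLE_EXPIRED"
triage_token_response 400 "$SAMPLE_OTHER"
redact_token "$SAMPLE_OK"; echo
```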


Document Information

Modified date:
22 September 2022