Facing issue with O365 Connector

Hi Team,

We have integrated the O365 connector into our environment but we are not receiving logs.

We have gone through the troubleshooting steps given here, "Office 365 - Troubleshooting Connectors", but it didn’t help.

Also, we have verified if the firewall or network is blocking the traffic to O365.

Please assist.

Regards,

Hello Sourav,
Thank you for joining the DNIF community.

Can you share the following screenshots to understand the issue:

  1. O365 Connector configuration.
  2. Latest log visible on console.
  3. Logs available on O365 connector.
  4. Verify whether the adapter is receiving logs or not by taking a tcpdump.

Regards.

Hey @Sourav - It’s difficult to understand the scenario and triage, without any supporting error or troubleshooting screenshots.

To understand better, could you share the following for better analysis:

  1. Notable events observed.
  2. Request/response headers post saving the configuration via browser dev tools.

Hi @Blackbird2Raven @Luffy,

  1. We are not receiving logs on the console.
  2. There are no Notable events observed.

Please find request/response headers post saving the configuration via browser dev tools below.

{"TStamp":"2021-07-28T09:10:54","data":{"client_key":"4xxxx4-4xxx-4xxxd-8xx5-bxxxxx115","conn_uuid":"5fxxxxxxxx17d","connector_name":"Office 365","connector_type":"Office 365 Connector","secret_key":"22xxxx0-4xxb-4xx-xxxf-1xxxxxx","tenant_domain":"xxxxx.onmicrosoft.com","tenant_id":"6xxxx9-9xxa-4xx5-bxxx-0c40xxxx896"},"message":"Successfully fetched the config","status":"success"}

Please find the adapter tcpdump screenshot below.

o365_tcpdump

Regards.

@Sourav - The details shared by you are incomplete in reference to the checks suggested in previous posts. Kindly share screenshots of the outcome of the suggested checks as evidence to validate and assist you better.

Quoting a few points with remarks below, for better clarity:

Share screenshot to confirm the same.

Share screenshot to confirm the same.

Share screenshot of the dev console to confirm if browser call/console errors are observed as well.

A syntax error is observed in the command executed :roll_eyes: Kindly correct the same. Below is a video “crash course on using tcpdump”:

Replace google.com with your tenant domain name and share the screenshot of ping command to verify if tenant domain is reachable:
ping google.com

Hi @Mashashi @Blackbird2Raven @Luffy,

Please find the requested screenshots below.

Notable Event screenshot.

O365 Connector configuration screenshot.
o365_Config

Dev console screenshot


Adapter Tcpdump screenshot.
TCPdump_30_7

Regards.

Hello @Sourav,

Could you let us know if you have enabled/subscribed to any one of the below APIs on the O365 end:

  1. Audit.AzureActiveDirectory
  2. Audit.Exchange
  3. Audit.General
  4. Audit.SharePoint
  5. DLP.All
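An added example, not part of the thread and not DNIF's code: one way to confirm the subscription state of the five content types listed above from the Office 365 side, independent of any SIEM connector. It assumes the Office 365 Management Activity API `subscriptions/list` endpoint and its JSON array of `contentType`/`status` entries; token acquisition is out of scope, the function names are hypothetical, and the sample response is constructed.

```python
import json
import urllib.request

# Content types listed in the post above.
EXPECTED = ("Audit.AzureActiveDirectory", "Audit.Exchange", "Audit.General",
            "Audit.SharePoint", "DLP.All")

def subscriptions_url(tenant_id):
    """Management Activity API endpoint that lists current subscriptions."""
    return ("https://manage.office.com/api/v1.0/%s/activity/feed/subscriptions/list"
            % tenant_id)

def fetch_subscriptions(tenant_id, bearer_token):
    """Live call; needs a token issued for the https://manage.office.com resource."""
    req = urllib.request.Request(subscriptions_url(tenant_id),
                                 headers={"Authorization": "Bearer " + bearer_token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def subscription_gaps(subscriptions, expected=EXPECTED):
    """Map each expected content type that is not enabled to the reason."""
    seen = {}
    for entry in subscriptions:
        if isinstance(entry, dict) and "contentType" in entry:
            seen[entry["contentType"].lower()] = entry
    gaps = {}
    for ctype in expected:
        entry = seen.get(ctype.lower())
        if entry is None:
            gaps[ctype] = "no subscription"
        elif str(entry.get("status", "")).lower() != "enabled":
            gaps[ctype] = "status=%s" % entry.get("status", "absent")
    return gaps

# Constructed sample response (not from the thread).
SAMPLE = json.loads("""[
  {"contentType": "Audit.AzureActiveDirectory", "status": "enabled", "webhook": null},
  {"contentType": "Audit.Exchange", "status": "disabled", "webhook": null},
  {"contentType": "Audit.SharePoint", "status": "enabled", "webhook": null},
  {"contentType": "Audit.General", "webhook": null}
]""")

if __name__ == "__main__":
    for ctype, reason in subscription_gaps(SAMPLE).items():
        print("%-28s %s" % (ctype, reason))
```

An empty result from `subscription_gaps` means all five content types report as enabled, so the missing logs would have to be explained elsewhere (credentials, permissions, or the collection path).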

Hi @OoVie,

We have enabled all the above APIs on the O365 end but still, we are unable to receive logs.

With the same configuration, we are able to get logs in QRadar.

Please assist.

Regards.