IBM Security QRadar

  • 1.  Error - Testing SSL connection to manage.office.com:443

    Posted Mon May 02, 2022 03:42 AM
    Getting an error while adding O365 as a log source. The connection is failing:

    • Error: Unable to connect to host [manage.office.com] on port [443]: java.net.SocketException: Connection reset


    ------------------------------
    Akash Bhardwaj
    ------------------------------


  • 2.  RE: Error - Testing SSL connection to manage.office.com:443

    Posted Tue May 03, 2022 12:55 AM
    Hi Akash


    Could you please check and follow this?

    QRadar: Test connectivity to set up an Office365 log source
    https://www.ibm.com/support/pages/qradar-test-connectivity-set-office365-log-source


    ------------------------------
    Brian Kwak
    ------------------------------



  • 3.  RE: Error - Testing SSL connection to manage.office.com:443

    Posted Wed May 04, 2022 02:32 AM
    Do I need to run these commands on O365 or on QRadar?

    ------------------------------
    Akash Bhardwaj
    ------------------------------



  • 4.  RE: Error - Testing SSL connection to manage.office.com:443

    Posted Tue May 03, 2022 03:06 AM

    As far as I remember, we had to add the related certs to /opt/qradar/conf/trusted_certificates in DER format:

    login.windows.net_443.DER

    manage.office.com_443.DER



    ------------------------------
    Vladx(x)
    ------------------------------



  • 5.  RE: Error - Testing SSL connection to manage.office.com:443

    Posted Wed May 04, 2022 02:32 AM
    Do I need to update these files in QRadar?

    ------------------------------
    Akash Bhardwaj
    ------------------------------



  • 6.  RE: Error - Testing SSL connection to manage.office.com:443

    Posted Wed May 04, 2022 03:04 AM
    Yes, you should install these certs on the QRadar EP which will connect to O365.

    ------------------------------
    Vladx(x)
    ------------------------------



  • 7.  RE: Error - Testing SSL connection to manage.office.com:443

    Posted Thu May 05, 2022 03:34 PM

    Hi, you need to update the cert files on the machine you selected on the Log Source config.

    On the Office 365 you should have something like this. That is the name of the machine that will run the polling to grab the logs from Office 365, and that machine will need the certs.





    There's a tool on QRadar called getcert.sh that will do the magic.
    So you will need to go to the box (the machine identified before) and run something like this:

    [root@qradar trusted_certificates]# cd /opt/qradar/conf/trusted_certificates/
    [root@qradar trusted_certificates]# /opt/qradar/bin/getcert.sh manage.office.com
    Pulling Certificate from [https://manage.office.com:443]
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
    verify return:1
    depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
    verify return:1
    depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = manage.office.com
    verify return:1
    DONE
    Wrote file [/opt/qradar/conf/trusted_certificates/manage.office.com_443.crt]
    [root@qradar trusted_certificates]# /opt/qradar/bin/getcert.sh login.windows.net
    Pulling Certificate from [https://login.windows.net:443]
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
    verify return:1
    depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
    verify return:1
    depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = graph.windows.net
    verify return:1
    DONE
    Wrote file [/opt/qradar/conf/trusted_certificates/login.windows.net_443.crt]
    [root@qradar trusted_certificates]# ls -ltr |tail -2
    -rw-r--r-- 1 root root 2480 May 5 15:17 manage.office.com_443.crt
    -rw-r--r-- 1 root root 6034 May 5 15:17 login.windows.net_443.crt


    Hope that works for you



    ------------------------------
    Juan Paulo
    IBM
    Santiago
    ------------------------------