It looks like there is nothing that you need to enable per the blog post, so I've updated my initial post. I would recommend that you keep an eye on this log source after 1 Oct just to make sure it does not error out.
------ updated text ------
QRadar calls our log source Microsoft Office 365 Message Trace, but Microsoft calls their feature Message Tracking. Per the blog post, there is nothing for customers to enable or request from Microsoft per this text:
"Reporting Web Service Endpoint
For those of you using the Reporting Web Service REST endpoint to get access to Message Tracking Logs and more, we're also announcing today that this service will continue to have basic auth enabled until Dec 31st for all customers, no opt-out or re-enablement is required. And, we're pleased to be able to provide the long-awaited guidance for this too right here."
-----
So, you should NOT be required to make any special requests at this time as our development teams for QRadar work with Microsoft on a protocol update to resolve the basic auth issues.
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
------------------------------
Original Message:
Sent: Wed September 28, 2022 05:32 PM
From: Bruce Hutchinson
Subject: Important: Basic auth changes can impact Microsoft Office 365 Message Trace REST API (1 Oct 2022)
We are collecting message trace logs. I forwarded the link to my tenant admin.
What protocol should be selected?
Bruce Hutchinson | Senior Network Security Analyst | Trinity Health
Original Message:
Sent: 9/27/2022 2:21:00 PM
From: Jonathan Pechta
Subject: RE: Important: Basic auth changes can impact Microsoft Office 365 Message Trace REST API (1 Oct 2022)
If there are questions about this change, let me know.
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
Original Message:
Sent: Tue September 27, 2022 02:07 PM
From: Jonathan Pechta
Subject: Important: Basic auth changes can impact Microsoft Office 365 Message Trace REST API (1 Oct 2022)
Hey all,
A quick note, but important notice that Microsoft is planning to disable basic auth for all Exchange Online users starting on 1 October 2022, which can impact Message Trace events for your Exchange log sources per APAR IJ38984.
If you collect and monitor Exchange message trace events with the Microsoft Office 365 Message Trace REST API or you previously requested an extension the first time Microsoft announced this change, you need to request a further extension per the linked Microsoft blog post. If you do not request an extension, Microsoft plans to disable Basic Auth options for Exchange events on random domains starting 1 Oct 2022.
What to do
1. Log in to the QRadar Console.
2. Click the Admin tab > Log Sources.
3. Review the Protocol Type list for Microsoft Office 365 Message Trace REST API.
Results
If you have Microsoft Office 365 Message Trace REST API protocols enabled, you need to request an extension from the Microsoft Exchange team per https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-september/ba-p/3609437.
References
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
------------------------------