IBM Security QRadar


Important: Basic auth changes can impact Microsoft Office 365 Message Trace REST API (1 Oct 2022)

  • 1.  Important: Basic auth changes can impact Microsoft Office 365 Message Trace REST API (1 Oct 2022)

    Posted Tue September 27, 2022 02:07 PM
    Edited by Jonathan Pechta Thu September 29, 2022 01:19 PM

    Hey all,

    A quick note, but important notice that Microsoft is planning to disable basic auth for all Exchange Online users starting on 1 October 2022, which can impact Message Trace events for your Exchange log sources per APAR IJ38984.

    If you collect and monitor Exchange message trace events with the Office 365 Message Trace REST API or you previously requested an extension the first time Microsoft announced this change, you need to request a further extension per the linked Microsoft blog post. If you do not request an extension, Microsoft plans to disable Basic Auth options for Exchange events on random domains starting 1 Oct 2022.

    What to do

    1. Log in to the QRadar Console.

    2. Click the Admin tab > Log Sources.

    3. Review the Protocol Type list for Office 365 Message Trace REST API.


      Results
      If you have Office 365 Message Trace REST API protocols enabled, you should monitor after Oct 1 to ensure the log source does not error out. QRadar calls our log source Microsoft Office 365 Message Trace, but Microsoft calls their feature Message Tracking. Per the blog post, there is nothing for customers to enable or request from Microsoft per this text: 
      "Reporting Web Service Endpoint
      For those of you using the Reporting Web Service REST endpoint to get access to Message Tracking Logs and more, we're also announcing today that this service will continue to have basic auth enabled until Dec 31st for all customers, no opt-out or re-enablement is required. And, we're pleased to be able to provide the long-awaited guidance for this too right here."

      https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-september/ba-p/3609437

    References



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------


  • 2.  RE: Important: Basic auth changes can impact Microsoft Office 365 Message Trace REST API (1 Oct 2022)

    Posted Tue September 27, 2022 02:21 PM
    If there are questions about this change, let me know.

    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------



  • 3.  RE: Important: Basic auth changes can impact Microsoft Office 365 Message Trace REST API (1 Oct 2022)

    Posted Wed September 28, 2022 03:18 AM
    Hi Jonathan, 

    Thanks for that notification. I looked into it because I found the error "Office365RESTAPIQueryBase: [ERROR]" in one of my installations. I did what you recommended, but the entry in the Protocol Type lists "Office 365 REST API" instead of "Microsoft Office 365 Message Trace REST API". So did I run into a different problem, or is it maybe the same?

    Best Regards

    Martin

    ------------------------------
    Martin Schmitt
    ------------------------------



  • 4.  RE: Important: Basic auth changes can impact Microsoft Office 365 Message Trace REST API (1 Oct 2022)

    Posted Wed September 28, 2022 11:43 AM
    Edited by Jonathan Pechta Wed September 28, 2022 11:59 AM

    @Martin Schmitt This protocol is specifically related to the Office 365 Message Trace REST API. I accidentally included the vendor name. I updated my initial post to include a screen capture of what to look for in the Log Source Management app.

    There are two protocols for Office 365:
    • Office 365 Message Trace REST API (Office365MessageTraceRESTAPIService in the logs/debug) <-- This protocol uses basic auth, which Microsoft plans to end. If you do not log in and request a one-time extension, then you might not be able to collect events.
    • Microsoft Office 365 REST API (Office365RESTAPI in the logs/debug) <-- Not impacted by this issue.

    There is also a Reddit thread on this issue here: https://www.reddit.com/r/QRadar/comments/xpnq5d/important_basic_auth_changes_can_impact_microsoft/

    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------
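
An added example, not part of the original posts and not IBM's code: a triage script that sorts `[ERROR]` log lines by the two protocol identifiers named above, so an error such as `Office365RESTAPIQueryBase: [ERROR]` is attributed to the protocol that is not affected by the basic auth change. The sample lines are constructed, and matching on the class-name prefix is an assumption based on the identifiers quoted in this thread.

```python
import re
from collections import Counter

# Class-name prefixes quoted in the thread -> (protocol name, uses basic auth).
PROTOCOLS = {
    "Office365MessageTraceRESTAPI": ("Office 365 Message Trace REST API", True),
    "Office365RESTAPI": ("Microsoft Office 365 REST API", False),
}

# A class token followed by an [ERROR] marker, as in the error quoted in the thread.
ERROR_RE = re.compile(r"\b(Office365\w+): \[ERROR\]")

# Constructed sample lines; real QRadar log lines carry more fields.
SAMPLE_LOG = """\
Sep 28 03:10:01 qradar-console Office365RESTAPIQueryBase: [ERROR] Unable to obtain a valid access token. An attempt will be made again at the next retry interval.
Oct  1 00:05:12 qradar-console Office365MessageTraceRESTAPIService: [ERROR] constructed authentication failure
Oct  1 00:06:12 qradar-console Office365MessageTraceRESTAPIService: [INFO] constructed polling message
Oct  1 00:07:40 qradar-console SomeOtherProtocol: [ERROR] unrelated failure
"""


def classify(line):
    """Return (protocol name, uses_basic_auth) for an Office 365 error line, else None."""
    match = ERROR_RE.search(line)
    if not match:
        return None
    cls = match.group(1)
    for prefix, info in PROTOCOLS.items():
        if cls.startswith(prefix):
            return info
    return None


def summarize(log_text):
    """Count error lines per protocol so the basic-auth one stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit] += 1
    return counts


if __name__ == "__main__":
    for (name, basic_auth), n in summarize(SAMPLE_LOG).items():
        flag = "uses basic auth, watch after 1 Oct" if basic_auth else "not impacted"
        print(f"{n} error(s): {name} ({flag})")
```
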



  • 5.  RE: Important: Basic auth changes can impact Microsoft Office 365 Message Trace REST API (1 Oct 2022)

    Posted Thu September 29, 2022 02:26 AM
    Hi Jonathan,

    Thanks for the clarification. So I have a different problem. Any other recommendation apart from opening a support ticket when receiving the error "Unable to obtain a valid access token. An attempt will be made again at the next retry interval."?

    Best Regards

    Martin

    ------------------------------
    Martin Schmitt
    ------------------------------



  • 6.  RE: Important: Basic auth changes can impact Microsoft Office 365 Message Trace REST API (1 Oct 2022)

    Posted Wed September 28, 2022 05:32 PM

     

    We are collecting message trace logs. I forwarded the link to my tenant admin.

    What protocol should be selected?

    Bruce Huthinson | Senior Network Security Analyst | Trinity Health






  • 7.  RE: Important: Basic auth changes can impact Microsoft Office 365 Message Trace REST API (1 Oct 2022)

    Posted Thu September 29, 2022 01:23 PM

    It looks like there is nothing that you need to enable per the blog post, so I've updated my initial post. I would recommend that you keep an eye on this log source after 1 Oct just to make sure it does not error out.

    ------ updated text ------
    QRadar calls our log source Microsoft Office 365 Message Trace, but Microsoft calls their feature Message Tracking. Per the blog post, there is nothing for customers to enable or request from Microsoft per this text: 

    "Reporting Web Service Endpoint
    For those of you using the Reporting Web Service REST endpoint to get access to Message Tracking Logs and more, we're also announcing today that this service will continue to have basic auth enabled until Dec 31st for all customers, no opt-out or re-enablement is required. And, we're pleased to be able to provide the long-awaited guidance for this too right here."
    -----

    So, you should NOT be required to make any special requests at this time as our development teams for QRadar work with Microsoft on a protocol update to resolve the basic auth issues.



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------



  • 8.  RE: Important: Basic auth changes can impact Microsoft Office 365 Message Trace REST API (1 Oct 2022)

    Posted Fri September 30, 2022 09:23 AM

    Hi Jonathan,

    Thanks for the update.

    One-time re-enablement will enable basic auth use until the end of December 2022. During the first week of calendar year 2023, those protocols will be disabled for basic auth use permanently by Microsoft, and there will be no possibility of using basic auth after that.

    What is the plan going forward before the end of Dec 2022?

    Thank you.

    Best regards,

    JK



    ------------------------------
    Jun Kin Ng
    ------------------------------



  • 9.  RE: Important: Basic auth changes can impact Microsoft Office 365 Message Trace REST API (1 Oct 2022)

    Posted Fri September 30, 2022 11:42 AM

    Our QRadar integration team is working on a protocol update for the Office 365 Message Trace protocol with Microsoft to resolve this issue. The goal is to issue an update to the existing protocol to support the new authentication requirements set by Microsoft.

    There is a new protocol in process that is planned to resolve this issue before Microsoft permanently disables basic auth in Jan 2023. 



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------