Microsoft Office 365 integration datetime error AF20055 #13833
Replies: 2 comments 1 reply
This may be related to a bug in the Integration - There is a discussion about it in the Elastic Slack. Looking into it further.
@tsmith-spscc 2.4.130 was just released, with the latest Elastic updates. I would suggest upgrading and testing to see if you still have this issue: https://blog.securityonion.net/2025/03/security-onion-24130-now-available.html
Version: 2.4.100
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Distributed
Location: on-prem with Internet access
Hardware Specs: Exceeds minimum requirements
CPU: 24
RAM: 192
Storage for /: 1 TB
Storage for /nsm: 40 TB
Network Traffic Collection: span port
Network Traffic Speeds: 1Gbps to 10Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues
Detail
I have enabled the Microsoft Office 365 Elastic Fleet integration on my Security Onion instance, but it is not functioning correctly. The audit logs sent from Office 365 are all the same error log, with error code AF20055. The error message supplied by Office 365 is as follows:
Start time and end time must both be specified (or both omitted) and must be less than or equal to 24 hours apart, with the start time prior to end time and start time no more than 7 days in the past. StartTime:2024-10-09T12:49:01.129432969Z, EndTime:2024-10-09T13:49:00.129432969Z
The time stamps associated with the logs pulled from Office 365 are off compared to my SO servers and also UTC time. For instance, the date stamp associated with the error shown above is listed as
Oct 16, 2024 @ 05:44:02.353
in Kibana. This correlates to my local time of 12:44:02.353 and UTC time 19:44:02.353. I do not know where the 05:44:02.353 time stamp is coming from. The time is correct on all of my Security Onion servers and they are pointing at the default NTP servers of 0.pool.ntp.org and 1.pool.ntp.org. I did have problems with NTP when I first built this instance of Security Onion - see my previous posts here about the forward node not synchronizing. However, that issue has been resolved.
Additionally, I have tried adjusting the initial interval for fetching logs in the Microsoft Office 365 integration to values significantly less than seven days (as suggested by the error message, above), but that had no effect on the problem. The default initial interval value for the Microsoft Office 365 integration is 167H 55M, which is still less than 7 days, if only by 5 minutes.
Any help is appreciated. Thanks.
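As an added example (not from the post, Security Onion, or the Elastic integration), the following Python checks a requested Office 365 Management Activity API time window against the four rules quoted in the AF20055 error text. It uses the StartTime/EndTime from the error and the Kibana-displayed and UTC timestamps from the post as inputs. The hour-sized chunking model in first_chunk and the clock-lag scenario in check_first_chunk are assumptions made for illustration, not documented integration behaviour.

```python
# Added example (not Security Onion or Elastic code): validate an Office 365
# audit-log time window against the rules quoted in error AF20055.
from datetime import datetime, timedelta, timezone

MAX_SPAN = timedelta(hours=24)      # start and end at most 24 hours apart
MAX_LOOKBACK = timedelta(days=7)    # start no more than 7 days in the past


def parse_rfc3339(ts: str) -> datetime:
    """Parse a UTC timestamp such as 2024-10-09T12:49:01.129432969Z.

    datetime.fromisoformat() accepts at most six fractional digits, so the
    nanosecond fraction is truncated to microseconds before parsing.
    """
    if ts.endswith("Z"):
        ts = ts[:-1]
    if "." in ts:
        whole, frac = ts.split(".", 1)
        ts = f"{whole}.{frac[:6]}"
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def check_window(start, end, now):
    """Return the list of violated rules; an empty list means the window is acceptable."""
    if (start is None) != (end is None):
        return ["start and end must both be specified or both omitted"]
    if start is None:
        return []
    problems = []
    if start >= end:
        problems.append("start time must be prior to end time")
    if end - start > MAX_SPAN:
        problems.append(f"window spans {end - start}, more than 24 hours")
    if now - start > MAX_LOOKBACK:
        problems.append(f"start time is {now - start} in the past, more than 7 days")
    return problems


# Window and timestamps quoted in the post.
ERROR_START = parse_rfc3339("2024-10-09T12:49:01.129432969Z")
ERROR_END = parse_rfc3339("2024-10-09T13:49:00.129432969Z")
KIBANA_TIME = datetime(2024, 10, 16, 5, 44, 2, 353000, tzinfo=timezone.utc)   # as displayed in Kibana
REPORTED_UTC = datetime(2024, 10, 16, 19, 44, 2, 353000, tzinfo=timezone.utc)  # poster's actual UTC time

DEFAULT_INITIAL_INTERVAL = timedelta(hours=167, minutes=55)  # default stated in the post


def first_chunk(collector_now, interval=DEFAULT_INITIAL_INTERVAL, chunk=timedelta(hours=1)):
    """Assumed model: the collector starts at now - interval and requests
    hour-sized chunks, matching the one-hour window seen in the error text."""
    start = collector_now - interval
    return start, start + chunk


def check_first_chunk(clock_behind_minutes: int):
    """Evaluate the default initial chunk when the collector's clock lags the
    API server's clock by the given number of minutes (constructed scenario)."""
    collector_now = datetime(2024, 10, 16, 19, 44, 2, tzinfo=timezone.utc)  # constructed
    server_now = collector_now + timedelta(minutes=clock_behind_minutes)
    start, end = first_chunk(collector_now)
    return check_window(start, end, server_now)


if __name__ == "__main__":
    print("quoted window vs Kibana-displayed time:", check_window(ERROR_START, ERROR_END, KIBANA_TIME) or "OK")
    print("quoted window vs reported UTC time:    ", check_window(ERROR_START, ERROR_END, REPORTED_UTC) or "OK")
    for lag in (0, 4, 6):
        print(f"default interval, clock behind by {lag} min:", check_first_chunk(lag) or "OK")
```

Run stand-alone, the quoted window passes the span and ordering rules (59 minutes 59 seconds, start before end) and is within 7 days of the Kibana-displayed 05:44 time, but is more than 7 days in the past as of the poster's 19:44 UTC time. The second set of lines shows that the 5-minute margin in the default 167H 55M interval is used up once the host computing the window is more than 5 minutes behind the API server's clock, which is why NTP health is worth confirming on whichever node runs the integration.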