Microsoft Office 365 (O365) reporting data is email data that provides summary information about the processing of email messages that have passed through the Office 365 system for the organization in the last 30 days. Message trace in the Security & Compliance Center follows email messages as they travel through your Exchange Online organization.
Microsoft O365 reporting data allows you to determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status. These logs also provide the following information:
- Message size
- Message ID
- To IP
- From IP
When your Splunk deployment is ingesting Microsoft O365 Reporting data, you can use the data to achieve a number of objectives, such as the following:
Phishing email investigation
Your users report receiving a large number of phishing emails lately. To gather information about these messages so that you can create better filters on your network, run the following search, scoped to the message trace source type for this data (the source type is given in the configuration details below):
sourcetype=ms:o365:reporting:messagetrace | stats VALUES(FromIP) VALUES(SenderAddress) VALUES(Size) VALUES(Subject) BY RecipientAddress
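To take that investigation a step further, the following search (an added example, not part of the Splunk documentation or the add-on) groups the same message trace events by sender domain and subject to surface campaign-like activity: one subject reaching many recipients from several source IPs. It assumes the add-on also extracts the Status and Received fields alongside those listed above, and the thresholds of 10 recipients and 3 source IPs are arbitrary starting points to tune for your organization.

```spl
index=mail sourcetype=ms:o365:reporting:messagetrace
| eval sender_domain=lower(mvindex(split(SenderAddress, "@"), 1))
| stats count AS events
        dc(RecipientAddress) AS recipients
        dc(FromIP) AS source_ips
        values(FromIP) AS from_ips
        values(Status) AS statuses
        dc(eval(if(Status="Delivered", RecipientAddress, null()))) AS delivered_recipients
        min(_time) AS first_seen
        max(_time) AS last_seen
        avg(Size) AS avg_size_bytes
        BY sender_domain Subject
| where recipients >= 10 AND source_ips >= 3
| eval delivered_pct=round(100 * delivered_recipients / recipients, 1)
| convert ctime(first_seen) ctime(last_seen)
| sort - recipients
```

Because message trace produces multiple events per email, recipients are counted with dc() rather than count so that a message that is retried or expanded does not inflate the totals; delivered_pct shows how much of the campaign got past filtering and reached mailboxes.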
The following sections provide information on configuring Splunk software to ingest this data source. To configure the device or software, we recommend that you leverage official Microsoft Office 365 resources.
If your deployment is not already ingesting Microsoft O365 Reporting data, follow the Getting Data In guidance for Splunk Enterprise or the Onboarding and Forwarding Your Data guidance for Splunk Cloud.
The recommended index is mail.
The source type is ms:o365:reporting:messagetrace.
The supported input type is ms_o365_message_trace.
In addition, you will need the Microsoft Office 365 Reporting Add-on for Splunk. The add-on can be downloaded here and the add-on documentation can be accessed here. Read and follow the documentation carefully to understand all the essential information you need to work with this data source, including how to install the add-on, configure Microsoft Office 365, and configure Splunk.
There is a large amount of variability in the volume of O365 logs. There are several areas that impact volumes:
- Subscription type and Workloads (Apps) used
- Size of organization
- O365 adoption inside of the organization
- Kinds of federation / ADsync / ExpressRoute
Message trace events tend to be about 650 bytes each, with multiple events per email. Management logs tend to be about 1200 bytes each, and Azure Audit logs tend to be north of 3000 bytes each.
The best way to size this information is to start ingesting it and then make necessary adjustments.
Validate the input and confirm the data is being ingested by running the following search: