Skip to main content

Microsoft: Office 365 Reporting

  • Updated

Microsoft Office 365 (O365) reporting data is email data that provides summary information about the processing of email messages that have passed through the Office 365 system for the organization in the last 30 days. Message trace in the Security & Compliance Center follows email messages as they travel through your Exchange Online organization. 

Data visibility 

Microsoft O365 reporting data allows you to determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status. These logs also provide the following information:

  • Message size
  • Message ID
  • To IP
  • From IP
  • Date

Data application

When your Splunk deployment is ingesting Microsoft O365 Reporting data, you can use the data to achieve a number of objectives, such as the following:

Phishing email investigation

Your users report receiving a large number of phishing emails lately. To gather information about these messages so that you can create better filters on your network, run the following search:

sourcetype="ms:o365:reporting:messagetrace"
|stats VALUES(FromIP) VALUES(SenderAddress) VALUES(Size) Values(Subject) BY RecipientAddressConclusion

Configuration

The following sections provide information on configuring Splunk software to ingest this data source. To configure the device or software, we recommend that you leverage official Microsoft Office 365 resources.

Data ingestion

If your deployment is not already ingesting Microsoft O365 Reporting data, follow the Getting Data In guidance for Splunk Enterprise or the Onboarding and Forwarding Your Data guidance for Splunk Cloud.

The recommended index is mail. 

The source type is ms:o365:reporting:messagetrace

The supported input types are ms_o365_message_trace.

In addition, you will need the Microsoft Office 365 Reporting Add-on for Splunk. The add-on can be downloaded here and the add-on documentation can be accessed here. Read and follow the documentation carefully to understand all the essential information you need to work with this data source, including how to install the add-on, configure Microsoft Office 365, and configure Splunk. 

Sizing estimate

There is a large amount of variability in the volume of O365 logs. There are several areas that impact volumes:

  • Subscription type and Workloads (Apps) used
  • Size of organization
  • O365 adoption inside of the organization
  • Kinds of federation / ADsync / ExpressRoute

Message trace events tend to be about 650 bytes each, with multiple events per email. Management logs tend to be about 1200 bytes each, and Azure Audit logs tend to be north of 3000 bytes each.

The best way to size this information is to start ingesting it and then make necessary adjustments. 

Validation

Validate the input and confirm the data is being ingested by running the following search:

index=mail sourcetype=ms:o365:reporting:messagetrace

Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.