Release history for the Splunk Add-on for Microsoft Office 365¶
The latest version of the Splunk Add-on for Microsoft Office 365 is version 4.6.0. See Release notes for the Splunk Add-on for Office 365 for the release notes of this latest version.
Version 4.5.2¶
Release notes for the Splunk Add-on for Microsoft Office 365¶
Version 4.5.2 of the Splunk Add-on for Microsoft Office 365 was released on September 16, 2024.
About this release¶
Version 4.5.2 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 9.1.x, 9.2.x, 9.3.x |
CIM | 5.0.0 |
Supported OS | Platform independent |
Vendor products | Microsoft Office 365 |
New features¶
Version 4.5.2 of the Splunk Add-on for Microsoft Office 365 has the following new features:
- Security vulnerability bug fixes.
- Compatibility with Python 3.9.
Fixed Issues¶
Version 4.5.2 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
Known issues¶
Version 4.5.2 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.
Third-party software attributions¶
Version 4.5.2 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
Third-party software attributions for the Splunk Add-on for Microsoft Office 365
Version 4.5.1¶
Version 4.5.1 of the Splunk Add-on for Microsoft Office 365 was released on February 20, 2024.
About this release¶
Version 4.5.1 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 8.2.x, 9.0.x |
CIM | 5.0.0 |
Supported OS | Platform independent |
Vendor products | Microsoft Office 365 |
New features¶
Version 4.5.1 of the Splunk Add-on for Microsoft Office 365 has the following new features:
- Added support for Request Timeout parameter in UI for Graph API - Audit Logs input.
- Enhanced the logic for handling API Token Error for Audit Logs input.
Fixed Issues¶
Version 4.5.1 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
Known issues¶
Version 4.5.1 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.
Third-party software attributions¶
Version 4.5.1 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
Third-party software attributions for the Splunk Add-on for Microsoft Office 365
Version 4.5.0¶
Version 4.5.0 of the Splunk Add-on for Microsoft Office 365 was released on January 24, 2024.
About this release¶
Version 4.5.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 8.2.x, 9.0.x |
CIM | 5.0.0 |
Supported OS | Platform independent |
Vendor products | Microsoft Office 365 |
New features¶
Version 4.5.0 of the Splunk Add-on for Microsoft Office 365 has the following new features:
- CIM enhancements for the MessageTrace input:
  - Provided CIM support of the Email data model for the `o365:reporting:messagetrace` sourcetype.
  - Removed two fields: `orig_src` and `orig_recipient`.
  - Added new fields such as `status_code`, `recipient_count`, `recipient_domain`, and `src_user_domain` as per the Email data model.
- CIM enhancements for the Management Activity input:
  - Modified the `reason`, `user`, and `user_id` field extractions, which are mapped to the Authentication data model for the `o365:management:activity` sourcetype.
Fixed Issues¶
Version 4.5.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
Known issues¶
Version 4.5.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.
Third-party software attributions¶
Version 4.5.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
Third-party software attributions for the Splunk Add-on for Microsoft Office 365
Version 4.4.0¶
Version 4.4.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 8.2.x, 9.0.x |
CIM | 5.0.0 |
Supported OS | Platform independent |
Vendor products | Microsoft Office 365 |
New features¶
Version 4.4.0 of the Splunk Add-on for Microsoft Office 365 has the following new features:
- UI upgrades for compatibility with future versions of the Splunk software (Fast and intuitive UI with an improved look and feel).
- Tenant, Proxy & Logging tabs from Settings are moved under the Configuration tab. Removed Settings tab.
- Introduced Clone functionality for the Tenant and Inputs tab.
- Introduced more info functionality for the inputs in the UI inputs table.
- Fixed the data duplication issue in Message Trace Input in case of input interruption.
- Fixed the data collection issue caused by invalid skip token error in the graph API input.
Fixed Issues¶
Version 4.4.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
Known issues¶
Version 4.4.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.
Third-party software attributions¶
Version 4.4.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
Third-party software attributions for the Splunk Add-on for Microsoft Office 365
Version 4.3.0¶
Version 4.3.0 of the Splunk Add-on for Microsoft Office 365 was released on April 20th, 2023.
About this release¶
Version 4.3.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 8.2.x, 9.0.x |
CIM | 5.0.0 |
Supported OS | Platform independent |
Vendor products | Microsoft Office 365 |
New features¶
Version 4.3.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Improved data collection approach and checkpointing mechanism for management activity inputs for faster ingestion rates with lower memory usage.
- Added support for configurable Start date/time for management activity inputs.
- Optimized data collection and checkpointing mechanisms for Audit Logs and Service Health & Communications inputs with lower memory usage.
- Fixed the data duplication issue for Mailbox, Office 365, OneDrive, SharePoint, Teams and Yammer.
- Migrated to KVstore checkpoint for Audit Logs and Service Health & Communications, Mailbox, Office 365, OneDrive, SharePoint, Teams and Yammer from the current file-based checkpoint mechanism.
Fixed Issues¶
Version 4.3.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
Known issues¶
Version 4.3.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.
Third-party software attributions¶
Version 4.3.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
Third-party software attributions for the Splunk Add-on for Microsoft Office 365
Version 4.2.1¶
Note
After upgrading the Splunk Add-on for Microsoft Office 365 from 4.0.0 and higher to version 4.2.0 or higher, your Splunk platform deployment might receive duplicate events for a maximum of 7 days, due to a change in checkpoint logic. Duplicate events will stop ingesting after 7 days.
Note
Versions 4.2.0 and higher of the Splunk Add-on for Microsoft Office 365 contain changes to the checkpoint mechanism for the Management activity input. See the Upgrade Steps section of the Upgrade topic in this manual.
Version 4.2.1 of the Splunk Add-on for Microsoft Office 365 was released on December 22nd, 2022.
About this release¶
Version 4.2.1 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 8.1.x, 8.2.x, 9.0.0 |
CIM | 5.0.0 |
Supported OS | Platform independent |
Vendor products | Microsoft Office 365 |
New features¶
Version 4.2.1 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Fixed a bug related to getting 401 authorization errors for Management Activity inputs.
Note
Versions 4.2.0 and later of this add-on use app key value store (KV store) collection functionality for checkpoints, in order to improve efficiency and optimize structuring. Versions 4.1.0 and earlier of the Splunk Add-on for Microsoft Office 365 used file-based checkpointing for the Management activity API input, which caused high memory usage for users. KV store accelerations improve search performance by making searches that contain accelerated fields return faster. As a result, KV store consumes system memory while your input is running. If your Splunk platform deployment makes heavy use of KV store, you must scale up your Splunk platform deployment so that the KV store functionality can run without errors.
Fixed Issues¶
Version 4.2.1 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
Known issues¶
Version 4.2.1 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues:
- Customers will experience a delay in event ingestion in v4.2.x due to KVstore performance on cloud architecture.
Third-party software attributions¶
Version 4.2.1 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
Third-party software attributions for the Splunk Add-on for Microsoft Office 365
Version 4.2.0¶
Note
After upgrading the Splunk Add-on for Microsoft Office 365 from 4.0.0 and higher to version 4.2.0 or higher, your Splunk platform deployment might receive duplicate events for a maximum of 7 days, due to a change in checkpoint logic. Duplicate events will stop ingesting after 7 days.
Note
Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 contains changes to the checkpoint mechanism for the Management activity input.
See the Upgrade Steps section of the Upgrade topic in this manual.
Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 was released on October 22nd, 2022.
About this release¶
Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 8.1.x, 8.2.x, 9.0.0 |
CIM | 5.0.0 |
Supported OS | Platform independent |
Vendor products | Microsoft Office 365 |
New features¶
Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Added support of Message Trace to collect Message Trace data from Microsoft Office 365.
- Optimized Memory utilization for the Management Activity Input.
- Improved user experience by adding validations
Fixed Issues¶
Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
Known issues¶
Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.
Third-party software attributions¶
Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
Third-party software attributions for the Splunk Add-on for Microsoft Office 365
Version 4.1.0¶
Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 was released on July 28th, 2022.
About this release¶
Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 8.1.x, 8.2.x, 9.0.0 |
CIM | 5.0.0 |
Supported OS | Platform independent |
Vendor products | Microsoft Office 365 |
New features¶
Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- For the Management Activity input, migrated from the legacy authentication library ADAL to MSAL.
- Enhancements and improved user experience in Tenant configuration.
- Security fix for Cloud App Security. This requires upgrading to version 4.1.0 and higher of this add-on. See the upgrade topic in this manual.
- Duplicate events fix for Cloud App Security and Management Activity:
Note
After upgrading the Splunk Add-on for Microsoft Office 365 to version 4.1.0, due to a change in checkpoint logic, your Splunk platform deployment might receive duplicate events for a maximum of 7 days. Duplicate events will stop ingesting after 7 days. You may observe a rise in the usage of your deployment’s memory/CPU resources.
Fixed Issues¶
Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
Known issues¶
Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.
Third-party software attributions¶
Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
Third-party software attributions for the Splunk Add-on for Microsoft Office 365
Version 4.0.0¶
Version 4.0.0 of the Splunk Add-on for Microsoft Office 365 was released on May 18, 2022.
About this release¶
Version 4.0.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 8.0.x, 8.1.x, 8.2.x |
CIM | 5.0.0 |
Supported OS | Platform independent |
Vendor products | Microsoft Office 365 |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features¶
Version 4.0.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Enhanced CIM support for the following workloads of the `o365:management:activity` sourcetype: AzureActiveDirectory, Exchange, SecurityComplianceCenter, SharePoint, OneDrive, MicrosoftTeams, MicrosoftForms, Yammer, SkypeForBusiness.
- Fixed a timestamp extraction issue for the `o365:management:activity` sourcetype.
- Fixed CIM tagging issues for the Authentication events of the `o365:management:activity` sourcetype.
CIM field changes¶
Splunk Add-on for Microsoft Office 365 version 4.0.0 includes updated Common Information Model event tagging for `o365:management:activity` sourcetype events. These changes were made to more accurately match the nature of the events with the appropriate data model fields. Any search content that executes against the Common Information Model fields mapped to `o365:management:activity` events must be updated. Use the following table of event field changes to inform updates to your search content.
See the following table for information on field changes between 3.0.0 and 4.0.0:
Source type | Workload | Operation | Fields added | Fields removed |
---|---|---|---|---|
o365:management:activity | AzureActiveDirectory | Add EligibleRoleAssignement to RoleDefinition., Add contact., Add policy., Finish applying group based license to users., Set directory feature on tenant., Set group license., Start applying group based license to users., Update service principal. | change_type, object_id, tenant_id, object_category, action, result | |
o365:management:activity | AzureActiveDirectory | Add application., Add device., Add group., Add member to group., Add member to role., Add user., Delete user., Update application., Update device., Update group., Update user. | tenant_id, result | |
o365:management:activity | AzureActiveDirectory | Add eligible member to role., Disable account., Remove member from role. | change_type, src_user_type, object_id, src_user, tenant_id, object_category, action, result | user_type |
o365:management:activity | AzureActiveDirectory | Add owner to application. | tenant_id, result | object_id |
o365:management:activity | AzureActiveDirectory | Add owner to group., Remove member from group., Remove service principal. | src_user_type, object_id, src_user, tenant_id, result | user_type |
o365:management:activity | AzureActiveDirectory | Add role definition., Create company settings, Delete application., Delete contact., Delete role definition., Hard Delete group., Restore Group., Update company settings, Update policy. | change_type, object_attrs, object_id, tenant_id, object_category, action, result | |
o365:management:activity | AzureActiveDirectory | Add service principal. | tenant_id, result, src_user_type | user_type |
o365:management:activity | AzureActiveDirectory | Add unverified domain. | change_type, object, tenant_id, object_category, action, result | |
o365:management:activity | AzureActiveDirectory | Change user password., Reset user password. | tenant_id, result, src_user_type, object_id | user_type |
o365:management:activity | AzureActiveDirectory | Delete group. | tenant_id, result, object_id | |
o365:management:activity | AzureActiveDirectory | Remove eligible member from role., Remove owner from application., Remove owner from group., Update StsRefreshTokenValidFrom Timestamp. | change_type, object_attrs, src_user_type, object_id, src_user, tenant_id, object_category, action, result | user_type |
o365:management:activity | AzureActiveDirectory | Remove unverified domain. | change_type, object, object_attrs, tenant_id, object_category, action, result | |
o365:management:activity | AzureActiveDirectory | Restore user. | change_type, object_attrs, src_user_type, object_id, tenant_id, object_category, action, result | user_type |
o365:management:activity | AzureActiveDirectory | Set user manager. | change_type, src_user_type, object_id, tenant_id, object_category, action, result | user_type |
o365:management:activity | AzureActiveDirectory | UserLoggedIn, UserLoginFailed | tenant_id | object |
o365:management:activity | AzureActiveDirectory | Verify domain. | object, tenant_id, result | action, object_attrs, change_type, object_category |
o365:management:activity | SharePoint | All | tenant_id | |
o365:management:activity | SharePoint | AddAnAppNewListCreateButtonClick, LaunchPowerApp | object | |
o365:management:activity | SharePoint | AddedToGroup | src_user_type | object_id |
o365:management:activity | SharePoint | AnonymousLinkCreated, AnonymousLinkUpdated, CommentsDisabled, FileDeletedFirstStageRecycleBin, FileRecycled, FileTranscriptRequested, FolderDeletedFirstStageRecycleBin, FolderRecycled, FolderRenamed, FolderRestored, ListDeleted, ListItemRecycled, ListItemRestored, ListRestored, SiteDesignInvoked, SiteLocksChanged | action, object_category | |
o365:management:activity | SharePoint | AppStoreStorefrontLaunchAppStorePage, AppStoreStorefrontShowAppDetailsPage, SharingInheritanceBroken | object, object_id | |
o365:management:activity | SharePoint | CommentCreated | object_attrs, object, change_type | |
o365:management:activity | SharePoint | CompanyLinkCreated, FileDeleted, FileModified, FileModifiedExtended, FileMoved, FolderCreated, FolderDeleted, FolderModified, SharingSet | change_type, object_attrs, object_id | |
o365:management:activity | SharePoint | DLPRuleMatch | object_category, category, dlp_type, severity, src_user, action | object_id |
o365:management:activity | SharePoint | FileAccessed, FileAccessedExtended, FileCheckOutDiscarded, FileCheckedIn, FileCopied, FilePreviewed, FileRenamed, FileRestored, FileVersionsAllDeleted, PageViewed, PageViewedExtended, SecureLinkCreated, SharingRevoked | object_id | |
o365:management:activity | SharePoint | FileUploaded | object_size | change_type, object_attrs, object_id |
o365:management:activity | SharePoint | FolderCopied, FolderMoved | action, object_category | object |
o365:management:activity | SharePoint | HubSiteRegistered, HubSiteUnregistered, ListContentTypeDeleted, ListContentTypeUpdated, ListViewCreated, PermissionLevelRemoved, SecureLinkUpdated, SiteContentTypeCreated, SiteDeleted, SiteIBModeSet, SiteRenameScheduled | object_category, change_type, object_attrs, action | |
o365:management:activity | SharePoint | ListColumnCreated, ListColumnUpdated, ListCreated, ListUpdated | object_attrs, change_type | |
o365:management:activity | SharePoint | ListColumnDeleted, ListItemCreated | action, object_category, object_attrs | |
o365:management:activity | SharePoint | RemovedFromSecureLink, RemovedFromSiteCollection | object_category, change_type, object_attrs, src_user, action, src_user_type | user_type |
o365:management:activity | SharePoint | SearchQueryPerformed | action, object_category | object_path, object |
o365:management:activity | OneDrive | All | tenant_id, result, action, object_category | |
o365:management:activity | OneDrive | AddedToGroup, GroupAdded, PermissionLevelAdded, SiteCollectionCreated, SharingPolicyChanged, ShortcutAdded, SiteCollectionAdminRemoved, SiteCollectionAdminAdded, SiteCollectionQuotaModified | change_type | |
o365:management:activity | OneDrive | AddedToGroup, AnonymousLinkCreated, GroupAdded, PermissionLevelAdded, SiteCollectionCreated, ShortcutAdded, SiteCollectionAdminRemoved, SiteCollectionQuotaModified | object_attrs | |
o365:management:activity | OneDrive | AddedToGroup | src_user, src_user_type | user_type |
o365:management:activity | OneDrive | AnonymousLinkCreated, PermissionLevelAdded, SiteCollectionCreated, ListColumnCreated, ListItemCreated, SharingPolicyChanged | object_path | |
o365:management:activity | OneDrive | DLPRuleMatch, DLPRuleUndo | dlp_type, category, severity, src_user, object_path | |
o365:management:activity | OneDrive | FileDownloaded, FileModified, FileModifiedExtended | object_size | |
o365:management:activity | OneDrive | GroupAdded, ListColumnCreated, ListItemCreated, ListCreated, ListViewed, SharingInheritanceBroken | object_id | |
o365:management:activity | OneDrive | PermissionLevelAdded, SiteCollectionCreated, SearchQueryPerformed, SharingPolicyChanged, SiteCollectionQuotaModified | object_id | object |
o365:management:activity | OneDrive | SiteLocksChanged | object_id | object, object_attrs |
o365:management:activity | Exchange | All | tenant_id, result, object_id | |
o365:management:activity | Exchange | Add-RecipientPermission, New-MailContact, New-Mailbox, Remove-MailContact, Remove-RoleGroupMember, Set-AdminAuditLogConfig, Set-Mailbox, Set-User | object_category, src_user_type, object_attrs, change_type, action, src_user | user_type |
o365:management:activity | Exchange | AddFolderPermissions, ModifyFolderPermissions | object_category, object_attrs, dest, change_type, user_agent, dest_name, action, object, client_info_str | |
o365:management:activity | Exchange | Create, Update | object_category, owner_id, parent_object, owner, object_path, dest, object, user_agent, object_size, action, owner_email, dest_name, app_id, parent_object_id, client_info_str | |
o365:management:activity | Exchange | DlpRuleMatch | recipient_domain, file_name, subject, orig_src, recipient_count, src_user_domain, action, src_user, message_id, recipient, file_size, size | |
o365:management:activity | Exchange | Enable-AddressListPaging, New-App, New-ManagementRoleAssignment, New-RoleGroup, Remove-Mailbox, Remove-RoleGroup, Remove-UnifiedGroup, Set-ConditionalAccessPolicy, Set-ExchangeAssistanceConfig, Set-OrganizationConfig, Set-RoleGroup, Set-TransportConfig | object_category, object_attrs, change_type, action | |
o365:management:activity | Exchange | MailboxLogin | dest, user_agent, dest_name, action, object, client_info_str | |
o365:management:activity | Exchange | Move, MoveToDeletedItems | object_category, owner_id, parent_object, owner, object_path, dest, object, user_agent, dest_name, action, owner_email, app_id, parent_object_id, client_info_str | |
o365:management:activity | Exchange | SoftDelete | object_category, owner_id, parent_object, owner, dest, object, user_agent, dest_name, action, owner_email, app_id, parent_object_id, client_info_str | |
o365:management:activity | SecurityComplianceCenter | All | tenant_id, result | object |
o365:management:activity | SecurityComplianceCenter | AlertEntityGenerated, AlertTriggered, AlertUpdated | signature_id, description, id, type, severity, body | object |
o365:management:activity | SecurityComplianceCenter | AuthorizeDataInsightsSubscription, SearchAlert, SearchAlertAggregate, SearchConnectorReportData, SearchCustomTag, SearchCustomerInsight, SearchDataInsightsSubscription, SearchMailflowForwardingData, SearchMtpRoleInfo, SearchMtpStatus, SearchNonAcceptedDomainDetailData, SearchSecurityRedirection, SearchTrialOffer, ValidaterbacAccessCheck | dest_name, dest | |
o365:management:activity | SecurityComplianceCenter | Get-ComplianceTag, Get-DlpCompliancePolicy, Get-DlpComplianceRule, Get-DlpDetectionsReport, Get-DlpSiDetectionsReport, Get-Label, Get-PolicyConfig, Get-ProtectionAlert, Get-RetentionCompliancePolicy | object | |
o365:management:activity | SecurityComplianceCenter | Get-DlpSensitiveInformationType, New-ProtectionAlert, Remove-DlpCompliancePolicy, Remove-DlpComplianceRule | action, change_type, object_category, object_attrs | |
o365:management:activity | SecurityComplianceCenter | InsightGenerated | description, id, type, severity, body | object |
o365:management:activity | SecurityComplianceCenter | New-DlpCompliancePolicy, New-DlpComplianceRule, Set-DlpCompliancePolicy, Set-DlpComplianceRule | action, change_type, object_category, object_attrs, object_id | |
o365:management:activity | MicrosoftTeams | AppInstalled, BotAddedToTeam, ChannelAdded, ChannelDeleted, ConnectorAdded, MemberAdded, MessageCreatedHasLink, MessageDeleted, OpenShiftAdded, OpenShiftDeleted, RequestAdded, RequestRespondedTo, ScheduleGroupAdded, ScheduleGroupEdited, ScheduleSettingChanged, ShiftAdded, TabAdded, TabUpdated, TeamCreated, TeamDeleted, TeamSettingChanged, TimeOffAdded, TimeOffDeleted, TimeOffEdited | result, tenant_id, change_type, object, dest, object_attrs, object_category, action, object_id, dest_name | |
o365:management:activity | MicrosoftTeams | CreatedApproval | tenant_id, change_type, object_attrs, object_category, action, object_id, result | |
o365:management:activity | MicrosoftTeams | TeamsSessionStarted | action, tenant_id, result | object, authentication_service |
o365:management:activity | MicrosoftForms | AllowAnonymousResponse, AllowShareFormForCopy, CreateForm, CreateResponse, DeleteAllResponses, DeleteResponse, DeleteSummaryLink, DisableSpecificResponse, DisallowAnonymousResponse, EditForm, EnableSpecificResponse, EnableWorkOrSchoolCollaboration, GetSummaryLink, UpdateFormSetting, UpdateResponse, ViewForm, ViewResponses, ViewRuntimeForm | tenant_id, action, object_category, result, object_id | |
o365:management:activity | MicrosoftForms | ListForms | tenant_id, action, dest_name, dest, result, object_category | |
o365:management:activity | SkypeForBusiness | Get-CsTeamsUpgradeOverridePolicy | change_type, result, dest_name, dest, object_id, object_category, tenant_id, object_attrs, action, object | |
o365:management:activity | Yammer | GroupCreation, MessageDeleted | result, object_id, owner_email, tenant_id, object_category, email, action | |
CIM model changes¶
See the following CIM model changes between 3.0.0 and 4.0.0:
Workload | Operation | Previous CIM model | New CIM model |
---|---|---|---|
AzureActiveDirectory | Add application., Add group., Delete group., Update application – Certificates and secrets management , Update application., Update group. | Change.Account_Management | Change.All_Changes |
Verify domain. | Change.Account_Management | ||
Add EligibleRoleAssignement to RoleDefinition., Add contact., Add policy., Add role definition., Add unverified domain., Create company settings, Delete application., Delete contact., Delete role definition., Finish applying group based license to users., Hard Delete group., Remove unverified domain., Restore Group., Set directory feature on tenant., Set group license., Start applying group based license to users., Update company settings, Update policy., Update service principal. | Change.All_Changes | ||
Add eligible member to role., Disable account., Remove eligible member from role., Remove member from role., Remove owner from application., Remove owner from group., Restore user., Set user manager., Update StsRefreshTokenValidFrom Timestamp. | Change.Account_Management | ||
SharePoint | AddedToGroup, GroupAdded, GroupRemoved, GroupUpdated, PermissionLevelAdded, SharingPolicyChanged, SiteCollectionAdminAdded, SiteCollectionAdminRemoved, SiteCollectionCreated, SiteCollectionQuotaModified, SiteRenamed | Change.Endpoint_Changes | Change.All_Changes |
CommentCreated, CompanyLinkCreated, FileDeleted, FileModified, FileModifiedExtended, FileMoved, FileUploaded, FolderCreated, FolderDeleted, FolderModified, ListColumnCreated, ListColumnUpdated, ListCreated, ListUpdated, SharingSet | Change.Endpoint_Changes | ||
DLPRuleMatch | DLP | ||
HubSiteRegistered, HubSiteUnregistered, ListContentTypeDeleted, ListContentTypeUpdated, ListViewCreated, PermissionLevelRemoved, SecureLinkUpdated, SiteContentTypeCreated, SiteDeleted, SiteIBModeSet, SiteRenameScheduled | Change.All_Changes | ||
RemovedFromSecureLink, RemovedFromSiteCollection | Change.Account_Management | ||
OneDrive | AddedToGroup | Change.Account_Management | |
DLPRuleMatch, DLPRuleUndo | DLP | ||
GroupAdded, PermissionLevelAdded, SharingPolicyChanged, ShortcutAdded, SiteCollectionAdminAdded, SiteCollectionAdminRemoved, SiteCollectionCreated, SiteCollectionQuotaModified | Change.All_Changes | ||
Exchange | Add-RecipientPermission, New-MailContact, New-Mailbox, Remove-MailContact, Remove-RoleGroupMember, Set-AdminAuditLogConfig, Set-Mailbox, Set-User | Change.Account_Management | |
AddFolderPermissions, Enable-AddressListPaging, ModifyFolderPermissions, New-App, New-ManagementRoleAssignment, New-RoleGroup, Remove-Mailbox, Remove-RoleGroup, Remove-UnifiedGroup, Set-ConditionalAccessPolicy, Set-ExchangeAssistanceConfig, Set-OrganizationConfig, Set-RoleGroup, Set-TransportConfig | Change.All_Changes | ||
DlpRuleMatch | Email.Filtering | ||
MailboxLogin | Authentication | ||
SecurityComplianceCenter | AlertEntityGenerated, AlertTriggered, AlertUpdated, InsightGenerated | Alerts | |
Get-DlpSensitiveInformationType, New-DlpCompliancePolicy, New-DlpComplianceRule, New-ProtectionAlert, Remove-DlpCompliancePolicy, Remove-DlpComplianceRule, Set-DlpCompliancePolicy, Set-DlpComplianceRule | Change.All_Changes | ||
MicrosoftTeams | AppInstalled, BotAddedToTeam, ChannelAdded, ChannelDeleted, ConnectorAdded, CreatedApproval, MemberAdded, MessageCreatedHasLink, MessageDeleted, OpenShiftAdded, OpenShiftDeleted, RequestAdded, RequestRespondedTo, ScheduleGroupAdded, ScheduleGroupEdited, ScheduleSettingChanged, ShiftAdded, ShiftDeleted, TabAdded, TabUpdated, TeamCreated, TeamDeleted, TeamSettingChanged, TimeOffAdded, TimeOffDeleted, TimeOffEdited | Change.All_Changes | |
TeamsSessionStarted | Authentication | ||
SkypeForBusiness | Get-CsTeamsUpgradeOverridePolicy | Change.All_Changes |
Fixed Issues¶
Version 4.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
Known issues¶
Version 4.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.
Third-party software attributions¶
Version 4.0.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
- axios
- certifi
- chardet
- dateutil
- debug
- follow-redirects
- future
- idna
- is-buffer
- ms
- qs
- requests
- six.py
- sortedcontainers
- u-msgpack-python
- urllib3
Version 3.0.0¶
Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 was released on February 11, 2022.
About this release¶
Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 8.0.x, 8.1.x, 8.2.x |
CIM | 4.20 |
Supported OS | Platform independent |
Vendor products | Microsoft Office 365 |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features¶
Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Changed from using the Service Communications API (now deprecated by Microsoft) to using the new Microsoft Graph API for Service Health & Communication events. This new API changes the structure of how data is ingested by the Splunk software. The following source types have had to be updated:
  - Retired source types: `o365:service:status`, `o365:service:message`
  - New source types: `o365:service:healthIssue`, `o365:service:updateMessage`
  To learn about the type of data these new source types represent coming through the Graph API, see the Overview for accessing service health and communications in Microsoft Graph topic in Microsoft's Graph API documentation.
Note
If upgrading to version 3.0.0 or later, disable `ServiceHealth.Read.All` in Office 365 Management APIs, and enable `ServiceHealth.Read.All` in Microsoft Graph.
- Enhanced the Add Input menu for ease of use. This menu includes the new Microsoft Graph API for Service Health & Communication events, and also reflects the various Graph API data categories we already support, in a more logical taxonomy.
- Added API request throttling when making too many requests to the Microsoft APIs.
Fixed Issues¶
Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
Known issues¶
Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.
Third-party software attributions¶
Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
- axios
- certifi
- chardet
- dateutil
- debug
- follow-redirects
- future
- idna
- is-buffer
- ms
- qs
- requests
- six.py
- sortedcontainers
- u-msgpack-python
- urllib3
Version 2.2.0¶
Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 was released on October 13, 2021.
About this release¶
Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x, 8.1.x |
CIM | 4.20 |
Supported OS | Platform independent |
Vendor products | Microsoft Office 365 |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features¶
Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Common Information Model (CIM) version 4.20 compatibility and enhanced CIM mapping.
- Enhanced CIM mapping for the following sourcetypes: o365:management:activity, o365:service:status, o365:service:message, o365:cas:api, o365:graph:api
- Added support for the Alerts CIM data model for the following sourcetypes: o365:service:status, o365:service:message, o365:cas:api
- Updates to the lookup splunk_ta_o365_cim_change_analysis.csv
- Updates to the lookup splunk_ta_o365_cim_data_access.csv
Note
Self-service app install (SSAI) upgrades do not automatically update the lookups with the latest values. To fix this, upgrade the add-on, then manually update the lookup files using the lookup files from the latest version of this add-on.
Field changes¶
The following sections contain information on fields and data models that have been added, modified, or removed in this release.
Fields added and removed¶
The following tables display the fields that have been added and removed in this release, listed by sourcetype.
Sourcetype | Operation | Fields added | Fields removed |
---|---|---|---|
o365:management:activity | AccessRequestCreated, GroupRemoved, GroupUpdated, SiteCollectionCreated, AccessRequestRejected, SharingSet, RemovedFromGroup, AccessRequestApproved, AddedToGroup, GroupAdded, SharingRevoked | status, authentication_service, dest_name, result, object_attrs | |
o365:management:activity | Add application. | env_name, env_seqNum, authentication_service, targetName, correlationId, env_appVer, dataset_name, targetObjectId, ResultStatusDetail, user_agent, tag, modified_properties_new_value, auditEventCategory, env_popSample, env_time, env_cloud_name, modified_properties_name, action, actorUPN, nCloud, env_iKey, env_flags | object_path, reason, modified_properties_mv |
o365:management:activity | Add device. | authentication_service, correlationId, dataset_name, tag, modified_properties_new_value, env_cloud_name, modified_properties_name, action, actorContextId, object_attrs | object_id, object_path |
o365:management:activity | Add group. | auditEventCategory, modified_properties, targetContextId, modified_properties_name, authentication_service, additionalDetails, env_ver, env_cv, dest_name, env_cloud_roleVer, object_attrs, extended_properties, targetIncludedUpdatedProperties, user_agent, modified_properties_new_value, user_agent_change | object_id, object_path |
o365:management:activity | Add member to group. | actorAppID, env_time, env_cloud_name, modified_properties_name, authentication_service, targetSPN, src_user, dest_name, actorUPN, object_attrs, extended_properties, teamName, env_cv, modified_properties_new_value, modified_properties | object_id, object_path |
o365:management:activity | Add member to role. | modified_properties, targetContextId, modified_properties_name, authentication_service, env_cloud_deploymentUnit, additionalDetails, targetName, correlationId, dest_name, nCloud, object_attrs, extended_properties, user_agent, modified_properties_new_value, env_appId, user_agent_change | object_id, object_path |
o365:management:activity | Add owner to application. | modified_properties, modified_properties_name, authentication_service, env_cloud_deploymentUnit, targetSPN, env_epoch, dest_name, env_cloud_roleVer, object_attrs, extended_properties, version, env_cloud_environment, user_agent, modified_properties_new_value, user_agent_change | object_id, object_path |
o365:management:activity | Add owner to service principal. | authentication_service, dest_name, object_attrs, extended_properties, user_agent, user_agent_change | object_id, object_path |
o365:management:activity | Add service principal. | env_name, env_seqNum, authentication_service, targetName, targetObjectId, ResultStatusDetail, targetIncludedUpdatedProperties, env_cloud_environment, user_agent, modified_properties_new_value, auditEventCategory, env_osVer, env_popSample, env_cloud_name, modified_properties_name, src_user, RequestType, actorUPN, nCloud, env_iKey, env_cv, actorPUID, env_appId, FlowTokenScenario, resultDescription, authentication_method, env_cloud_deploymentUnit, env_os, UserAuthenticationMethod, actorObjectClass, version, KeepMeSignedIn, env_ver, actorAppID, actorObjectId, env_epoch, dest_name, env_cloud_roleVer, result, env_cloud_roleInstance, extended_properties, teamName, user_agent_change, actorContextId | object_path, modified_properties_mv |
o365:management:activity | Add user. | env_seqNum, modified_properties_name, authentication_service, src_name, targetName, dest_name, env_cloud_roleVer, env_appVer, actorContextId, env_cloud_role, object_attrs, extended_properties, teamName, modified_properties_new_value, modified_properties | object_id, object_path |
o365:management:activity | FolderDeleted, SiteCollectionQuotaModified, SecureLinkCreated, CommentCreated, ListColumnCreated, ListViewUpdated, PermissionLevelAdded, WebMembersCanShareModified, CommentDeleted, ListUpdated, WebRequestAccessModified, ListColumnUpdated, ListCreated, WebAccessRequestApproverModified, CompanyLinkCreated, FolderModified, AddedToSecureLink, FolderCreated | status, authentication_service, action, eventtype, dest_name, dataset_name, result, object_attrs, change_type, object_category | |
o365:management:activity | SharingInheritanceBroken, ClientViewSignaled, ListViewed, PageViewed, PagePrefetched, PageViewedExtended | status, authentication_service, action, eventtype, dest_name, dataset_name, result, object_category | |
o365:management:activity | Delete user. | actorAppID, env_osVer, modified_properties_name, authentication_service, extendedAuditEventCategory, actorObjectId, dest_name, env_cloud_roleVer, object_attrs, env_flags, env_cloud_environment, extended_properties, modified_properties_new_value, modified_properties | object_id, object_path |
o365:management:activity | FileCheckedOut, FileCheckedIn, FileCheckOutDiscarded, FileCopied, FileAccessed, FileDownloaded | status, authentication_service, dest_name, result | change_type |
o365:management:activity | FilePreviewed, FileAccessedExtended | status, authentication_service, action, eventtype, dest_name, dataset_name, result | |
o365:management:activity | FileMoved, FileModified, FileDeleted, FileRestored, FileRenamed, FileUploaded | status, authentication_service, dest_name, result | |
o365:management:activity | FileVersionsAllDeleted, FileModifiedExtended | status, authentication_service, action, eventtype, dest_name, dataset_name, result | |
o365:management:activity | SiteCollectionAdminRemoved, SharingPolicyChanged, SiteColumnCreated | status, authentication_service, action, eventtype, dest_name, dataset_name, result, object_attrs, change_type, object_category | src, src_ip |
o365:management:activity | SiteCollectionAdminAdded | status, authentication_service, dest_name, result, object_attrs | src, src_ip |
o365:management:activity | Update application. | env_name, env_seqNum, authentication_service, env_cloud_ver, targetName, correlationId, resultType, env_appVer, dataset_name, ResultStatusDetail, targetIncludedUpdatedProperties, env_cloud_environment, tag, user_agent, modified_properties_new_value, env_popSample, env_time, env_cloud_name, modified_properties_name, action, RequestType, env_cloud_role, env_iKey, env_flags | object_id, object_path, modified_properties_mv |
o365:management:activity | Update device. | authentication_service, targetName, dataset_name, tag, modified_properties_new_value, auditEventCategory, modified_properties_name, action, env_iKey | object_id, object_path, modified_properties_mv |
o365:management:activity | Update group. | modified_properties_name, authentication_service, env_cloud_ver, env_epoch, correlationId, dest_name, actorContextId, actorUPN, env_cloud_roleInstance, object_attrs, extended_properties, version, modified_properties_new_value, modified_properties | object_id, object_path |
o365:management:activity | Update user. | env_name, env_seqNum, authentication_service, targetName, correlationId, targetObjectId, targetIncludedUpdatedProperties, env_cloud_environment, user_agent, modified_properties_new_value, modified_properties, env_popSample, env_time, modified_properties_name, env_cloud_role, actorUPN, object_attrs, nCloud, env_flags, env_iKey, env_cv, actorPUID, env_appId, FlowTokenScenario, resultDescription, authentication_method, env_cloud_deploymentUnit, env_os, src_name, UserAuthenticationMethod, actorObjectClass, KeepMeSignedIn, additionalDetails, env_ver, actorAppID, targetSPN, actorObjectId, additionalTargets, dest_name, env_cloud_roleVer, env_cloud_roleInstance, UserAgent, extended_properties, teamName, extendedAuditEventCategory, actorContextId | object_path, reason |
o365:management:activity | UserLoggedIn | FlowTokenScenario, actorAppID, authentication_method, targetContextId, env_seqNum, targetSPN, authentication_service, RequestType, dest_name, correlationId, ResultStatusDetail, actorUPN, UserAuthenticationMethod | object_id, modified_properties, object_path, object_attrs, reason, modified_properties_mv |
o365:management:activity | UserLoginFailed | env_name, authentication_service, env_cloud_environment, env_osVer, env_popSample, nCloud, env_cv, env_appId, FlowTokenScenario, env_os, actorObjectClass | object_id, IsCompliantAndManaged, SessionId, object_path, BrowserType |
Sourcetype | Status | Fields added | Fields removed |
---|---|---|---|
o365:service:status | ServiceOperational, ServiceRestored, ServiceDegradation |
Sourcetype | ImpactDescription | Fields added | Fields removed |
---|---|---|---|
o365:service:message | Users may be unable to view shared calendars within the Outlook client or Outlook on the web services., Admins were unable to access the Microsoft Secure Score webpage via the Microsoft 365 security center., Admins may see Microsoft 365 app usage and productivity score reports data delayed after June 30, 2021., Admins may have experienced delayed data in Productivity score reports from the Microsoft 365 admin center., Users may be unable to use the multi-language spellcheck feature of the Microsoft Teams desktop client., Users may have intermittently been unable to connect to the OneDrive for Business service., null, Admins see some users' Outlook Desktop activity isn't showing up in usage reports., Users are unable to create Skype account., Admins may experience a delay in receiving messages., Users may have been unable to use the search function in SharePoint Online., Users may have been unable to sign in to Outlook., Users may have been unable to sign in to Skype., Users are unable to create Outlook account., Admins may have been unable to install O365., Users saw an error and were unable to access the "Shared by you" tab in OneDrive for Business., Admins may have seen a delay in updated data for Skype for Business usage reports within the Microsoft 365 admin center., Admins are unable to exclude errors., Users were seeing errors when downloading records with 10,000 or more entries from the Security and Compliance Center. |
Sourcetype | isSystemAlert | Fields added | Fields removed |
---|---|---|---|
o365:cas:api | true | app, signature, src, eventtype, type, dest, severity, severity_id | |
Sourcetype | policyType | Fields added | Fields removed |
---|---|---|---|
o365:cas:api | NEW_SERVICE | app, signature, src, eventtype, type, severity, severity_id | |
Sourcetype | Fields added | Fields removed |
---|---|---|
o365:graph:api | eventtype | |
Fields modified¶
The following tables display the fields that have been modified in this release, listed by sourcetype.
Sourcetype | CIM Field | Operation | Vendor Field Before | Vendor field after | Sample value before | Sample value after |
---|---|---|---|---|---|---|
o365:management:activity | user | Add member to role., Add member to group. | UserId | ObjectId | abcd@27cf00f56f558d8859778b97.example.com | abcdefghi@d10b5fea7bd2276be1bba7cd.qwertyu.com |
o365:management:activity | user_id | UserLoggedIn, UserLoginFailed | UserId | Actor{}.ID where Actor{}.Type=3 | abcd@27cf00f56f558d8859778b97.example.com | 10037FFE8EC1E08E |
o365:management:activity | reason | where ResultStatus indicates "failure", such as UserLoginFailed | LogonError | resultDescription OR ResultStatusDetail | InvalidUserNameOrPassword | UserError |
o365:management:activity | status | All where ResultStatus IN (failed, failure, success, succeeded) | ResultStatus | ResultStatus | failure, failed, success, succeeded | failure, success |
o365:management:activity | dvc | where Workload=SharePoint | Workload | ObjectId | SharePoint | a830edad9050849nda3079.sharepoint.com |
o365:management:activity | modified_properties | Add application., Add service principal., Update application., Update device. | ModifiedProperties{} from the event | ModifiedProperties{} from the event | AppId, AppIdentifierUri, AvailableToOtherTenants, DisplayName, Entitlement, PublicClient, WwwHomepage | {"Name":"AppId","NewValue":"[\r\n "1ac58b10-9fc3-4436-a49d-1edf7c485b9a"\r\n]","OldValue":"[]"},{"Name":"AppIdentifierUri","NewValue":"[\r\n "http://customappsso/cec784fd-e8d3-479e-8a6a-176a21cd73ea"\r\n]","OldValue":"[]"},{"Name":"AvailableToOtherTenants","NewValue":"[\r\n false\r\n]","OldValue":"[]"},{"Name":"DisplayName","NewValue":"[\r\n "Fraedom Flexipurchase"\r\n]","OldValue":"[]"},{"Name":"Entitlement","NewValue":"[\r\n {\r\n "EntitlementEncodingVersion": 2,\r\n "EntitlementId": "f98592a2-00f5-4e30-a973-be093e529651",\r\n "IsDisabled": false,\r\n "Origin": 0,\r\n "Name": "Access Fraedom Flexipurchase",\r\n "Description": "Allow the application to access Fraedom Flexipurchase on behalf of the signed-in user.",\r\n "Definition": null,\r\n "ClaimValue": "user_impersonation",\r\n "ResourceScopeType": 1,\r\n "IsPrivate": false,\r\n "UserConsentDisplayName": "Access Fraedom Flexipurchase",\r\n "UserConsentDescription": "Allow the application to access Fraedom Flexipurchase on your behalf.",\r\n "DirectAccessGrantTypes": [],\r\n "ImpersonationAccessGrantTypes": [\r\n {\r\n "Impersonator": 29,\r\n "Impersonated": 20\r\n }\r\n ],\r\n "EntitlementCategory": 0\r\n }\r\n]","OldValue":"[]"},{"Name":"PublicClient","NewValue":"[\r\n false\r\n]","OldValue":"[]"},{"Name":"WwwHomepage","NewValue":"[\r\n "https://abc.ewa.com:111/qwerty/abc.html?iefnqev=efqev |
o365:management:activity | object_category | Add service principal. | Static value: user | Static value: ServicePrincipal | | |
o365:management:activity | object_category | Update group. | Static value: user, group | Static value: group | | |
o365:management:activity | object_category | SiteCollectionCreated | Static value: user | Static value: site | | |
o365:management:activity | change_type | AccessRequestApproved, AccessRequestRejected, SharingSet | Static Value: user | Static Value: AAA | | |
o365:management:activity | change_type | SiteCollectionCreated | Static Value: user | Static Value: collection | | |
o365:management:activity | dest | Add application., Add user., Update user., Delete user., Add group., Add device., Update device., Update application., Add owner to application., Add service principal., Add member to group., Add member to role., etc. where env_cloud_name is present inside ExtendedProperties{} in the event | ObjectId | env_cloud_name OR ObjectId | abcdef@705e62b9e1c0c47a2c4e0709.example.com | MSO-BY1 |
o365:management:activity | dest | UserLoggedIn, UserLoginFailed | ObjectId | Static value: Microsoft Office 365 AzureActiveDirectory | 797f4846-ba00-4fd7-ba43-dac1f8f63013 | Microsoft Office 365 AzureActiveDirectory |
o365:management:activity | dest | If env_cloud_name is not present in the event, then ObjectId is used as dest | ObjectId | ObjectId | | |
o365:management:activity | action | AccessRequestRejected | Static Value: unknown | Static Value: deleted | | |
o365:management:activity | action | FileCheckOutDiscarded | Static Value: modified | Static Value: read | | |
o365:management:activity | action | FileCheckedIn | Static Value: created | Static Value: read | | |
o365:management:activity | action | FileCopied | Static value: read | Static value: copied | | |
o365:management:activity | action | FileDownloaded | Static value: read | Static value: downloaded | | |
o365:management:activity | action | Add group., SharingSet | Static Value: modified | Static Value: created | | |
o365:management:activity | object_attrs | Add user., Update user., Add group., Add device., Add application., etc. | ModifiedProperties{} from the event, a list of attributes that were modified | ModifiedProperties{} from the event, but as key=value pairs of the relevant and necessary attributes | StsRefreshTokensValidFrom, UserType, AccountEnabled, UserPrincipalName | UserPrincipalName=abcdef@705e62b9e1c0c47a2c4e0709.example.com, AccountEnabled=true, UserType=Member |
o365:management:activity | object_attrs | Update group., Update application. | ModifiedProperties{} from the event, a list of attributes that were modified | object_category | LastDirSyncTime | group, application |
o365:management:activity | object | Add group., Update group., Add device., Update device., Add application., Update application., Add service principal. | ObjectId | targetName | Not Available | APP_User_Adobe_Sign, EBIZ_SAP_PP_USR, iPad-ABCD1234, Fraedom Flexipurchase |
o365:management:activity | object_id | where Workload=AzureActiveDirectory | ObjectId | targetObjectId from ExtendedProperties{} in the event | abcdef@705e62b9e1c0c47a2c4e0709.example.com | 93a565f6-d0fc-4ac3-9d2a-8c1de9aeed3c |
Sourcetype | CIM Field | isSystemAlert=true | Vendor Field Before | Vendor field after | Sample value before | Sample value after |
---|---|---|---|---|---|---|
o365:cas:api | description | where description="" OR isnull(description) | description | title | empty | System alert: Deprecation of Label Management in the Azure Portal, System alert: Service health status page deprecation |
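The tables above describe the new derivations in prose (for example, `user_id` now comes from the Actor entry of Type 3, `dest` prefers `env_cloud_name` over `ObjectId`, and `object_attrs` becomes key=value pairs decoded from the JSON-encoded `NewValue` strings). The following is an added example, not the add-on's own props.conf/transforms.conf logic, that re-implements several of these "after" mappings in Python over two constructed events so the post-upgrade field values can be checked against what a search expects. It assumes the Management Activity API event shape in which ExtendedProperties is a list of Name/Value objects, ModifiedProperties is a list of Name/NewValue/OldValue objects with JSON-encoded NewValue strings (as in the sample value in the table), and Actor is a list of ID/Type objects; the choice of "relevant" attributes for object_attrs (every entry with a non-empty decoded NewValue) is also an assumption.

```python
"""Added example: derive the "Vendor field after" values from the Fields
modified table for a few o365:management:activity and o365:cas:api fields.
This is not the add-on's own code. Event shape assumptions are constructed
for this example (see the lead-in)."""
import json
from typing import Any, Dict, Optional

FAILURE_VALUES = {"failed", "failure"}
SUCCESS_VALUES = {"success", "succeeded"}
LOGIN_OPERATIONS = {"UserLoggedIn", "UserLoginFailed"}
MEMBERSHIP_OPERATIONS = {"Add member to role.", "Add member to group."}
TARGET_NAME_OPERATIONS = {
    "Add group.", "Update group.", "Add device.", "Update device.",
    "Add application.", "Update application.", "Add service principal.",
}


def ext_prop(event: Dict[str, Any], name: str) -> Optional[str]:
    """Value of the ExtendedProperties entry called `name`, or None."""
    for prop in event.get("ExtendedProperties") or []:
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def normalize_status(result_status: Optional[str]) -> Optional[str]:
    """Map ResultStatus (failed/failure/success/succeeded) to failure/success."""
    value = (result_status or "").lower()
    if value in FAILURE_VALUES:
        return "failure"
    if value in SUCCESS_VALUES:
        return "success"
    return None  # any other vendor value is left unmapped


def _scalar(value: Any) -> str:
    # Render JSON-style (true/false, nested objects), not Python repr.
    return json.dumps(value) if isinstance(value, (bool, dict, list)) else str(value)


def decode_new_value(raw: Any) -> str:
    """Unwrap a NewValue such as '[\\r\\n  "Member"\\r\\n]' to 'Member'."""
    if raw is None:
        return ""
    if not isinstance(raw, str):
        return _scalar(raw)
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        return raw.strip()  # not JSON (or empty): keep the vendor value verbatim
    if isinstance(parsed, list):
        return ", ".join(_scalar(v) for v in parsed)
    return _scalar(parsed)


def to_cim(event: Dict[str, Any]) -> Dict[str, Any]:
    """Apply the 'after' mappings from the table to one management:activity event."""
    op = event.get("Operation", "")
    cim: Dict[str, Any] = {}
    status = normalize_status(event.get("ResultStatus"))
    if status:
        cim["status"] = status
    # user: ObjectId for role/group membership operations, otherwise UserId
    cim["user"] = event.get("ObjectId") if op in MEMBERSHIP_OPERATIONS else event.get("UserId")
    if op in LOGIN_OPERATIONS:
        # user_id: Actor{}.ID where Actor{}.Type=3
        for actor in event.get("Actor") or []:
            if actor.get("Type") == 3:
                cim["user_id"] = actor.get("ID")
                break
        cim["dest"] = "Microsoft Office 365 AzureActiveDirectory"
    else:
        cim["dest"] = ext_prop(event, "env_cloud_name") or event.get("ObjectId")
    if status == "failure":
        reason = ext_prop(event, "resultDescription") or ext_prop(event, "ResultStatusDetail")
        if reason:
            cim["reason"] = reason
    if event.get("Workload") == "AzureActiveDirectory" and ext_prop(event, "targetObjectId"):
        cim["object_id"] = ext_prop(event, "targetObjectId")
    if op in TARGET_NAME_OPERATIONS and ext_prop(event, "targetName"):
        cim["object"] = ext_prop(event, "targetName")
    attrs = []
    for prop in event.get("ModifiedProperties") or []:
        value = decode_new_value(prop.get("NewValue"))
        if value:  # assumption: non-empty NewValue == relevant attribute
            attrs.append(f"{prop.get('Name')}={value}")
    if attrs:
        cim["object_attrs"] = attrs
    return cim


def cas_description(alert: Dict[str, Any]) -> Optional[str]:
    """o365:cas:api: fall back to `title` when `description` is empty or missing."""
    return alert.get("description") or alert.get("title")


# Constructed sample events (placeholder identifiers, not real tenant data).
LOGIN_FAILED = {
    "Workload": "AzureActiveDirectory", "Operation": "UserLoginFailed",
    "ResultStatus": "Failed", "UserId": "abcd@example.com",
    "ObjectId": "app-id-placeholder", "LogonError": "InvalidUserNameOrPassword",
    "Actor": [{"ID": "abcd@example.com", "Type": 5}, {"ID": "10037FFE8EC1E08E", "Type": 3}],
    "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "UserError"}],
}
ADD_USER = {
    "Workload": "AzureActiveDirectory", "Operation": "Add user.",
    "ResultStatus": "Success", "UserId": "admin@example.com", "ObjectId": "newuser@example.com",
    "ExtendedProperties": [{"Name": "env_cloud_name", "Value": "MSO-BY1"},
                           {"Name": "targetObjectId", "Value": "00000000-0000-4000-8000-000000000001"}],
    "ModifiedProperties": [
        {"Name": "AccountEnabled", "NewValue": "[\r\n  true\r\n]", "OldValue": "[]"},
        {"Name": "UserPrincipalName", "NewValue": "[\r\n  \"newuser@example.com\"\r\n]", "OldValue": "[]"},
        {"Name": "UserType", "NewValue": "[\r\n  \"Member\"\r\n]", "OldValue": "[]"},
        {"Name": "Included Updated Properties", "NewValue": "", "OldValue": ""},
    ],
}

if __name__ == "__main__":
    for ev in (LOGIN_FAILED, ADD_USER):
        print(ev["Operation"], json.dumps(to_cim(ev), indent=2))
```

Running the module prints the derived CIM fields for both constructed events: the failed sign-in yields status=failure, user_id=10037FFE8EC1E08E, reason=UserError and the static dest value, while the Add user. event yields dest=MSO-BY1 (from env_cloud_name), object_id from targetObjectId and object_attrs as AccountEnabled=true, UserPrincipalName=..., UserType=Member. A detection that still keyed on `user_id` being a UPN or on `reason=InvalidUserNameOrPassword` would miss after the 2.2.0 change, which is the kind of drift this check is meant to surface.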
Modified data models¶
The following table displays the CIM data models that have been modified in this release, listed by sourcetype.
Sourcetype | Operation | Previous CIM model | New CIM model |
---|---|---|---|
o365:management:activity | FileAccessed, FileCheckedOut, FileCheckOutDiscarded, FileCopied, FileCheckedIn, FileDownloaded | Change:Endpoint_Changes | Data Access |
Fixed Issues¶
Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
Known issues¶
Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.
Third-party software attributions¶
Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
- axios
- certifi
- chardet
- dateutil
- debug
- follow-redirects
- future
- idna
- is-buffer
- ms
- qs
- requests
- six.py
- sortedcontainers
- u-msgpack-python
- urllib3
Version 2.1.0¶
Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 was released on June 25, 2021.
About this release¶
Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x |
CIM | 4.18 |
Supported OS | Platform independent |
Vendor products | Microsoft Office 365 |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features¶
Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.
Two new sourcetypes:
- Cloud Application Security - o365:cas:api - All service policies, alerts, and entities visible through the Microsoft Cloud App Security portal.
- Graph API - o365:graph:api - Audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.
Fixed Issues¶
Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
Known issues¶
Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.
Third-party software attributions¶
Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
- axios
- certifi
- chardet
- dateutil
- debug
- follow-redirects
- future
- idna
- is-buffer
- ms
- qs
- requests
- six.py
- sortedcontainers
- u-msgpack-python
- urllib3
Version 2.0.3¶
Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 was released on January 15, 2021.
About this release¶
Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x |
CIM | 4.16 |
Supported OS | Platform independent |
Vendor products | Microsoft Office 365 |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features¶
Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Security bug fixes.
Fixed Issues¶
Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
Known issues¶
Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.
Third-party software attributions¶
Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
- axios
- certifi
- chardet
- dateutil
- debug
- follow-redirects
- future
- idna
- is-buffer
- ms
- qs
- requests
- six.py
- sortedcontainers
- u-msgpack-python
- urllib3
Version 2.0.2¶
Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 was released on May 1, 2020.
About this release¶
Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x |
CIM | 4.16 |
Supported OS | Platform independent |
Vendor products | Microsoft Office 365 |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features¶
Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Improved Support for the Authentication CIM Model.
Fixed Issues¶
Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 contains the following fixed issues.
Known issues¶
Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.
Third-party software attributions¶
Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
- axios
- certifi
- chardet
- dateutil
- debug
- follow-redirects
- future
- idna
- is-buffer
- ms
- qs
- requests
- six.py
- sortedcontainers
- u-msgpack-python
- urllib3
Version 2.0.1¶
Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 was released on March 14, 2020.
About this release¶
Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x |
CIM | 4.12 |
Supported OS | Platform independent |
Vendor products | Microsoft Office 365 |
New features¶
Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Default Python3 support.
Fixed Issues¶
Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 contains the following fixed issues.
Known issues¶
Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.
Third-party software attributions¶
Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
- axios
- certifi
- chardet
- dateutil
- debug
- follow-redirects
- future
- idna
- is-buffer
- ms
- qs
- requests
- six.py
- sortedcontainers
- u-msgpack-python
- urllib3
Version 2.0.0¶
Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 was released on October 21, 2019.
About this release¶
Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x |
CIM | 4.12 |
Supported OS | Platform independent |
Vendor products | Microsoft Office 365 |
New features¶
Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Python 3 support.
- Enhanced role and capability functionality. Regular users now need additional permissions to use the UI to see input configurations and tenant associations.
- FIPS compliance encryption changes.
Fixed Issues¶
Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following fixed issues.
Known issues¶
Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.
Third-party software attributions¶
Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
- axios
- certifi
- chardet
- dateutil
- debug
- follow-redirects
- future
- idna
- is-buffer
- ms
- qs
- requests
- six.py
- sortedcontainers
- u-msgpack-python
- urllib3
Version 1.1.0¶
Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 was released on May 23, 2019.
About this release¶
Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 6.6.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x |
CIM | 4.12 |
Supported OS | Platform independent |
Vendor products | Microsoft Office 365 |
New features¶
Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Configurable Token Refresh Window for the Management Activity inputs to support uninterrupted data ingestion.
Fixed Issues¶
Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following fixed issues.
Known issues¶
Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.
Third-party software attributions¶
Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
- axios
- certifi
- dateutil
- debug
- follow-redirects
- idna
- is-buffer
- ms
- qs
- requests
- six.py
- sortedcontainers
- u-msgpack-python
- urllib3
Version 1.0.0¶
Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
Splunk platform versions | 6.6.X, 7.0.X, 7.1.X |
CIM | Not supported |
Supported OS | Platform independent |
Vendor products | Microsoft Office 365 |
Migration¶
If you are currently using the Splunk Add-on for Microsoft Cloud Services to ingest Office 365 Management API data and are migrating to the Splunk Add-on for Office 365, disable the Office 365 modular input in the Splunk Add-on for Microsoft Cloud Services.
There are three new source types in the Splunk Add-on for Microsoft Office 365 which replace the single ms:o365:management source type in the Splunk Add-on for Microsoft Cloud Services. If you are migrating from the Splunk Add-on for Microsoft Cloud Services to the Splunk Add-on for Microsoft Office 365, you will need to update your existing dashboards, panels, and SPL with the new source types. See Source types for the Splunk Add-on for Microsoft Office 365.
New features¶
Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Simple authentication with the Office 365 Management API applications.
- Simple process for changing the registered application key.
- Three new source types: o365:management:activity, o365:service:status, and o365:service:message.
Known issues¶
Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.
Third-party software attributions¶
Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
- axios
- certifi
- dateutil
- debug
- follow-redirects
- idna
- is-buffer
- ms
- qs
- requests
- six.py
- sortedcontainers
- u-msgpack-python
- urllib3