Release notes for the SPL2 templates for Microsoft Office 365¶

O365 Management Activity: Reduce log size (CIM & ESCU compatibility)¶

Version 0.0.1 of the O365 Management Activity: Reduce log size (CIM & ESCU compatibility) template was released on October 17, 2025.

New features

First version of CIM & ESCU compatibility template was published.
O365 Management Activity events are supported.
Removes 107 proven noise fields while maintaining full CIM and ESCU compatibility.
Dual output branching for archival and primary indexing.
Comprehensive test coverage with 36 automated tests across 12 O365 workloads.

Known limitations

Version 0.0.1 of the O365 Management Activity: Reduce log size (CIM only compatibility) template was released on October 17, 2025.

New features

First version of CIM only compatibility template was published.
O365 Management Activity events are supported.
Removes 127 total fields (107 noise fields + 20 ESCU-specific) for maximum space reduction.
Maintains CIM compatibility only - ESCU detections not supported.
Dual output branching for archival and primary indexing.
Comprehensive test coverage with 36 automated tests across 12 O365 workloads.

Known limitations

Events must have o365:management:activity sourcetype.
Does not process other O365 sourcetypes.
BREAKS Enterprise Security Content Updates (ESCU) compatibility - not suitable for environments using Splunk Enterprise Security.

Breaking changes

Removes ESCU-specific fields including: AlertEntityId, ApplicationId, Category, ClientAppId, ClientIPAddress, CorrelationId, Data, DeviceProperties{}, EventData, InterSystemsId, MessageId, NewValue, OldValue, Parameters, SessionId, SiteUrl, Source, SourceFileExtension, Status.
Use CIM & ESCU compatibility template if ESCU compatibility is required.