Skip to content

Source types for the Splunk Add-on for Microsoft Office 365

The Splunk Add-on for Microsoft Office 365 provides the index-time and search-time knowledge for audit, service status, and service message events in the following formats.

Source type

Dataset_Name

Description

CIM data models

o365:cas:api

n/a

All service policies, alerts and entities visible through the Microsoft cloud application security portal.

n/a

o365:graph:api

n/a

All audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.

n/a

o365:management:activity

Authentication
Alerts
All_Changes.Account_Management
All_Changes
Data_Access
DLP_Incidents
All_Email.Filtering

All audit events visible through the Office 365 Management Activity API

Authentication, Alerts, Change, Data Access, Data Loss Prevention, Email

o365:service:healthIssue

n/a

All service status events visible through the Microsoft Graph API for Service health and communications.
For more information on this API, see the Overview for accessing service health and communications in Microsoft Graph topic in the Microsoft's Graph API documentation.
For more information on Microsoft's throttling limits for this API, see the "Service Communications service limits" section of the Microsoft Graph throttling guidance topic in the Microsoft Graph API documentation.

n/a

o365:service:updateMessage

n/a

All service message events visible through the Microsoft Graph API for Service health and communications.
For more information on this API, see the Overview for accessing service health and communications in Microsoft Graph topic in the Microsoft's Graph API documentation.
For more information on Microsoft's throttling limits for this API, see the "Service Communications service limits" section of the Microsoft Graph throttling guidance topic in the Microsoft Graph API documentation.

n/a

o365:reporting:messagetrace

n/a

All Message Trace events visible through the Microsoft Report API endpoints.

Email

splunk:ta:o365:log

n/a

All log events generated by the Splunk Add-on for Microsoft Office 365.

n/a