Source types for the Splunk Add-on for Microsoft Office 365¶
The Splunk Add-on for Microsoft Office 365 provides the index-time and search-time knowledge for audit, service status, and service message events in the following formats.
| Source type | Dataset_Name | Description | CIM data models |
|---|---|---|---|
o365:cas:api |
n/a | All service policies, alerts and entities visible through the Microsoft cloud application security portal. | n/a |
o365:graph:api |
n/a | All audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API. | n/a |
o365:management:activity |
Authentication Alerts All_Changes.Account_Management All_Changes Data_Access DLP_Incidents All_Email.Filtering |
All audit events visible through the Office 365 Management Activity API | Authentication, Alerts, Change, Data Access, Data Loss Prevention, Email |
o365:service:healthIssue |
n/a | All service status events visible through the Microsoft Graph API for Service health and communications. For more information on this API, see the Overview for accessing service health and communications in Microsoft Graph topic in the Microsoft’s Graph API documentation. For more information on Microsoft’s throttling limits for this API, see the “Service Communications service limits” section of the Microsoft Graph throttling guidance topic in the Microsoft Graph API documentation. |
n/a |
o365:service:updateMessage |
n/a | All service message events visible through the Microsoft Graph API for Service health and communications. For more information on this API, see the Overview for accessing service health and communications in Microsoft Graph topic in the Microsoft’s Graph API documentation. For more information on Microsoft’s throttling limits for this API, see the “Service Communications service limits” section of the Microsoft Graph throttling guidance topic in the Microsoft Graph API documentation. |
n/a |
o365:reporting:messagetrace |
n/a | All Message Trace events visible through the Microsoft Report API endpoints | |
o365:metadata |
n/a | All Microsoft Entra ID Metadata events visible through the Graph API. | n/a |
splunk:ta:o365:log |
n/a | All log events generated by the Splunk Add-on for Microsoft Office 365. | n/a |