Overview

Splunk Add-on for Microsoft Office 365

Version	4.7.0
Vendor Products	Microsoft Office 365
Splunk platform versions	9.1.x, 9.2.x, 9.3.x, 9.4.x
Platforms	Platform independent

Note

Version 4.3.0 and higher is expected to have around 1% of event duplication for the Management Activity input in the Splunk platform due to duplicate events from the Microsoft API.

The Splunk Add-on for Microsoft Office 365 replaces the modular input for the Office 365 Management API within the Splunk Add-on for Microsoft Cloud Services.

The Splunk Add-on for Microsoft Office 365 allows a Splunk software administrator to pull service status, service messages, and management activity logs from the Office 365 Management Activity API and the Office 365 Service Communications API. You can collect:

• Audit logs for Azure Active Directory, Sharepoint Online, and Exchange Online, supported by the Office 365 Management API. For more details, see the Office 365 Management Activity API reference on the Microsoft website.
• Historical and current service status, and service messages for the corresponding Office 365 Service Communications API.
• Data Loss Prevention events via the Office 365 Management Activity API.
• Message Trace event via the Office 365 Message Trace Report API.

After the Splunk platform indexes the events, you can then directly analyze the data or use it as a contextual data feed to correlate with other data in the Splunk platform.

Search the Splunk Community page for more information about this add-on.

Source types for the Splunk Add-on for Microsoft Office 365

The Splunk Add-on for Microsoft Office 365 provides the index-time and search-time knowledge for audit, service status, and service message events in the following formats.

Source type	Dataset_Name	Description	CIM data models
o365:cas:api	n/a	All service policies, alerts and entities visible through the Microsoft cloud application security portal.	n/a
o365:graph:api	n/a	All audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.	n/a
o365:management:activity	Authentication Alerts All_Changes.Account_Management All_Changes Data_Access DLP_Incidents All_Email.Filtering	All audit events visible through the Office 365 Management Activity API	Authentication, Alerts, Change, Data Access, Data Loss Prevention, Email
o365:service:healthIssue	n/a	All service status events visible through the Microsoft Graph API for Service health and communications. For more information on this API, see the Overview for accessing service health and communications in Microsoft Graph topic in the Microsoft's Graph API documentation. For more information on Microsoft's throttling limits for this API, see the "Service Communications service limits" section of the Microsoft Graph throttling guidance topic in the Microsoft Graph API documentation.	n/a
o365:service:updateMessage	n/a	All service message events visible through the Microsoft Graph API for Service health and communications. For more information on this API, see the Overview for accessing service health and communications in Microsoft Graph topic in the Microsoft's Graph API documentation. For more information on Microsoft's throttling limits for this API, see the "Service Communications service limits" section of the Microsoft Graph throttling guidance topic in the Microsoft Graph API documentation.	n/a
o365:reporting:messagetrace	n/a	All Message Trace events visible through the Microsoft Report API endpoints.	Email
splunk:ta:o365:log	n/a	All log events generated by the Splunk Add-on for Microsoft Office 365.	n/a

Release notes for the Splunk Add-on for Microsoft Office 365

Version 4.7.0 of the Splunk Add-on for Microsoft Office 365 was released on January 7, 2025.

Note

Version 4.3.0 and higher is expected to have around 1% of event duplication for the Management Activity input in the Splunk platform due to duplicate events from the Microsoft API.

About this release

Version 4.7.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions	9.1.x, 9.2.x, 9.3.x, 9.4.x
CIM	5.1.0
Supported OS	Platform independent
Vendor products	Microsoft Office 365

New features

Version 4.7.0 of the Splunk Add-on for Microsoft Office 365 has the following new features:

• Audit Logs input enhancement

  • Fixed the potential data miss issue for Audit Logs input.

  • Added support for delay_throttle_min to handle the late arriving events on the Azure Cloud Audit Logs. For more information, see Audit Logs inputs.

Fixed Issues

Version 4.7.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.

Known issues

Version 4.7.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.

Third-party software attributions

Version 4.7.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Office 365

Release history for the Splunk Add-on for Microsoft Office 365

The latest version of the Splunk Add-on for Microsoft Office 365 is version 4.7.0. See Release notes for the Splunk Add-on for Office 365 for the release notes of this latest version.

Version 4.6.0

Version 4.6.0 of the Splunk Add-on for Microsoft Office 365 was released on November 4 , 2024.

About this release

Version 4.6.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions	9.1.x, 9.2.x, 9.3.x
CIM	5.0.0
Supported OS	Platform independent
Vendor products	Microsoft Office 365

New features

Version 4.6.0 of the Splunk Add-on for Microsoft Office 365 has the following new features:

• Compatibility with IPV6.
• Support for providing custom self signed certificates.

• Enhanced data collection for Audit Logs Sign In input.

  • Added support for start_date to fetch historical data.

  • Added support for query_window_size through which user can control amount of data getting downloaded in single chunk.

  • Exponential backoff retry policies for 5xx series error codes.

  • Fixed _time extraction issue.

• Enhanced the data collection mechanism for the following Graph API content types, ensuring reports are generated for active resources only. Additionally, introduced support for Start Date and Delay Throttle parameters to provide greater control over data retrieval timing:

  • Office365 Groups Activity Detail
  • OneDrive Usage Account Detail
  • SharePoint Site Usage Detail
  • Teams User Activity User Detail
  • Yammer Groups Activity Detail

Fixed Issues

Version 4.6.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.

Known issues

Version 4.6.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.

Third-party software attributions

Version 4.6.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Office 365

Version 4.5.2

Version 4.5.2 of the Splunk Add-on for Microsoft Office 365 was released on September 16, 2024.

About this release

Version 4.5.2 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions	9.1.x, 9.2.x, 9.3.x
CIM	5.0.0
Supported OS	Platform independent
Vendor products	Microsoft Office 365

New features

Version 4.5.2 of the Splunk Add-on for Microsoft Office 365 has the following new features:

• Security vulnerability bug fixes.
• Compatability with Python3.9.

Fixed Issues

Version 4.5.2 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.

Known issues

Version 4.5.2 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.

Third-party software attributions

Version 4.5.2 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Office 365

Version 4.5.1

Version 4.5.1 of the Splunk Add-on for Microsoft Office 365 was released on February 20, 2024.

About this release

Version 4.5.1 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions	8.2.x, 9.0.x
CIM	5.0.0
Supported OS	Platform independent
Vendor products	Microsoft Office 365

New features

Version 4.5.1 of the Splunk Add-on for Microsoft Office 365 has the following new features:

• Added support for Request Timeout parameter in UI for Graph API - Audit Logs input.
• Enhanced the logic for handling API Token Error for Audit Logs input.

Fixed Issues

Version 4.5.1 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.

Known issues

Version 4.5.1 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.

Third-party software attributions

Version 4.5.1 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Office 365

Version 4.5.0

Version 4.5.0 of the Splunk Add-on for Microsoft Office 365 was released on January 24, 2024.

About this release

Version 4.5.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions	8.2.x, 9.0.x
CIM	5.0.0
Supported OS	Platform independent
Vendor products	Microsoft Office 365

New features

Version 4.5.0 of the Splunk Add-on for Microsoft Office 365 has the following new features:

• CIM enhancements for MessageTrace Input :
• Provided CIM support of email data model for o365:reporting:messagetrace sourcetype.
• Removed two fields orig_src and orig_recipient.
• Added new fields such as status_code, recipient_count, recipient_domain, src_user_domain as per email data model.
• CIM enhancements for Management Activity Input :
• Modified reason, user, and user_id field extractions which are mapped to authentication data model for o365:management:activity sourcetype.

Fixed Issues

Version 4.5.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.

Known issues

Version 4.5.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.

Third-party software attributions

Version 4.5.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Office 365

Version 4.4.0

Version 4.4.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions	8.2.x, 9.0.x
CIM	5.0.0
Supported OS	Platform independent
Vendor products	Microsoft Office 365

New features

Version 4.4.0 of the Splunk Add-on for Microsoft Office 365 has the following new features:

• UI upgrades for compatibility with future versions of the Splunk software (Fast and intuitive UI with an improved look and feel).
  • Tenant, Proxy & Logging tabs from Settings are moved under the Configuration tab. Removed Settings tab.
  • Introduced Clone functionality for the Tenant and Inputs tab.
  • Introduced more info functionality for the inputs in the UI inputs table.
• Fixed the data duplication issue in Message Trace Input in case of input interruption.
• Fixed the data collection issue caused by invalid skip token error in the graph API input.

Fixed Issues

Version 4.4.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.

Known issues

Version 4.4.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.

Third-party software attributions

Version 4.4.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Office 365

Version 4.3.0

Version 4.3.0 of the Splunk Add-on for Microsoft Office 365 was released on April 20th, 2023.

About this release

Version 4.3.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions	8.2.x, 9.0.x
CIM	5.0.0
Supported OS	Platform independent
Vendor products	Microsoft Office 365

New features

Version 4.3.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

• Improved data collection approach and checkpointing mechanism for management activity inputs for faster ingestion rates with lower memory usage.
• Added support for configurable Start date/time for management activity inputs.
• Optimized data collection and checkpointing mechanisms for Audit Logs and Service Health & Communications inputs with lower memory usage.
• Fixed the data duplication issue for Mailbox, Office 365, OneDrive, SharePoint, Teams and Yammer.
• Migrated to KVstore checkpoint for Audit Logs and Service Health & Communications, Mailbox, Office 365, OneDrive, SharePoint, Teams and Yammer from the current file-based checkpoint mechanism.

Fixed Issues

Version 4.3.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.

Known issues

Version 4.3.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.

Third-party software attributions

Version 4.3.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Office 365

Version 4.2.1

Note

After upgrading the Splunk Add-on for Microsoft Office 365 from 4.0.0 and higher to version 4.2.0 or higher, your Splunk platform deployment might receive duplicate events for a maximum of 7 days, due to a change in checkpoint logic. Duplicate events will stop ingesting after 7 days.

Note

Versions 4.2.0 and higher of the Splunk Add-on for Microsoft Office 365 contain changes to the checkpoint mechanism for the Management activity input. See the Upgrade Steps section of the Upgrade topic in this manual.

Version 4.2.1 of the Splunk Add-on for Microsoft Office 365 was released on December 22nd, 2022.

About this release

Version 4.2.1 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions	8.1.x, 8.2.x, 9.0.0
CIM	5.0.0
Supported OS	Platform independent
Vendor products	Microsoft Office 365

New features

Version 4.2.1 of the Splunk Add-on for Microsoft Office 365 has the following new features.

• Fixed a bug related to getting 401 authorization errors for Management Activity inputs.

Note

Versions 4.2.0 and later of this add-on use app key value store (KV store) collection functionality for checkpoints, in order to improve efficiency and optimize structuring. Versions 4.1.0 and earlier of the Splunk Add-on for Microsoft Office 365 used file-based checkpointing for the Management activity API input, which caused high memory issues for users.
KV store accelerations improve search performance by making searches that contain accelerated fields return faster. As a result, KV store will consume system memory when your input is running. If your Splunk platform deployment uses a lot of KV store, you must to scale up your Splunk platform deployment, so that the KV store functionality can run without any errors.

Fixed Issues

Version 4.2.1 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.

Known issues

Version 4.2.1 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues:

• Customers will experience a delay in event ingestion in v4.2.x due to KVstore performance on cloud architecture.

Third-party software attributions

Version 4.2.1 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Office 365

Version 4.2.0

Note

After upgrading the Splunk Add-on for Microsoft Office 365 from 4.0.0 and higher to version 4.2.0 or higher, your Splunk platform deployment might receive duplicate events for a maximum of 7 days, due to a change in checkpoint logic. Duplicate events will stop ingesting after 7 days.

Note

Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 contains changes to the checkpoint mechanism for the Management activity input.

See the Upgrade Steps section of the Upgrade topic in this manual.

Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 was released on October 22nd, 2022.

About this release

Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions	8.1.x, 8.2.x, 9.0.0
CIM	5.0.0
Supported OS	Platform independent
Vendor products	Microsoft Office 365

New features

Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

• Added support of Message Trace to collect Message Trace data from Microsoft Office 365.
• Optimized Memory utilization for the Management Activity Input.
• Improved user experience by adding validations

Fixed Issues

Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.

Known issues

Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.

Third-party software attributions

Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Office 365

Version 4.1.0

Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 was released on July 28th, 2022.

About this release

Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions	8.1.x, 8.2.x, 9.0.0
CIM	5.0.0
Supported OS	Platform independent
Vendor products	Microsoft Office 365

New features

Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

• For Management Activity Input, migrated from legacy authentication AADL to MSAL.
• Enhancements and improved user experience in Tenant configuration.
• Security fix for Cloud App Security. This requires upgrading to version 4.1.0 and higher of this add-on. See the upgrade topic in this manual.
• Duplicate events fix for Cloud App Security and Management Activity:

Note

After upgrading the Splunk Add-on for Microsoft Office 365 to version 4.1.0, due to a change in checkpoint logic, your Splunk platform deployment might receive duplicate events for a maximum of 7 days. Duplicate events will stop ingesting after 7 days. You may observe a rise in the usage of your deployment’s memory/CPU resources.

Fixed Issues

Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.

Known issues

Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.

Third-party software attributions

Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Office 365

Version 4.0.0

Version 4.0.0 of the Splunk Add-on for Microsoft Office 365 was released on May 18, 2022.

About this release

Version 4.0.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions	8.0.x, 8.1.x, 8.2.x
CIM	5.0.0
Supported OS	Platform independent
Vendor products	Microsoft Office 365

Note

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 4.0.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

• Enhanced CIM support for below listed workloads of sourcetype o365:management:activity. - AzureActiveDirectory - Exchange - SecurityComplianceCenter - SharePoint - OneDrive - MicrosoftTeams - MicrosoftForms - Yammer - SkypeForBusiness
• Fixed Timestamp extractions issue for the o365:management:activity sourcetype.
• Fixed CIM tagging issues for the Authentication events of o365:management:activity sourcetype.

CIM field changes

Splunk Add-On for Microsoft Office 365 version 4.0.0 includes updated Common Information Model even tagging for o365:management:activity sourcetype events. These changes were made to more accurately match the nature of the events with the appropriate data model fields. Any search content that executes against the Common Information Model fields mapped to o365:management:activity events must be updated. Utilize this table of event field changes to inform updates to your search content.

See the following tables for information on field changes between 3.0.0 and 4.0.0 :

Source-type	Workload	Operation	Fields added	Fields removed
['o365:management:activity']	AzureActiveDirectory	Add EligibleRoleAssignement to RoleDefinition., Add contact., Add policy., Finish applying group based license to users., Set directory feature on tenant., Set group license., Start applying group based license to users., Update service principal.	change_type, object_id, tenant_id, object_category, action, result
['o365:management:activity']		Add application., Add device., Add group., Add member to group., Add member to role., Add user., Delete user., Update application., Update device., Update group., Update user.	tenant_id, result
['o365:management:activity']		Add eligible member to role., Disable account., Remove member from role.	change_type, src_user_type, object_id, src_user, tenant_id, object_category, action, result	user_type
['o365:management:activity']		Add owner to application.	tenant_id, result	object_id
['o365:management:activity']		Add owner to group., Remove member from group., Remove service principal.	src_user_type, object_id, src_user, tenant_id, result	user_type
['o365:management:activity']		Add role definition., Create company settings, Delete application., Delete contact., Delete role definition., Hard Delete group., Restore Group., pdate company settings, Update policy.	change_type, object_attrs, object_id, tenant_id, object_category, action, result
['o365:management:activity']		Add service principal.	tenant_id, result, src_user_type	user_type
['o365:management:activity']		Add unverified domain.	change_type, object, tenant_id, object_category, action, result
['o365:management:activity']		Change user password., Reset user password.	tenant_id, result, src_user_type, object_id	user_type
['o365:management:activity']		Delete group.	tenant_id, result, object_id
['o365:management:activity']		Remove eligible member from role., Remove owner from application., Remove owner from group., Update StsRefreshTokenValidFrom Timestamp.	change_type, object_attrs, src_user_type, object_id, src_user, tenant_id, object_category, action, result	user_type
['o365:management:activity']		Remove unverified domain.	change_type, object, object_attrs, tenant_id, object_category, action, result
['o365:management:activity']		Restore user.	change_type, object_attrs, src_user_type, object_id, tenant_id, object_category, action, result	user_type
['o365:management:activity']		Set user manager.	change_type, src_user_type, object_id, tenant_id, object_category, action, result	user_type
['o365:management:activity']		UserLoggedIn, UserLoginFailed	tenant_id	object
['o365:management:activity']		Verify domain.	object, tenant_id, result	action, object_attrs, change_type, object_category
['o365:management:activity']	SharePoint	All	tenant_id
['o365:management:activity']		AddAnAppNewListCreateButtonClick, LaunchPowerApp		object
['o365:management:activity']		AddedToGroup	src_user_type	object_id
['o365:management:activity']		AnonymousLinkCreated, AnonymousLinkUpdated, CommentsDisabled, FileDeletedFirstStageRecycleBin, FileRecycled, FileTranscriptRequested, FolderDeletedFirstStageRecycleBin, FolderRecycled, FolderRenamed, FolderRestored, ListDeleted, ListItemRecycled, ListItemRestored, ListRestored, SiteDesignInvoked, SiteLocksChanged	action, object_category
['o365:management:activity']		AppStoreStorefrontLaunchAppStorePage, AppStoreStorefrontShowAppDetailsPage, SharingInheritanceBroken		object, object_id
['o365:management:activity']		CommentCreated		object_attrs, object, change_type
['o365:management:activity']		CompanyLinkCreated, FileDeleted, FileModified, FileModifiedExtended, FileMoved, FolderCreated, FolderDeleted, FolderModified, SharingSet		change_type, object_attrs, object_id
['o365:management:activity']		DLPRuleMatch	object_category, category, dlp_type, severity, src_user, action	object_id
['o365:management:activity']		FileAccessed, FileAccessedExtended, FileCheckOutDiscarded, FileCheckedIn, FileCopied, FilePreviewed, FileRenamed, FileRestored, FileVersionsAllDeleted, PageViewed, PageViewedExtended, SecureLinkCreated, SharingRevoked		object_id
['o365:management:activity']		FileUploaded	object_size	change_type, object_attrs, object_id
['o365:management:activity']		FolderCopied, FolderMoved	action, object_category	object
['o365:management:activity']		HubSiteRegistered, HubSiteUnregistered, ListContentTypeDeleted, ListContentTypeUpdated, ListViewCreated, PermissionLevelRemoved, SecureLinkUpdated, SiteContentTypeCreated, SiteDeleted, SiteIBModeSet, SiteRenameScheduled	object_category, change_type, object_attrs, action
['o365:management:activity']		ListColumnCreated, ListColumnUpdated, ListCreated, ListUpdated		object_attrs, change_type
['o365:management:activity']		ListColumnDeleted, ListItemCreated	action, object_category, object_attrs
['o365:management:activity']		RemovedFromSecureLink, RemovedFromSiteCollection	object_category, change_type, object_attrs, src_user, action, src_user_type	user_type
['o365:management:activity']		SearchQueryPerformed	action, object_category	object_path, object
['o365:management:activity']	OneDrive	All	tenant_id, result, action, object_category
['o365:management:activity']		AddedToGroup, GroupAdded, PermissionLevelAdded, SiteCollectionCreated, SharingPolicyChanged, ShortcutAdded, SiteCollectionAdminRemoved, SiteCollectionAdminAdded, SiteCollectionQuotaModified	change_type
['o365:management:activity']		AddedToGroup, AnonymousLinkCreated, GroupAdded, PermissionLevelAdded, SiteCollectionCreated, ShortcutAdded, SiteCollectionAdminRemoved, SiteCollectionQuotaModified	object_attrs
['o365:management:activity']		AddedToGroup	src_user, src_user_type	user_type
['o365:management:activity']		AnonymousLinkCreated, PermissionLevelAdded, SiteCollectionCreated, ListColumnCreated, ListItemCreated, SharingPolicyChanged	object_path
['o365:management:activity']		DLPRuleMatch, DLPRuleUndo	dlp_type, category, severity, src_user, object_path
['o365:management:activity']		FileDownloaded, FileModified, FileModifiedExtended	object_size
['o365:management:activity']		GroupAdded, ListColumnCreated, ListItemCreated, ListCreated, ListViewed, SharingInheritanceBroken	object_id
['o365:management:activity']		PermissionLevelAdded, SiteCollectionCreated, SearchQueryPerformed, SharingPolicyChanged, SiteCollectionQuotaModified	object_id	object
['o365:management:activity']		SiteLocksChanged	object_id	object, object_attrs
['o365:management:activity']	Exchange	All	tenant_id, result, object_id
['o365:management:activity']		Add-RecipientPermission, New-MailContact, New-Mailbox, Remove-MailContact, Remove-RoleGroupMember, Set-AdminAuditLogConfig, Set-Mailbox, Set-User	object_category, src_user_type, object_attrs, change_type, action, src_user	user_type
['o365:management:activity']		AddFolderPermissions, ModifyFolderPermissions	object_category, object_attrs, dest, change_type, user_agent, dest_name, action, object, client_info_str
['o365:management:activity']		Create, Update	object_category, owner_id, parent_object, owner, object_path, dest, object, user_agent, object_size, action, owner_email, dest_name, app_id, parent_object_id, client_info_str
['o365:management:activity']		DlpRuleMatch	recipient_domain, file_name, subject, orig_src, recipient_count, src_user_domain, action, src_user, message_id, recipient, file_size, size
['o365:management:activity']		Enable-AddressListPaging, New-App, New-ManagementRoleAssignment, New-RoleGroup, Remove-Mailbox, Remove-RoleGroup, Remove-UnifiedGroup, Set-ConditionalAccessPolicy, Set-ExchangeAssistanceConfig, Set-OrganizationConfig, Set-RoleGroup, Set-TransportConfig	object_category, object_attrs, change_type, action
['o365:management:activity']		MailboxLogin	dest, user_agent, dest_name, action, object, client_info_str
['o365:management:activity']		Move, MoveToDeletedItems	object_category, owner_id, parent_object, owner, object_path, dest, object, user_agent, dest_name, action, owner_email, app_id, parent_object_id, client_info_str
['o365:management:activity']		SoftDelete	object_category, owner_id, parent_object, owner, dest, object, user_agent, dest_name, action, owner_email, app_id, parent_object_id, client_info_str
['o365:management:activity']	SecurityComplianceCenter	All	tenant_id, result	object
['o365:management:activity']		AlertEntityGenerated, AlertTriggered, AlertUpdated	signature_id, description, id, type, severity, body	object
['o365:management:activity']		AuthorizeDataInsightsSubscription, SearchAlert, SearchAlertAggregate, SearchConnectorReportData, SearchCustomTag, SearchCustomerInsight, SearchDataInsightsSubscription, SearchMailflowForwardingData, SearchMtpRoleInfo, SearchMtpStatus, SearchNonAcceptedDomainDetailData, SearchSecurityRedirection, SearchTrialOffer, ValidaterbacAccessCheck	dest_name, dest
['o365:management:activity']		Get-ComplianceTag, Get-DlpCompliancePolicy, Get-DlpComplianceRule, Get-DlpDetectionsReport, Get-DlpSiDetectionsReport, Get-Label, Get-PolicyConfig, Get-ProtectionAlert, Get-RetentionCompliancePolicy		object
['o365:management:activity']		Get-DlpSensitiveInformationType, New-ProtectionAlert, Remove-DlpCompliancePolicy, Remove-DlpComplianceRule	action, change_type, object_category, object_attrs
['o365:management:activity']		InsightGenerated	description, id, type, severity, body	object
['o365:management:activity']		New-DlpCompliancePolicy, New-DlpComplianceRule, Set-DlpCompliancePolicy, Set-DlpComplianceRule	action, change_type, object_category, object_attrs, object_id
['o365:management:activity']	MicrosoftTeams	AppInstalled, BotAddedToTeam, ChannelAdded, ChannelDeleted, ConnectorAdded, MemberAdded, MessageCreatedHasLink, MessageDeleted, OpenShiftAdded, OpenShiftDeleted, RequestAdded, RequestRespondedTo, ScheduleGroupAdded, ScheduleGroupEdited, ScheduleSettingChanged, ShiftAdded, TabAdded, TabUpdated, TeamCreated, TeamDeleted, TeamSettingChanged, TimeOffAdded, TimeOffDeleted, TimeOffEdited	result, tenant_id, change_type, object, dest, object_attrs, object_category, action, object_id, dest_name
['o365:management:activity']		CreatedApproval	tenant_id, change_type, object_attrs, object_category, action, object_id, result
['o365:management:activity']		TeamsSessionStarted	action, tenant_id, result	object, authentication_service
['o365:management:activity']	MicrosoftForms	AllowAnonymousResponse, AllowShareFormForCopy, CreateForm, CreateResponse, DeleteAllResponses, DeleteResponse, DeleteSummaryLink, DisableSpecificResponse, DisallowAnonymousResponse, EditForm, EnableSpecificResponse, EnableWorkOrSchoolCollaboration, GetSummaryLink, UpdateFormSetting, UpdateResponse, ViewForm, ViewResponses, ViewRuntimeForm	tenant_id, action, object_category, result, object_id
['o365:management:activity']		ListForms	tenant_id, action, dest_name, dest, result, object_category
['o365:management:activity']	SkypeForBusiness	Get-CsTeamsUpgradeOverridePolicy	change_type, result, dest_name, dest, object_id, object_category, tenant_id, object_attrs, action, object
['o365:management:activity']	Yammer	GroupCreation, MessageDeleted	result, object_id, owner_email, tenant_id, object_category, email, action

CIM model changes

See the following CIM model changes between 3.0.0 and 4.0.0:

WorkLoad	Operation	Previous CIM model	New CIM model
AzureActiveDirectory	Add application., Add group., Delete group., Update application – Certificates and secrets management , Update application., Update group.	Change.Account_Management	Change.All_Changes
	Verify domain.	Change.Account_Management
	Add EligibleRoleAssignement to RoleDefinition., Add contact., Add policy., Add role definition., Add unverified domain., Create company settings, Delete application., Delete contact., Delete role definition., Finish applying group based license to users., Hard Delete group., Remove unverified domain., Restore Group., Set directory feature on tenant., Set group license., Start applying group based license to users., Update company settings, Update policy., Update service principal.		Change.All_Changes
	Add eligible member to role., Disable account., Remove eligible member from role., Remove member from role., Remove owner from application., Remove owner from group., Restore user., Set user manager., Update StsRefreshTokenValidFrom Timestamp.		Change.Account_Management
SharePoint	AddedToGroup, GroupAdded, GroupRemoved, GroupUpdated, PermissionLevelAdded, SharingPolicyChanged, SiteCollectionAdminAdded, SiteCollectionAdminRemoved, SiteCollectionCreated, SiteCollectionQuotaModified, SiteRenamed	Change.Endpoint_Changes	Change.All_Changes
	CommentCreated, CompanyLinkCreated, FileDeleted, FileModified, FileModifiedExtended, FileMoved, FileUploaded, FolderCreated, FolderDeleted, FolderModified, ListColumnCreated, ListColumnUpdated, ListCreated, ListUpdated, SharingSet	Change.Endpoint_Changes
	DLPRuleMatch		DLP
	HubSiteRegistered, HubSiteUnregistered, ListContentTypeDeleted, ListContentTypeUpdated, ListViewCreated, PermissionLevelRemoved, SecureLinkUpdated, SiteContentTypeCreated, SiteDeleted, SiteIBModeSet, SiteRenameScheduled		Change.All_Changes
	RemovedFromSecureLink, RemovedFromSiteCollection		Change.Account_Management
OneDrive	AddedToGroup		Change.Account_Management
	DLPRuleMatch, DLPRuleUndo		DLP
	GroupAdded, PermissionLevelAdded, SharingPolicyChanged, ShortcutAdded, SiteCollectionAdminAdded, SiteCollectionAdminRemoved, SiteCollectionCreated, SiteCollectionQuotaModified		Change.All_Changes
Exchange	Add-RecipientPermission, New-MailContact, New-Mailbox, Remove-MailContact, Remove-RoleGroupMember, Set-AdminAuditLogConfig, Set-Mailbox, Set-User		Change.Account_Management
	AddFolderPermissions, Enable-AddressListPaging, ModifyFolderPermissions, New-App, New-ManagementRoleAssignment, New-RoleGroup, Remove-Mailbox, Remove-RoleGroup, Remove-UnifiedGroup, Set-ConditionalAccessPolicy, Set-ExchangeAssistanceConfig, Set-OrganizationConfig, Set-RoleGroup, Set-TransportConfig		Change.All_Changes
	DlpRuleMatch		Email.Filtering
	MailboxLogin		Authentication
SecurityComplianceCenter	AlertEntityGenerated, AlertTriggered, AlertUpdated, InsightGenerated		Alerts
	Get-DlpSensitiveInformationType, New-DlpCompliancePolicy, New-DlpComplianceRule, New-ProtectionAlert, Remove-DlpCompliancePolicy, Remove-DlpComplianceRule, Set-DlpCompliancePolicy, Set-DlpComplianceRule		Change.All_Changes
MicrosoftTeams	AppInstalled, BotAddedToTeam, ChannelAdded, ChannelDeleted, ConnectorAdded, CreatedApproval, MemberAdded, MessageCreatedHasLink, MessageDeleted, OpenShiftAdded, OpenShiftDeleted, RequestAdded, RequestRespondedTo, ScheduleGroupAdded, ScheduleGroupEdited, ScheduleSettingChanged, ShiftAdded, ShiftDeleted, TabAdded, TabUpdated, TeamCreated, TeamDeleted, TeamSettingChanged, TimeOffAdded, TimeOffDeleted, TimeOffEdited		Change.All_Changes
	TeamsSessionStarted		Authentication
SkypeForBusiness	Get-CsTeamsUpgradeOverridePolicy		Change.All_Changes

Fixed Issues

Version 4.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.

Known issues

Version 4.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.

Third-party software attributions

Version 4.0.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

• axios
• certifi
• chardet
• dateutil
• debug
• follow-redirects
• future
• idna
• is-buffer
• ms
• qs
• requests
• six.py
• sortedcontainers
• u-msgpack-python
• urllib3

Version 3.0.0

Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 was released on February 11, 2022.

About this release

Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions	8.0.x, 8.1.x, 8.2.x
CIM	4.20
Supported OS	Platform independent
Vendor products	Microsoft Office 365

Note

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

• Changed from using the Service Communications API (now deprecated by Microsoft) to using the new Microsoft Graph API for Service Health & Communication events. This new API changes the structure how data is ingested by the Splunk software. The following source types have had to be updated:

  • Retired source types:
    • o365:service:status
    • o365:service:message
  • New source types:
    • o365:service:healthIssue
    • o365:service:updateMessage

  To learn about the type of data these new source types represent coming through the Graph API, see the Overview for accessing service health and communications in Microsoft Graph topic in the Microsoft’s Graph API documentation.

  Note

  If upgrading to version 3.0.0 or later, disable ServiceHealth.Read.All in Office 365 Management APIs, and enable ServiceHealth.Read.All in Microsoft Graph.

• Enhanced the Add Input menu for ease of use. This menu includes the new Microsoft Graph API for Service Health & Communication events, and also reflects the various Graph API data categories we already support, in a more logical taxonomy.

• Added API request throttling when making too many requests to the Microsoft APIs.

Fixed Issues

Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.

Known issues

Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.

Third-party software attributions

Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

• axios
• certifi
• chardet
• dateutil
• debug
• follow-redirects
• future
• idna
• is-buffer
• ms
• qs
• requests
• six.py
• sortedcontainers
• u-msgpack-python
• urllib3

Version 2.2.0

Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 was released on October 13, 2021.

About this release

Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions	7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x, 8.1.x
CIM	4.20
Supported OS	Platform independent
Vendor products	Microsoft Office 365

Note

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

• Common Information Model (CIM) version 4.20 compatibility and enhanced CIM mapping.
• Enhanced CIM mapping for the following sourcetypes:
  • o365:management:activity
  • o365:service:status
  • o365:service:message
  • o365:cas:api
  • o365:graph:api
• Added support for the Alerts CIM data model for the following sourcetypes:
  • o365:service:status
  • o365:service:message
  • o365:cas:api
• Updates to the lookup splunk_ta_o365_cim_change_analysis.csv
• Updates to the lookup splunk_ta_o365_cim_data_access.csv

Note

Self-service app install (SSAI) upgrades do not automatically update the lookups with the latest values. To fix this, upgrade the add-on, then manually update the lookup files using the lookup files from the latest version of this add-on.

Field changes

The following sections contain information on fields and data models that have been added, modified, or removed in this release.

Fields added and removed

The following tables display the fields that have been added and removed in this release, listed by sourcetype.

Sourcetype	Operation	Fields added	Fields removed
o365:management:activity	AccessRequestCreated, GroupRemoved, GroupUpdated, SiteCollectionCreated, AccessRequestRejected, SharingSet, RemovedFromGroup, AccessRequestApproved, AddedToGroup, GroupAdded, SharingRevoked	status, authentication_service, dest_name, result, object_attrs
o365:management:activity	Add application.	env_name, env_seqNum, authentication_service, targetName, correlationId, env_appVer, dataset_name, targetObjectId, ResultStatusDetail, user_agent, tag, modified_properties_new_value, auditEventCategory, env_popSample, env_time, env_cloud_name, modified_properties_name, action, actorUPN, nCloud, env_iKey, env_flags, , env_cv, actorPUID, FlowTokenScenario, authentication_method, targetContextId, env_cloud_deploymentUnit, UserAuthenticationMethod, change_type, actorObjectClass, object_category, version, KeepMeSignedIn, actorAppID, targetSPN, eventtype, actorObjectId, additionalTargets, dest_name, env_epoch, env_cloud_roleVer, UserAgent, extended_properties, user_agent_change, env_cloud_ver	object_path, reason, modified_properties_mv
o365:management:activity	Add device.	authentication_service, correlationId, dataset_name, tag, modified_properties_new_value, env_cloud_name, modified_properties_name, action, actorContextId, object_attrs, , actorPUID, change_type, object_category, env_ver, actorAppID, targetSPN, eventtype, dest_name, extended_properties, modified_properties	object_id, object_path
o365:management:activity	Add group.	auditEventCategory, modified_properties, targetContextId, modified_properties_name, authentication_service, additionalDetails, env_ver, env_cv, dest_name, env_cloud_roleVer, object_attrs, extended_properties, targetIncludedUpdatedProperties, user_agent, modified_properties_new_value, user_agent_change	object_id, object_path
o365:management:activity	Add member to group.	actorAppID, env_time, env_cloud_name, modified_properties_name, authentication_service, targetSPN, src_user, dest_name, actorUPN, object_attrs, extended_properties, teamName, env_cv, modified_properties_new_value, modified_properties	object_id, object_path
o365:management:activity	Add member to role.	modified_properties, targetContextId, modified_properties_name, authentication_service, env_cloud_deploymentUnit, additionalDetails, targetName, correlationId, dest_name, nCloud, object_attrs, extended_properties, user_agent, modified_properties_new_value, env_appId, user_agent_change	object_id, object_path
o365:management:activity	Add owner to application.	modified_properties, modified_properties_name, authentication_service, env_cloud_deploymentUnit, targetSPN, env_epoch, dest_name, env_cloud_roleVer, object_attrs, extended_properties, version, env_cloud_environment, user_agent, modified_properties_new_value, user_agent_change	object_id, object_path
o365:management:activity	Add owner to service principal.	authentication_service, dest_name, object_attrs, extended_properties, user_agent, user_agent_change	object_id, object_path
o365:management:activity	Add service principal.	env_name, env_seqNum, authentication_service, targetName, targetObjectId, ResultStatusDetail, targetIncludedUpdatedProperties, env_cloud_environment, user_agent, modified_properties_new_value, auditEventCategory, env_osVer, env_popSample, env_cloud_name, modified_properties_name, src_user, RequestType, actorUPN, nCloud, env_iKey, env_cv, actorPUID, env_appId, FlowTokenScenario, resultDescription, authentication_method, env_cloud_deploymentUnit, env_os, UserAuthenticationMethod, actorObjectClass, version, KeepMeSignedIn, env_ver, actorAppID, actorObjectId, env_epoch, dest_name, env_cloud_roleVer, result, env_cloud_roleInstance, extended_properties, teamName, user_agent_change, actorContextId	object_path, modified_properties_mv
o365:management:activity	Add user.	env_seqNum, modified_properties_name, authentication_service, src_name, targetName, dest_name, env_cloud_roleVer, env_appVer, actorContextId, env_cloud_role, object_attrs, extended_properties, teamName, modified_properties_new_value, modified_properties	object_id, object_path
o365:management:activity	FolderDeleted, SiteCollectionQuotaModified, SecureLinkCreated, CommentCreated, ListColumnCreated, ListViewUpdated, PermissionLevelAdded, WebMembersCanShareModified, CommentDeleted, ListUpdated, WebRequestAccessModified, ListColumnUpdated, ListCreated, WebAccessRequestApproverModified, CompanyLinkCreated, FolderModified, AddedToSecureLink, FolderCreated	status, authentication_service, action, eventtype, dest_name, dataset_name, result, object_attrs, change_type, object_category, , tag
o365:management:activity	SharingInheritanceBroken, ClientViewSignaled, ListViewed, PageViewed, PagePrefetched, PageViewedExtended	status, authentication_service, action, eventtype, dest_name, dataset_name, result, object_category, , tag
o365:management:activity	Delete user.	actorAppID, env_osVer, modified_properties_name, authentication_service, extendedAuditEventCategory, actorObjectId, dest_name, env_cloud_roleVer, object_attrs, env_flags, env_cloud_environment, extended_properties, modified_properties_new_value, modified_properties	object_id, object_path
o365:management:activity	FileCheckedOut, FileCheckedIn, FileCheckOutDiscarded, FileCopied, FileAccessed, FileDownloaded	status, authentication_service, dest_name, result,	change_type
o365:management:activity	FilePreviewed, FileAccessedExtended	status, authentication_service, action, eventtype, dest_name, dataset_name, result, , object_category, , tag
o365:management:activity	FileMoved, FileModified, FileDeleted, FileRestored, FileRenamed, FileUploaded	status, authentication_service, dest_name, result, , object_attrs
o365:management:activity	FileVersionsAllDeleted, FileModifiedExtended	status, authentication_service, action, eventtype, dest_name, dataset_name, result, , object_attrs, change_type, object_category, , tag
o365:management:activity	SiteCollectionAdminRemoved, SharingPolicyChanged, SiteColumnCreated	status, authentication_service, action, eventtype, dest_name, dataset_name, result, object_attrs, change_type, object_category, , tag	src, src_ip
o365:management:activity	SiteCollectionAdminAdded	status, authentication_service, dest_name, result, object_attrs	src, src_ip
o365:management:activity	Update application.	env_name, env_seqNum, authentication_service, env_cloud_ver, targetName, correlationId, resultType, env_appVer, dataset_name, ResultStatusDetail, targetIncludedUpdatedProperties, env_cloud_environment, tag, user_agent, modified_properties_new_value, env_popSample, env_time, env_cloud_name, modified_properties_name, action, RequestType, env_cloud_role, env_iKey, env_flags, , env_cv, env_appId, FlowTokenScenario, authentication_method, targetContextId, env_cloud_deploymentUnit, env_os, src_name, UserAuthenticationMethod, change_type, actorObjectClass, object_category, env_ver, actorAppID, targetSPN, eventtype, additionalTargets, dest_name, env_epoch, env_cloud_roleVer, result, env_cloud_roleInstance, extended_properties, user_agent_change, actorContextId	object_id, object_path, modified_properties_mv
o365:management:activity	Update device.	authentication_service, targetName, dataset_name, tag, modified_properties_new_value, auditEventCategory, modified_properties_name, action, env_iKey, , env_cv, actorPUID, env_cloud_deploymentUnit, change_type, object_category, eventtype, actorObjectId, dest_name, extended_properties, env_cloud_ver	object_id, object_path, modified_properties_mv
o365:management:activity	Update group.	modified_properties_name, authentication_service, env_cloud_ver, env_epoch, correlationId, dest_name, actorContextId, actorUPN, env_cloud_roleInstance, object_attrs, extended_properties, version, modified_properties_new_value, modified_properties	object_id, object_path
o365:management:activity	Update user.	env_name, env_seqNum, authentication_service, targetName, correlationId, targetObjectId, targetIncludedUpdatedProperties, env_cloud_environment, user_agent, modified_properties_new_value, modified_properties, env_popSample, env_time, modified_properties_name, env_cloud_role, actorUPN, object_attrs, nCloud, env_flags, env_iKey, env_cv, actorPUID, env_appId, FlowTokenScenario, resultDescription, authentication_method, env_cloud_deploymentUnit, env_os, src_name, UserAuthenticationMethod, actorObjectClass, KeepMeSignedIn, additionalDetails, env_ver, actorAppID, targetSPN, actorObjectId, additionalTargets, dest_name, env_cloud_roleVer, env_cloud_roleInstance, UserAgent, extended_properties, teamName, extendedAuditEventCategory, actorContextId	object_path, reason
o365:management:activity	UserLoggedIn	FlowTokenScenario, actorAppID, authentication_method, targetContextId, env_seqNum, targetSPN, authentication_service, RequestType, dest_name, correlationId, ResultStatusDetail, actorUPN, UserAuthenticationMethod, , extended_properties, teamName, env_ver	object_id, modified_properties, object_path, object_attrs, reason, modified_properties_mv
o365:management:activity	UserLoginFailed	env_name, authentication_service, env_cloud_environment, env_osVer, env_popSample, nCloud, env_cv, env_appId, FlowTokenScenario, env_os, actorObjectClass, , KeepMeSignedIn, actorAppID, additionalTargets, dest_name, result, extended_properties, extendedAuditEventCategory	object_id, IsCompliantAndManaged, SessionId, object_path, BrowserType

Sourcetype	Status	Fields added	Fields removed
o365:service:status	ServiceOperational, ServiceRestored, ServiceDegradation	, signature, eventtype, type, dest, severity, app, id, tag, description

Sourcetype	ImpactDescription	Fields added	Fields removed
o365:service:message	Users may be unable to view shared calendars within the Outlook client or Outlook on the web services., Admins were unable to access the Microsoft Secure Score webpage via the Microsoft 365 security center., Admins may see Microsoft 365 app usage and productivity score reports data delayed after June 30, 2021., Admins may have experienced delayed data in Productivity score reports from the Microsoft 365 admin center., Users may be unable to use the multi-language spellcheck feature of the Microsoft Teams desktop client., Users may have intermittently been unable to connect to the OneDrive for Business service., null, Admins see some users’ Outlook Desktop activity isn’t showing up in usage reports., Users are unable to create Skype account., Admins may experience a delay in receiving messages., Users may have been unable to use the search function in SharePoint Online., Users may have been unable to sign in to Outlook., Users may have been unable to sign in to Skype., Users are unable to create Outlook account., Admins may have been unable to install O365., Users saw an error and were unable to access the “Shared by you” tab in OneDrive for Business., Admins may have seen a delay in updated data for Skype for Business usage reports within the Microsoft 365 admin center., Admins are unable to exclude errors., Users were seeing errors when downloading records with 10,000 or more entries from the Security and Compliance Center.	, signature, body, eventtype, type, dest, severity, app, id, tag, description

Sourcetype	isSystemAlert	Fields added	Fields removed
o365:cas:api	true	app, signature, src, eventtype, type, dest, severity, severity_id, , user, tag

Sourcetype	policyType	Fields added	Fields removed
o365:cas:api	NEW_SERVICE	app, signature, src, eventtype, type, severity, severity_id, , tag

Sourcetype	Fields added	Fields removed
o365:graph:api	eventtype

Fields modified

The following tables display the fields that have been modified in this release, listed by sourcetype.

Sourcetype	CIM Field	Operation	Vendor Field Before	Vendor field after	Sample value before	Sample value after
o365:management:activity	user	Add member to role., Add member to group.	UserId	ObjectId	abcd@27cf00f56f558d8859778b97.example.com	abcdefghi@d10b5fea7bd2276be1bba7cd.qwertyu.com
o365:management:activity	user_id	UserLoggedIn, UserLoginFailed	UserId	Actor{}.ID where Actor{}.Type=3	abcd@27cf00f56f558d8859778b97.example.com	10037FFE8EC1E08E
o365:management:activity	reason	where ResultStatus indicates “failure”, such as UserLoginFailed	LogonError	resultDescription OR ResultStatusDetail	InvalidUserNameOrPassword	UserError
o365:management:activity	status	All where ResultStatus IN (failed, failure, success, succeeded)	ResultStatus	ResultStatus	failure, failed, success, succeeded	failure, success
o365:management:activity	dvc	where Workload=SharePoint	Workload	ObjectId	SharePoint	a830edad9050849nda3079.sharepoint.com
o365:management:activity	modified_properties	Add application.,Add service principal.,Update application., Update device.	ModifiedProperties{} from the event	ModifiedProperties{} from the event	AppId, AppIdentifierUri, AvailableToOtherTenants, DisplayName, Entitlement, PublicClient, WwwHomepage	{“Name”:”AppId”,”NewValue”:”[\r\n “1ac58b10-9fc3-4436-a49d-1edf7c485b9a”\r\n]“,”OldValue”:”[]“},{“Name”:”AppIdentifierUri”,”NewValue”:”[\r\n “http://customappsso/cec784fd-e8d3-479e-8a6a-176a21cd73ea”\r\n]“,”OldValue”:”[]“},{“Name”:”AvailableToOtherTenants”,”NewValue”:”[\r\n false\r\n]“,”OldValue”:”[]“},{“Name”:”DisplayName”,”NewValue”:”[\r\n “Fraedom Flexipurchase”\r\n]“,”OldValue”:”[]“},{“Name”:”Entitlement”,”NewValue”:”[\r\n {\r\n “EntitlementEncodingVersion”: 2,\r\n “EntitlementId”: “f98592a2-00f5-4e30-a973-be093e529651”,\r\n “IsDisabled”: false,\r\n “Origin”: 0,\r\n “Name”: “Access Fraedom Flexipurchase”,\r\n “Description”: “Allow the application to access Fraedom Flexipurchase on behalf of the signed-in user.”,\r\n “Definition”: null,\r\n “ClaimValue”: “user_impersonation”,\r\n “ResourceScopeType”: 1,\r\n “IsPrivate”: false,\r\n “UserConsentDisplayName”: “Access Fraedom Flexipurchase”,\r\n “UserConsentDescription”: “Allow the application to access Fraedom Flexipurchase on your behalf.”,\r\n “DirectAccessGrantTypes”: [],\r\n “ImpersonationAccessGrantTypes”: [\r\n {\r\n “Impersonator”: 29,\r\n “Impersonated”: 20\r\n }\r\n ],\r\n “EntitlementCategory”: 0\r\n }\r\n]“,”OldValue”:”[]“},{“Name”:”PublicClient”,”NewValue”:”[\r\n false\r\n]“,”OldValue”:”[]“},{“Name”:”WwwHomepage”,”NewValue”:”[\r\n “https://abc.ewa.com:111/qwerty/abc.html?iefnqev=efqev
o365:management:activity	object_category	Add service principal.	Static value: user	Static value: ServicePrincipal
o365:management:activity	object_category	Update group.	Static value: user, group	Static value: group
o365:management:activity	object_category	SiteCollectionCreated	Static value: user	Static value: site
o365:management:activity	change_type	AccessRequestApproved, AccessRequestRejected, SharingSet	Static Value: user	Static Value: AAA
o365:management:activity	change_type	SiteCollectionCreated	Static Value: user	Static Value: collection
o365:management:activity	dest	Add application., Add user., Update user., Delete user., Add group., Add device., Update device, Update application., Add owner to application., Add service principal., Add member to group., Add member to role, etc. where env_cloud_name present inside ExtendedProperties{} in the event	ObjectId	env_cloud_name OR ObjectId	abcdef@705e62b9e1c0c47a2c4e0709.example.com	MSO-BY1
o365:management:activity	dest	UserLoggedIn, UserLoginFailed	ObjectId	Static value: Microsoft Office 365 AzureActiveDirectory	797f4846-ba00-4fd7-ba43-dac1f8f63013	Microsoft Office 365 AzureActiveDirectory
o365:management:activity	dest	If env_cloud_name is not present in the event, then ObjectId will be dest	ObjectId	ObjectId
o365:management:activity	action	AccessRequestRejected	Static Value: unknown	Static Value: deleted
o365:management:activity	action	FileCheckOutDiscarded	Static Value: modified	Static Value: read
o365:management:activity	action	FileCheckedIn	Static Value: created	Static Value: read
o365:management:activity	action	FileCopied	Static value: read	Static value: copied
o365:management:activity	action	FileDownloaded	Static value: read	Static value: downloaded
o365:management:activity	action	Add group.,SharingSet	Static Value: modified	Static Value: created
o365:management:activity	object_attrs	Add user., Update user., Add group., Add device., Add application., etc.	ModifiedProperties{} from the event, a list of attributes that were modified	ModifiedProperties{} from the event, but it will be key=value pair of relevant and necessary attributes	StsRefreshTokensValidFrom, UserType, AccountEnabled, UserPrincipalName	UserPrincipalName=abcdef@705e62b9e1c0c47a2c4e0709.example.com, AccountEnabled=true, UserType=Member
o365:management:activity	object_attrs	Update group., Update application.	ModifiedProperties{} from the event, a list of attributes that were modified	object_category	LastDirSyncTime	group, application
o365:management:activity	object	Add group., Update group., Add device., Update device. Add application., Update application., Add service principal.	ObjectId	targetName	Not Available	APP_User_Adobe_Sign, EBIZ_SAP_PP_USR, iPad-ABCD1234, Fraedom Flexipurchase
o365:management:activity	object_id	where Workload=AzureActiveDirectory	ObjectId	targetObjectId from ExtendedProperties{} in the evnet	abcdef@705e62b9e1c0c47a2c4e0709.example.com	93a565f6-d0fc-4ac3-9d2a-8c1de9aeed3c

Sourcetype	CIM Field	isSystemAlert=true	Vendor Field Before	Vendor field after	Sample value before	Sample value after
o365:cas:api	description	where description=”” OR isnull(description)	description	title	empty	System alert: Deprecation of Label Management in the Azure Portal, System alert: Service health status page deprecation

Modified data models

The following table displays the CIM data models that have been modified in this release, listed by sourcetype.

Sourcetype	Operation	Previous CIM model	New CIM model
o365:management:activity	FileAccessed, FileCheckedOut, FileCheckOutDiscarded, FileCopied, FileCheckedIn, FileDownloaded	Change:Endpoint_Changes	Data Access

Fixed Issues

Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.

Known issues

Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.

Third-party software attributions

Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

• axios
• certifi
• chardet
• dateutil
• debug
• follow-redirects
• future
• idna
• is-buffer
• ms
• qs
• requests
• six.py
• sortedcontainers
• u-msgpack-python
• urllib3

Version 2.1.0

Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 was released on June 25, 2021.

About this release

Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions	7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM	4.18
Supported OS	Platform independent
Vendor products	Microsoft Office 365

Note

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

Two new sourcetypes:

• Cloud Application Security - o365:cas:api - All service policies, alerts and entities visible through the Microsoft cloud application security portal.
• Graph API - o365:graph:api - Audit events and reports visible through the microsoft graph api endpoints. This includes all log events and reports visible through the Microsoft Graph API.

Fixed Issues

Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.

Known issues

Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.

Third-party software attributions

Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

• axios
• certifi
• chardet
• dateutil
• debug
• follow-redirects
• future
• idna
• is-buffer
• ms
• qs
• requests
• six.py
• sortedcontainers
• u-msgpack-python
• urllib3

Version 2.0.3

Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 was released on January 15, 2021.

About this release

Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions	7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM	4.16
Supported OS	Platform independent
Vendor products	Microsoft Office 365

Note

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 has the following new features.

• Security bug fixes.

Fixed Issues

Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.

Known issues

Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.

Third-party software attributions

Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

• axios
• certifi
• chardet
• dateutil
• debug
• follow-redirects
• future
• idna
• is-buffer
• ms
• qs
• requests
• six.py
• sortedcontainers
• u-msgpack-python
• urllib3

Version 2.0.2

Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 was released on May 1, 2020.

About this release

Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions	7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM	4.16
Supported OS	Platform independent
Vendor products	Microsoft Office 365

Note

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 has the following new features.

• Improved Support for the Authentication CIM Model.

Fixed Issues

Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 contains the following fixed issues.

Known issues

Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.

Third-party software attributions

Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

• axios
• certifi
• chardet
• dateutil
• debug
• follow-redirects
• future
• idna
• is-buffer
• ms
• qs
• requests
• six.py
• sortedcontainers
• u-msgpack-python
• urllib3

Version 2.0.1

Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 was released on March 14, 2020.

About this release

Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions	7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM	4.12
Supported OS	Platform independent
Vendor products	Microsoft Office 365

New features

Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 has the following new features.

• Default Python3 support.

Fixed Issues

Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 contains the following fixed issues.

Known issues

Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.

Third-party software attributions

Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

• axios
• certifi
• chardet
• dateutil
• debug
• follow-redirects
• future
• idna
• is-buffer
• ms
• qs
• requests
• six.py
• sortedcontainers
• u-msgpack-python
• urllib3

Version 2.0.0

Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 was released on October 21, 2019.

About this release

Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions	7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM	4.12
Supported OS	Platform independent
Vendor products	Microsoft Office 365

New features

Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

• Python 3 support.
• Enhanced role and capability functionality. Regular users now need additional permissions to use the UI to see input configurations and tenant associations.
• FIPS compliance encryption changes.

Fixed Issues

Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following fixed issues.

Known issues

Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.

Third-party software attributions

Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

• axios
• certifi
• chardet
• dateutil
• debug
• follow-redirects
• future
• idna
• is-buffer
• ms
• qs
• requests
• six.py
• sortedcontainers
• u-msgpack-python
• urllib3

Version 1.1.0

Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 was released on May 23, 2019.

About this release

Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions	6.6.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x
CIM	4.12
Supported OS	Platform independent
Vendor products	Microsoft Office 365

New features

Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

• Configurable Token Refresh Window for the Management Activity inputs to support uninterrupted data ingestion.

Fixed Issues

Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following fixed issues.

Known issues

Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.

Third-party software attributions

Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

• axios
• certifi
• dateutil
• debug
• follow-redirects
• idna
• is-buffer
• ms
• qs
• requests
• six.py
• sortedcontainers
• u-msgpack-python
• urllib3

Version 1.0.0

Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions	6.6.X, 7.0.X, 7.1.X
CIM	Not supported
Supported OS	Platform independent
Vendor products	Microsoft Office 365

Migration

If you are currently using the Splunk Add-on for Microsoft Cloud Services to ingest Office 365 Management API data and are migrating to the Splunk Add-on for Office 365, disable the Office 365 modular input in the Splunk Add-on for Microsoft Cloud Services.

There are three new source types in the Splunk Add-on for Microsoft Office 365 which replace the single ms:o365:management source type in the Splunk Add-on for Microsoft Cloud Services. If you are migrating from the Splunk Add-on for Microsoft Cloud Services to the Splunk Add-on for Microsoft Office 365, you will need to update your existing dashboards, panels, and SPL with the new source types. See Source types for the Splunk Add-on for Microsoft Office 365.

New features

Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

• Simple authentication with the Office 365 Management API applications.
• Simple process for changing the registered application key.
• Three new source types, o365:management:activity, o365:service:status, and o365:service:message.

Known issues

Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.

Third-party software attributions

Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

• axios
• certifi
• dateutil
• debug
• follow-redirects
• idna
• is-buffer
• ms
• qs
• requests
• six.py
• sortedcontainers
• u-msgpack-python
• urllib3

See Release notes for the Splunk Add-on for Microsoft Office 365 for the release notes of this latest version.

Hardware and software requirements for the Splunk Add-on for Microsoft Office 365

Splunk admin requirements

To install and configure the Splunk Add-on for Microsoft Office 365, you must be a member of the admin role.

Network configuration requirements

The Splunk Add-on for Microsoft Office 365 makes REST API calls via HTTPS on port 443.

Secure socket layer (SSL) certification configuration requirements

By default, SSL verification is enabled. To configure secure socket layer (SSL) certifications according to the needs of your deployment, perform the following steps:

1. Add SSL certificates to the file cacert.pem to the following paths: - $SPLUNK_HOME/etc/apps/splunk_ta_o365/lib/certifi/cacert.pem, or $SPLUNK_HOME/etc/apps/splunk_ta_o365/bin/3rdparty/certify/. - $SPLUNK_HOME/lib/python3.7/site-packages/certifi/cacert.pem
2. Open the cacert.pem file with a text editor.
3. Add the SSL certificates for your deployment.
4. Use the internal certificate for your client machine. If you use a proxy connection, use the same internal certificate as the one on your client machine. The connection will be inspected by your proxy, and the certificate must match your root certificate when making the connection to your server.
5. Save your changes.

Microsoft Office 365 requirements

You must have administrator access to the Office 365 Admin Console to configure an application in Azure Active Directory and grant the necessary permissions to send data to the Splunk platform using the Office 365 Management Activity API and Office 365 Service Communication API.

Note

Accessing the optional DLP policy events requires an additional Microsoft Azure Active Directory subscription. Refer to the Microsoft Azure Active Directory documentation for more information.

Azure Government Cloud limitations

Warning

The Splunk Add-on for Office 365 has not been tested with Azure Government Cloud. The functionality of the Splunk Add-on for Office 365 responsible for Azure Government Cloud data is not supported and is provided “as is”, and should be used at your own risk.

Splunk platform requirements

Because this add-on runs on the Splunk platform, all of the system requirements apply for the Splunk software that you use to run this add-on.

• For Splunk Enterprise system requirements, see System Requirements in the Splunk Enterprise Installation Manual.
• If you plan to run this add-on entirely in Splunk Cloud, there are no additional Splunk platform requirements.
• If you are managing on-premises forwarders to get data into Splunk Cloud, see System Requirements in the Splunk Enterprise Installation Manual, which includes information about forwarders.

Installation and configuration overview for the Splunk Add-on for Microsoft Office 365

Complete the following steps to install and configure this add-on.

1. Install the Splunk Add-on for Microsoft Office 365.
2. Configure an integration application in Microsoft Entra ID (Azure AD) for the Splunk Add-on for Microsoft Office 365.
3. Configure a Tenant in the Splunk Add-on for Microsoft Office 365.
4. To learn more about configuring respective inputs, See the Configuration topic in this manual.
5. (Optional) Configure the Optional Settings for the Splunk Add-on for Microsoft Office 365.

Ended: Overview

Installation

Install the Splunk Add-on for Microsoft Office 365

You can install the Splunk Add-on for Microsoft Office 365 with Splunk Web or from the command line. You can install the add-on onto any type of Splunk Enterprise or Splunk Cloud instance (indexer, search head, or forwarder).

1. Download the Splunk Add-on for Microsoft Office 365 from Splunkbase.
2. Determine where and how to install this add-on in your deployment.
3. Perform any prerequisite steps before installing.
4. Complete your installation.

If you need step-by-step instructions on how to install an add-on in your specific deployment environment, see the installation walkthrough section at the bottom of this page for links to installation instructions specific to a single-instance deployment, distributed deployment, or Splunk Cloud.

Distributed installation of this add-on

Use the tables below to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise or any deployment for which you are using forwarders to get your data in. Depending on your environment, your preferences, and the requirements of the add-on, you may need to install the add-on in multiple places.

Splunk instance type	Supported	Required	Comments
Search Heads	Yes	Yes	Install this add-on to all search heads where Microsoft Office 365 knowledge management is required. Select one node, either a search head or a heavy forwarder, to serve as the configuration server for this add-on, and disable visibility of the add-on in all other locations.
Indexers	No	No	Not required, This TA only supports mod input-based data collection which uses a heavy forwarder.
Heavy Forwarders	Yes	No	If installed on heavy forwarders, does not need to be installed on indexers. Select one node, either a search head or a heavy forwarder, to serve as the configuration server for this add-on, and disable visibility of the add-on in all other locations.
Universal Forwarders	No	No	Universal forwarders are not supported for data collection, because the modular inputs require Python and the Splunk REST handler.

Distributed deployment compatibility

This table provides a quick reference for the compatibility of this add-on with Splunk distributed deployment features.

Distributed deployment feature	Supported	Comments
Search Head Clusters	Yes	Disable add-on visibility on search heads.
Indexer Clusters	Yes
Deployment Server	Yes	Supported for deploying the unconfigured add-on only. Configure this add-on using the add-on’s configuration UI from one node only.

Installation walkthrough

See Installing add-ons in Splunk Add-Ons for detailed instructions describing how to install a Splunk add-on in the following deployment scenarios:

• Single-instance Splunk Enterprise
• Distributed Splunk Enterprise
• Splunk Cloud

Upgrade the Splunk Add-on for Microsoft Office 365

Caution

Version 4.4.0 is not backward compatible, and downgrading from version 4.3.0 will result in complete data duplication due to major checkpoint changes.

Note

After Upgrading to version 4.4.0, inputs created with the same name but different content-types, or any input with a name that begins with “_“, cannot be edited.

Note

After upgrading the Splunk Add-on for Microsoft Office 365 from 4.0.0 and higher to version 4.2.0 or higher, your Splunk platform deployment might receive duplicate events for a maximum of 7 days, due to a change in checkpoint logic. Duplicate events will stop ingesting after 7 days.
Restarting the Splunk platform or disabling the input can cause duplication of management activity events that TA would be collecting at that time.

If the Splunk Add-on for Microsoft Office 365 was previously installed and configured, there are several prerequisite steps that must be completed before upgrading to versions 4.2.0 and higher. If you have not yet upgraded to version 2.0.0 or later, perform the steps in the Upgrade to version 2.0.0 and Upgrade to version 4.1.0 section of this topic. Follow the following migration steps if you are facing high memory usage.

1. Disable all Management Activity Inputs.

2. Download the latest version of Splunk Add-on for Microsoft Office 365 from Splunkbase.

3. Install the add-on across your Splunk platform deployment.

4. Enable one Management Activity input at a time.

   • Confirm Checkpoint migration for each input with the following information.
   • Check for the Checkpoint Migration Completed Successfully message in the UI.
   • Check for the Completed KVStore Migration for Input: <input_name> message log in the internal logs. Completed KVStore Migration for Input: <input_name>

5. Repeat the above steps until each management activity input has been migrated successfully.

The following table displays the performance statistics of Splunk platform deployments when performing the upgrade steps for management activity inputs.

Splunk Platform Version/Type	Memory	OS	Number of Inputs	Checkpoint Size Main Input (GB)	Checkpoint Size Other Input (individual) (GB)	Theoretical Memory Utilization (%)	Migration Time	CPU Utilization(AVG)	Memory Utilization(AVG)	KVStore Health Check	Migration Status	Additional Comments
8.x(Enterprise)	VCPU 2 / 8 GB	Linux	1	1.1		25					Failed	At the time of migration, Memory Error when reading the checkpoint file.
9.x(Enterprise/Heavy Forwarder)	VCPU 2 / 8 GB	Linux	2	0.5	0.7	65	Input 1 : 24m 20s Input 1 : 32m 14s	~45%	~60%	Normal	Success	The migration process for both inputs ran in parallel.
9.x(Enterprise)	VCPU 4 / 16 GB	Linux	2	1.2	1.2	50	Input 1: 53m 08s Input 2: 51m 28s	~50%	~50%	Normal	Success	The migration process for both inputs ran sequentially.
9.x(Enterprise/Heavy Forwarder)	VCPU 8 / 32 GB	Linux	3	1.3	1.3	30	Input 1: 01h 05m 56s Input 2: 01h 02m 51s Input 3: 01h 05m 43s	~45%	~60%	Normal	Success	Started checkpoint migration for 2 input parallel and it was successful.
8.x(Victoria)	VCPU 8 / 32 GB	Linux	5	10	3	80	Input 1: ~ 01h Input 2: ~ 01h Input 3: ~ 01h Input 4: ~ 45m Input 5: ~ 45m			Normal	Success	Started with 2 main inputs, then 3 inputs, and then the migration was complete.

Upgrade to version 4.1.0

Note

After upgrading the Splunk Add-on for Microsoft Office 365 to version 4.1.0, due to a change in checkpoint logic, your Splunk platform deployment might receive duplicate events for a maximum of 7 days. Duplicate events will stop ingesting after 7 days. You may observe a rise in the usage of your deployment’s memory/CPU resources.

If the Splunk Add-on for Microsoft Office 365 was previously installed and configured, there are several prerequisite steps that must be completed before upgrading to versions 4.1.0 and above. If you have not yet upgraded to version 2.0.0 or later, perform the steps in the Upgrade to version 2.0.0 section of this topic.

1. Disable all inputs.
2. Download the latest version of Splunk Add-on for Microsoft Office 365 from Splunkbase.
3. Install the add-on across your deployment.
4. For existing tenants configured with Cloud App Security Token, a warning sign will appear with a message to re-enter the tenant’s Cloud App Security Token. To mitigate the warning, edit that tenant and re-enter your Cloud App Security Token. On submitting a new Cloud App Security Token, if you are not allowed to proceed due to any validation errors, delete your tenant by clicking the “Delete” button and reconfigure the new tenant.
5. Enable all the configured inputs to resume the data collection.

Upgrade to version 2.0.0

If the Splunk Add-on for Microsoft Office 365 was previously installed and configured, there are several prerequisite steps that must be completed before upgrading to versions 2.0.0 and later.

1. Disable all inputs.
2. Download the latest version of Splunk Add-on for Microsoft Office 365 from Splunkbase.
3. Install the add-on across your deployment.
4. Re-enter the tenant’s client secrets and proxy passwords. If an alert appears that says Re-enter client secret before the Edit button, update all applicable tenants in your environment. If you submit a new secret, and you are not allowed to proceed without also entering a Cloud Application Security Token. delete your tenant from your splunk_ta_o365_tenants.conf file, create a new one.
5. Enable all the configured inputs to resume the data collection.

For Python 3 guidance on upgrading your Splunk Enterprise deployment to version 8.0.0 and above, see the Choose your Splunk Enterprise upgrade path for the Python 3 migration topic in the Splunk Enterprise manual.

Ended: Installation

Configuration

Configure an integration application in Microsoft Entra ID (Azure AD) for the Splunk Add-on for Microsoft Office 365

In order to gather data from the Office 365 Management Activity API and the Office 365 Service Communication API using this add-on, you must first create an integration application in Microsoft Entra ID. This application securely authenticates the Splunk Add-on for Microsoft Office via the OAuth2 protocol, so that it can access and gather the data according to the services and permission levels that you specify.

In order to create an integration application, you need the following prerequisites:

• A Microsoft Azure account with administrator permissions to delegate roles to the application user. Your Microsoft Azure subscription must be linked with your Office 365 subscription by using the same login id.
• A security token for the Microsoft Cloud Application Security Portal. See the Managing API tokens topic in the Microsoft documentation.

Create an Application in Microsoft Entra ID

1. Follow the instructions in the Create a Microsoft Entra ID application topic in the Microsoft documentation to create an integration application.

2. When creating your application, make a note of the following parameters. They will be needed to Configure a Tenant in the Splunk Add-on for Microsoft Office 365.

   • Directory ID (Tenant ID)
   • Application ID (Client ID)

3. Set the Application permissions in the API Permissions > Add a permission pane of the Azure Active Directory Office 365 Management API configuration. These permissions are required for the Splunk Add-on for Microsoft Office 365.

API/Permissions name	Description	API Technology Name
ServiceHealth.Read.All	Read service health information for your organization. If upgrading to version 3.0.0 or later, disable ServiceHealth.Read.All in Office 365 Management APIs, and enable ServiceHealth.Read.All in Microsoft Graph.**	Microsoft Graph
ServiceMessage.Read.All	Read service message information for your organization.	Microsoft Graph
ActivityFeed.Read	Read activity data for your organization	Microsoft Office 365 Management
AuditLog.Read.All	Read all audit log data	Microsoft Graph
Reports.Read.All	Read all usage reports	Microsoft Graph
ReportingWebService.Read.All	Read Message Trace data	Microsoft Reporting WebService
ActivityFeed.ReadDlp (Optional)	Read DLP policy events including detected sensitive data.	Microsoft Office 365 Management

Note

Accessing DLP policy events requires an additional Microsoft Azure Active Directory subscription. Refer to the Microsoft Azure Active Directory documentation for more information.

4. Click Save after you change permissions.

5. Click Grant admin consent for <tenant name>.

6. In Certificates & secrets, under Client secrets, create a new client secret.

7. In the Value column, make a note of the generated value. This is the Client Secret. If you lose this value, you have to generate a new one.

Configure a Tenant in the Splunk Add-on for Microsoft Office 365

You must configure at least one Tenant in the Splunk Add-on for Microsoft Office 365.

Prerequisite: Before you create a Tenant, complete the previous step in the configuration process:

• Configure an integration application in Microsoft Entra ID (Azure AD) for the Splunk Add-on for Microsoft Office 365
• Make sure that port 443 is open to allow the Splunk Add-on for Microsoft Office 365 to communicate with the Microsoft Azure servers.

Set up the add-on using Splunk Web

1. Go to the Splunk Web home screen.
2. Click on Splunk Add-on for Microsoft Office 365 in the left navigation banner.
3. Click on the Configuration tab.
4. Under the “Tenant” section, Click on “Add” and fill in the fields. Use the parameters you configured for the application in the Azure Active Directory, see Configure an integration application in Microsoft Entra ID (Azure AD) for the Splunk Add-on for Microsoft Office 365 where: - Tenant ID is the Directory ID from Microsoft Entra ID. - Client ID is the Application ID from the registered application within the Microsoft Entra ID. - Client Secret is the registered application key for the corresponding application. - (Optional) The following fields are only required for the Cloud Application Security input:
   • Cloud Application Security Token is the registered application key for the corresponding tenant.
   • Tenant Subdomain is the first component of the Cloud App Security Portal URL. For example, https://<tenant_subdomain>.<tenant_datacenter>.portal.cloudappsecurity.com.
   • Tenant Data Center is the second component of the Cloud App Security Portal URL. For example, https://<tenant_subdomain>.<tenant_datacenter>.portal.cloudappsecurity.com.
5. Click Add to add the Tenant to your local configuration.

Configure Management Activity inputs for the Splunk Add-on for Microsoft Office 365

Description: All audit events visible through the Office 365 Management Activity API.

Following content-types are supported for Management Activity input.

• Audit.AzureActiveDirectory: The audit logs for Microsoft Azure Active Directory
• Audit.Exchange: The audit logs for Microsoft Exchange
• Audit.SharePoint: The audit logs for Microsoft SharePoint
• Audit.General: The general audit logs for Microsoft Office 365
• DLP.All: All log information for DLP

Note

Version 4.3.0 and higher is expected to have around 1% of event duplication for the Management Activity input in the Splunk platform due to duplicate events from the Microsoft API.

Note

Versions 4.2.0 and higher of the Splunk Add-on for Microsoft Office 365 contain changes to the checkpoint mechanism for the Management Activity input. See the upgrade steps in this manual for more information.

Note

• If you want to collect audit logs for mailbox access from Exchange Online, you need to turn on mailbox audit logging in Office 365, which is not enabled by default.
• If you configure the Office365 input for the first time, the activity log (such as Audit.Exchange, Audit.Sharepoint and Audit.AzureActivityDirectory) will subscribe the data from Microsoft side. But it will take up to 12 hours for the first content blobs to become available for that subscription in Microsoft.
• The retention period for historical data is 7 days.

Prerequisites: Before you enable inputs, complete the previous steps in the configuration process:

• Configure an integration application in Microsoft Entra ID (Azure AD) for the Splunk Add-on for Microsoft Office 365
• Configure a Tenant in the Splunk Add-on for Microsoft Office 365

Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web (recommended) or using the configuration files.

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

1. In the Splunk Add-on for Microsoft Office 365, click Inputs > Create New Input > Management Activity.
2. Enter the Input Name, Tenant Name, Content Type, Start date/time and Index using information in the following input parameter table.
3. Click Add.
4. Verify that data is successfully arriving by running the following search on your search head:

Splunk Search

sourcetype=o365:management:activity

If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully.

Configure inputs in the configuration files

Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

1. Create $SPLUNK_HOME/etc/apps/Splunk_ta_o365/local/inputs.conf.
2. Add the following stanza.

[splunk_ta_o365_management_activity://<management_input_name>]
tenant_name = <value>
interval = <value>
index = <value>
content_type = <value>
start_date_time =  <value>

3. (Optional) Configure a custom index.
4. Restart your Splunk platform instance.
5. Verify that data is successfully arriving by running the following search on your search head:

Splunk Search

sourcetype=o365:management:activity

If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully.

Input Parameters

Each attribute in the following table corresponds to a field in Splunk Web.

Input Name	Corresponding field in Splunk Web	Description
management_input_name	Input Name	A unique name for your input.
tenant_name	Tenant Name	The Microsoft Office 365 account from which you want to gather data.
content_type	Content type	Supported content-type of the Management Activity API, from which data is to be fetched.
start_date_time	Start date/time	Select a Start date/time to specify how far back to go when initially collecting data. This parameter is optional. If no date/time is given, the input will start 4 hours in the past.
index	Index	The index in which the Microsoft Cloud Services data should be stored. The default is main.

Configure Graph Reporting inputs for the Splunk Add-on for Microsoft Office 365

Description:

Following reporting APIs data collection is supported.

• Office 365 - Audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.
  • Office365GroupsActivityDetail - List details about group activity details.
  • Office365ServicesUserCounts - List details about Microsoft 365 Services counts.
• One Drive - Audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.
  • OneDriveActivityUserCounts - List details about OneDrive user activity.
  • OneDriveUsageAccountDetail - List details about OneDrive usage by account.
  • OneDriveUsageStorage - List details regarding the amount of OneDrive storage.
• Share Point - Audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.
  • SharePointSiteUsageDetail - List details about SharePoint site usage.
  • SharePointSiteUsageFileCounts - List details about SharePoint file counts and activity.
• Teams - Audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.
  • TeamsUserActivityCounts - List details about the number of Teams active by activity.
  • TeamsUserActivityUserDetail - List details about Teams user activity.
• Yammer - Audit events and reports visible through the Microsoft Graph API endpoints. This includes all log events and reports visible through the Microsoft Graph API.
  • YammerGroupsActivityDetail - List details about Yammer Group activity.
  • YammerGroupsActivityGroupCounts - List details about Yammer group activity.

Note

Start Date and Delay Throttle parameters are supported for following content-types only

• Office365GroupsActivity Detail
• OneDriveUsageAccountDetail
• SharePointSiteUsageDetail
• TeamsUserActivityUserDetail
• YammerGroupsActivityDetail

Prerequisites: Before you enable inputs, complete the previous steps in the configuration process:

• Configure an integration application in Microsoft Entra ID (Azure AD) for the Splunk Add-on for Microsoft Office 365
• Configure a Tenant in the Splunk Add-on for Microsoft Office 365

Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web (recommended) or using the configuration files.

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

1. Following Graph reporting inputs can be configured from Create New Input option.
   • MailBox
   • Office365
   • OneDrive
   • SharePoint
   • Teams
   • Yammer
2. Enter the parameter values using information provided in the input parameter table below.
3. Click Add.
4. Verify that data is successfully arriving by running the following search on your search head:

Splunk Search

sourcetype=o365:graph:api

If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully.

Configure inputs in the configuration files

Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

1. Create $SPLUNK_HOME/etc/apps/Splunk_ta_o365/local/inputs.conf.
2. Add the following stanza.

[splunk_ta_o365_graph_api://<reporting_input_name>]
content_type = <value>
index = <value>
delay_throttle = <value>
interval = <value>
start_date = <value>
tenant_name = <value>

3. (Optional) Configure a custom index.
4. Restart your Splunk platform instance.
5. Verify that data is successfully arriving by running the following search on your search head:

Splunk Search

sourcetype=o365:graph:api

If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully.

Input Parameters

Each attribute in the following table corresponds to a field in Splunk Web.

Input Name	Corresponding field in Splunk Web	Description
reporting_input_name	Input Name	A unique name for your input.
tenant_name	Tenant Name	The Microsoft Office 365 account from which you want to gather data.
content_type	Content Type	Content-type for fetching Audit Logs data AuditLogs.SignIns
start_date	Start Date	Select a Start Date to specify how far back to go when initially collecting data. This parameter is optional. If no date is given, the input will start 7 days in the past.
delay_throttle	Delay Throttle(In Days)	Microsoft generally reports events with a delay of at least 2 days.
index	Index	The index in which the Audit Logs data should be stored. The default is main.
interval	Interval (seconds)	Rerun the input after the defined value, in seconds.

Configure Audit Logs inputs for the Splunk Add-on for Microsoft Office 365

Description: List user signins to an azure tenant.

Prerequisites: Before you enable inputs, complete the previous steps in the configuration process:

• Configure an integration application in Microsoft Entra ID (Azure AD) for the Splunk Add-on for Microsoft Office 365
• Configure a Tenant in the Splunk Add-on for Microsoft Office 365

Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web (recommended) or using the configuration files.

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

1. In the Splunk Add-on for Microsoft Office 365, click Inputs > Create New Input > Audit Logs.
2. Enter the parameter values using information provided in the input parameter table below.
3. Click Add.
4. Verify that data is successfully arriving by running the following search on your search head:

Splunk Search

sourcetype=o365:graph:api

If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully.

Configure inputs in the configuration files

Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

1. Create $SPLUNK_HOME/etc/apps/Splunk_ta_o365/local/inputs.conf.
2. Add the following stanza.

[splunk_ta_o365_graph_api://<audit_logs_input_name>]
content_type = AuditLogs.SignIns
index = <value>
interval = <value>
query_window_size = <value>
request_timeout = <value>
start_date = <value>
tenant_name = <value>
delay_throttle_min = <value>

3. (Optional) Configure a custom index.
4. Restart your Splunk platform instance.
5. Verify that data is successfully arriving by running the following search on your search head:

Splunk Search

sourcetype=o365:graph:api

If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully.

Input Parameters

Each attribute in the following table corresponds to a field in Splunk Web.

Input Name	Corresponding field in Splunk Web	Description
audit_logs_input_name	Input Name	A unique name for your input.
tenant_name	Tenant Name	The Microsoft Office 365 account from which you want to gather data.
content_type	Content Type	Content-type for fetching Audit Logs data AuditLogs.SignIns
start_date	Start Date	Select a Start Date to specify how far back to go when initially collecting data. This parameter is optional. If no date is given, the input will start 1 days in the past.
index	Index	The index in which the Audit Logs data should be stored. The default is main.
interval	Interval (seconds)	Rerun the input after the defined value, in seconds.
request_timeout	Request Timeout (seconds)	Specifies the maximum time (in seconds) the system will wait for a request to complete before timing out.
query_window_size	Query Window Size (minutes)	Defines the time interval (in minutes) for each data query chunk, allowing the system to retrieve data in specified time-based segments.
delay_throttle_min	Delay Throttle (minutes)	Specify delay throttle(in minutes) based on the latency observed in Azure Cloud Audit Sign-in Logs.

Configure Service Health & Communication inputs for the Splunk Add-on for Microsoft Office 365

Description: Access the health status and message center posts.

Following content-types are supported.

• Service Health: This operation retrieves information about all service health issues that exist for the tenant.
• Service Update Messages: This operation retrieves all service update messages that exist for the tenant.

Prerequisites: Before you enable inputs, complete the previous steps in the configuration process:

• Configure an integration application in Microsoft Entra ID (Azure AD) for the Splunk Add-on for Microsoft Office 365
• Configure a Tenant in the Splunk Add-on for Microsoft Office 365

Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web (recommended) or using the configuration files.

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

1. In the Splunk Add-on for Microsoft Office 365, click Inputs > Create New Input > Service Health & Communications.
2. Enter the parameter values using information provided in the input parameter table below.
3. Click Add.
4. Verify that data is successfully arriving by running the following search on your search head depending on the selected contennt-type while:

If the content-type is Service Health

Splunk Search

sourcetype=o365:service:healthIssue

If the content-type is Service Update Messages

Splunk Search

sourcetype=o365:service:updateMessage

If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully.

Configure inputs in the configuration files

Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

1. Create $SPLUNK_HOME/etc/apps/Splunk_ta_o365/local/inputs.conf.
2. Add the following stanza.

[splunk_ta_o365_graph_api://<service_health_input_name>]
content_type = <value>
index = <value>
interval = <value>
tenant_name = <value>

3. (Optional) Configure a custom index.
4. Restart your Splunk platform instance.
5. Verify that data is successfully arriving by running the following search on your search head:

If the content-type is Service Health

Splunk Search

sourcetype=o365:service:healthIssue

If the content-type is Service Update Messages

Splunk Search

sourcetype=o365:service:updateMessage

If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully.

Input Parameters

Each attribute in the following table corresponds to a field in Splunk Web.

Input Name	Corresponding field in Splunk Web	Description
service_health_input_name	Input Name	A unique name for your input.
tenant_name	Tenant Name	The Microsoft Office 365 account from which you want to gather data.
content_type	Content Type	Supported Content Type of the Service Health API from which data is to be fetched.
index	Index	The index in which the Audit Logs data should be stored. The default is main.
interval	Interval (seconds)	Rerun the input after the defined value, in seconds.

Configure Cloud Application Security inputs for the Splunk Add-on for Microsoft Office 365

Description: All service policies, alerts and entities visible through the Microsoft Cloud Application Security portal.

• Policies - Lists threat protection policy information.
• Alerts - Lists information about risks identified.
• Cloud Discovery Entities - Lists information about accounts and users of cloud apps.
• Files - Lists information about files and folders metadata.

Prerequisites: Before you enable inputs, complete the previous steps in the configuration process:

• Configure an integration application in Microsoft Entra ID (Azure AD) for the Splunk Add-on for Microsoft Office 365
• Configure a Tenant in the Splunk Add-on for Microsoft Office 365

Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web (recommended) or using the configuration files.

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

1. In the Splunk Add-on for Microsoft Office 365, click Inputs > Create New Input > Cloud Application Security.
2. Enter the parameter values using information provided in the input parameter table below.
3. Click Add.
4. Verify that data is successfully arriving by running the following search on your search head:

Splunk Search

sourcetype=o365:cas:api

If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully.

Configure inputs in the configuration files

Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

1. Create $SPLUNK_HOME/etc/apps/Splunk_ta_o365/local/inputs.conf.
2. Add the following stanza.

[splunk_ta_o365_cloud_app_security://<name>]
content_type = <value>
index = <value>
interval = <value>
tenant_name = <value>

3. (Optional) Configure a custom index.
4. Restart your Splunk platform instance.
5. Verify that data is successfully arriving by running the following search on your search head:

Splunk Search

sourcetype=o365:cas:api

If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully.

Input Parameters

Each attribute in the following table corresponds to a field in Splunk Web.

Input Name	Corresponding field in Splunk Web	Description
name	Input Name	A unique name for your input.
tenant_name	Tenant Name	The Microsoft Office 365 account from which you want to gather data.
content_type	Content Type	Supported content-type of Cloud Application Security for which data is to be fetched.
index	Index	The index in which the Audit Logs data should be stored. The default is main.
interval	Interval (seconds)	Rerun the input after the defined value, in seconds.

Configure Message Trace inputs for the Splunk Add-on for Microsoft Office 365

Description: Message Trace rovides detailed insights into email message flow within a system, tracking message delivery, status, and potential issues.

Prerequisites: Before you enable inputs, complete the previous steps in the configuration process:

• Configure an integration application in Microsoft Entra ID (Azure AD) for the Splunk Add-on for Microsoft Office 365
• Configure a Tenant in the Splunk Add-on for Microsoft Office 365
• Configure application to have one of the following IAM roles.
  • Exchange Administrator
  • Global Administrator
  • Global Reader role
• Configure application to have the ReportingWebService.Read.All permission. To add the permission, follow the following steps:
  • Navigate to Application permissions in the API Permissions > Add a permission
  • Select APIs my organisation uses
  • Select Office 365 exchange online by searching in the search box
  • Select Application Permission, and search for ReportingWebService
  • Add the ReportingWebService.Read.All permission

Note

The Message Trace API for the Splunk Add-on for Microsoft Office 365 does not support data collection for USGovGCC and USGovGCCHigh endpoints.

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance that you have designated as your configuration server, and is responsible for collecting data for this add-on. The best practice for this is usually a heavy forwarder.

1. Launch the Splunk add-on for Microsoft Office 365.
2. Click on the Inputs tab.
3. Click Create New Input.
4. Select “Message Trace”.
5. Enter the Input Name, Tenant Name, Start Date Time, Input Mode, and Index using information in the input parameter table below.
6. Click Add.
7. Enter the details of the given fields in the input page using the information in the input parameter table below.
8. Verify that data is successfully arriving by running the following search on your search head:

Splunk Search

sourcetype=o365:reporting:messagetrace

If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully.

Configure inputs in the configuration files

Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

1. Navigate to $SPLUNK_HOME/etc/apps/Splunk_ta_o365/local/, and create an inputs.conf
2. Open the inputs.conf file with a text editor.
3. Add the following stanza.

[splunk_ta_o365_message_trace://<messagetrace_input_name>]
delay_throttle = <value>
input_mode = <value>
interval = <value>
tenant_name = <value>
query_window_size = <value>
start_date_time = <value>
end_date_time = <value>
index = <value>

4. (Optional) Configure a custom index.
5. Restart your Splunk platform instance.
6. Verify that data is successfully being ingested by running the following search on your search head:

Splunk Search

sourcetype=o365:reporting:messagetrace

If you do not see any events, check the Troubleshooting tab on your data collection node to verify that your accounts, forwarders, and inputs are all configured successfully.

Input Parameters

Each attribute in the following table corresponds to a field in Splunk Web.

Input Name	Corresponding field in Splunk Web	Description
messagetrace_input_name	Name	A unique name for your input.
tenant_name	Tenant Name	Select the configured tenant from where you want to gather data.
input_mode	Input Mode	Input Mode Types: Continuously Monitor:- Continuously ingesting data into the Splunk platform based on the Query Window Size. Index Once:- Ingest data only once and ignore “Query window size” and “Delay throttle”. Additionally, “Start date/time” and “End date/time” are required.
start_date_time	Start Date/Time	Select a Start date/time to specify how far back to go when initially collecting data. This parameter is optional when Continuously Monitor is selected, but the parameter is required when Index Once is selected. If no date/time is given, the input will start 7 days in the past.
index	Index	The index in which the Message Trace data should be stored. The default is main.
interval	Interval (seconds)	Rerun the input after the defined value, in seconds. Note: If the Input mode is Index Once then the interval must be -1
query_window_size	Query Window Size (minutes)	When Continuously Monitor is selected, each time this input runs a start date is calculated for the Office 365 API query. The end date for the Office 365 API query will be the calculated start date plus the number of minutes specified by this parameter. For example, if the calculated start date is 2022-01-01T00:00:00 (midnight on January 1, 2022), the end date for the query will be 2022-01-01T00:01:00 (one hour after midnight) if the query window size is 60 minutes.
delay_throttle	Delay Throttle (minutes)	Microsoft may delay trace events for up to 24 hours, and events are not guaranteed to be sequential during this delay. For more information, see the Data granularity, persistence, and availability section of the Message Trace report topic in the Microsoft documentation. This parameter specifies how close to “now” the end date for a query may be (where “now” is the time that the input runs). Continuing from the example above, if “now” is 2022-01-01T00:02:00 (two minutes after midnight) and the delay throttle is 60 minutes, the input will exit because the end date for the query is only 1 minute away from “now”. Each time the input runs, the input will exit and do nothing until the end date is at least 60 minutes away from “now”.

Configure optional settings for the Splunk Add-on for Microsoft Office 365

Note

The Splunk Add-on for Microsoft Office 365 only supports HTTP proxy.

Prerequisites: Before you configure the Settings, complete the previous steps in the configuration process:

• Configure an integration application in Microsoft Entra ID (Azure AD) for the Splunk Add-on for Microsoft Office 365
• Configure a Tenant in the Splunk Add-on for Microsoft Office 365
• For more information on configuring respective inputs, see the Configuration topic in this manual.

Configure Proxy and Log Level settings

Using Splunk Web, configure Proxy and Log Level settings on the Splunk platform instance that you have designated as your configuration server for this add-on.

1. On your Splunk platform instance, navigate to the Splunk Web home screen.
2. In the left navigation banner, click on Splunk Add-on for Microsoft Office 365.
3. Click on the Configuration tab.
4. If you need to use a proxy: - Click the Proxy tab. - Fill in the form with your proxy details. If your proxy server does not require authentication, leave the username and password fields empty. - Click Save.
5. To change the logging levels: - Click the Logging tab. - Select the Log Level. - Click Save.

Configure the request timeout parameter for Management Activity inputs

Configure the request_timeout parameter for Management Activity inputs.

request_timeout is the number of seconds to wait before timeout while getting a response from the subscription API.

• The range for the parameter is from 10 to 600 seconds.
• The default value of request_timeout parameter is 60 seconds.
• The upper limit value of a request_timeout parameter is 600 seconds.
• The lower limit value of a request_timeout parameter is 10 seconds.

There are two ways to add a request_timeout parameter with a configured input.

1. Make the request_timeout parameter configurable to all configured inputs.
   • Navigate to $SPLUNK_HOME/etc/apps/splunk_ta_o365/local, and create an inputs.conf file, if it does not already exist.
   • Copy the following stanza, and add it to the $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf file.

     [splunk_ta_o365_management_activity]
     request_timeout = <integer>
     

     This setting will override the default value of request_timeout defined in default/inputs.conf and will apply to all configurable Management Activity inputs.
     
     • Save your changes.
2. Make the request_timeout parameter configurable by adding request_timeout to the specific Management Activity input.
   • Configure Managment Activity Input using Splunk Web.
   • Navigate to $SPLUNK_HOME/etc/apps/splunk_ta_o365/local, and create an inputs.conf file, if it does not already exist.
   • Open $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf and add request_timeout = <integer> parameter under each configured input. For example, [splunk_ta_o365_management_activity://<Input_Name>].
     • Save your changes.

Configure the request timeout parameter for Graph API inputs

Configure the request_timeout parameter for Audit Logs inputs.

request_timeout is the number of seconds to wait before a timeout while getting a response from the Graph API.

• The range for the parameter is from 10 to 600 seconds.
• The default value of request_timeout parameter is 60 seconds.
• The upper limit value of a request_timeout parameter is 600 seconds.
• The lower limit value of a request_timeout parameter is 10 seconds.

To configure it from UI

• Click on “Create New Input” and Select “Audit Logs”.
• Under the “Advanced Settings” section configure “Request Timeout” parameter.

You can also configure the request_timeout in all the Graph API inputs from $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf.

Configure the token refresh window parameter for Management Activity inputs

Configure the token_refresh_window parameter for Management Activity inputs.

token_refresh_window is the number of seconds before the token expires, and must be refreshed. For example, if the token is expiring at 01:00 PM and the user has entered the 600 as a value of parameter token_refresh_window then the token will be refreshed at 12:50 PM.

• The range for the token_refresh_window parameter is from 400 seconds to 3600 seconds.
• The default value of token_refresh_window is 600 seconds.
• The upper limit of token_refresh_window is 3600 seconds.
• The lower limit of token_refresh_window is 400 seconds.

There are two ways to add a token_refresh_window parameter with configured inputs.

1. Make the token_refresh_window parameter configurable to all configured inputs. - Navigate to $SPLUNK_HOME/etc/apps/splunk_ta_o365/local, and create an inputs.conf file, if it does not already exist. - Copy the below stanza, and add it to the $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf file.

   [splunk_ta_o365_management_activity]
   token_refresh_window = <integer>
   

   This setting will override the default value of token_refresh_window defined in default/inputs.conf and it will apply to all configurable Management Activity inputs. - Save your changes.

2. Make the token_refresh_window parameter configurable by adding token_refresh_window to specific Management Activity inputs.

   • Configure the Managment Activity Input using Splunk Web.
   • Navigate to $SPLUNK_HOME/etc/apps/splunk_ta_o365/local, and create an inputs.conf file, if it does not already exist.
   • Open $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf, and add the token_refresh_window = <integer> parameter to each specific Management Activity input. For example, the [splunk_ta_o365_management_activity://<Input_Name>] stanza.
   • Save your changes.

Ended: Configuration

Troubleshoot

Troubleshoot the Splunk Add-on for Microsoft Office 365

General troubleshooting

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

Cannot ingest data after configuring a new application and tenant

The Splunk Add-on for Microsoft Office 365 requires Application permission to read the service health, activity data, and DLP policy events. Make sure these permissions are selected, saved and then granted within the Office 365 Management Activity API configuration on Azure Active Directory.

1. Navigate to the Enable Access pane in the Microsoft Azure Active Directory application configuration UI

2. Set the Application permissions.

   • Read service health information for your organization
   • Read activity data for your organization
   • (Optional) Read DLP policy events including detected sensitive data

   Note

   Accessing DLP policy events requires an additional Microsoft Azure Active Directory subscription. If you are unable to ingest DLP policy events, make sure you have the correct Microsoft Azure Active Directory subscription. Refer to the Microsoft Azure Active Directory documentation for more information.

3. Click Save after you change permissions.

4. Click Grant permissions to finish applying the permission changes.

Cannot ingest Message Trace data after configuring a new application and tenant

HTTP Request error: 401 Client Error

The Splunk Add-on for Microsoft Office 365 requires ReportingWebService.Read.All. Verify this permission is selected, saved, and then granted within the Office 365 Management Activity API configuration on Azure Active Directory.

Certificate verify failed (_ssl.c:741) error message

If you create a new input, you might receive the following error message: certificate verify failed (_ssl.c:741) Perform the following steps to resolve the error:

Navigate to $SPLUNK_HOME/etc/auth/cacert.pem and open the cacert.pem file with a text editor. Copy the text from your deployment’s proxy server certificate, and paste it into the cacert.pem file. Save your changes.

SSL Cert Errors

O365 TA supports HTTP proxy only, so it will not work with the HTTPS proxy. Make sure the proxy configured in the add-on is of the HTTP type.

If there is ssl.SSLEOFError: EOF occurred in violation of protocol (_ssl.c:1106) error, please check below.

• Check that HTTPS proxy is not set at the splunk(e.g. in splunk-launch.conf) or system level(https_proxy/http_proxy environment variables).

If there is a CERTIFICATE_VERIFY_FAILED error, make sure the required proxy server certificates and vendor-specific certificates are appended to the following available file paths: - $SPLUNK_HOME/etc/apps/splunk_ta_o365/lib/certifi/cacert.pem - $SPLUNK_HOME/lib/python3.7/site-packages/certifi/cacert.pem

Data collection stops working - HTTP errors

The Client Secrets in your Microsoft Azure deployment can rotate on a predefined schedule, according to your organization’s security requirements. If the secret is not updated in the Splunk Add-on for Microsoft Office 365, data collection will stop. You may see HTTP Error 401 - Unauthorized or HTTP Error 500 - Internal Server Error in the logs.

1. Navigate to the Splunk Web home screen.
2. Click on Splunk Add-on for Microsoft Office 365 in the left navigation banner.
3. Click on the Configuration > Tenant tab.
4. Select the Tenant that needs an updated Client Secret and click Edit.
5. Select Change and update the Client Secret.
6. Click Update to save the changes.

Audit events are delayed or missing

As the number of events in your deployment increases, the Splunk Add-on for Microsoft Office 365 may not be able return all events in one query before the next query executes, and events from the previous query may be delayed or even missed. One root cause for this can be the number of threads that are available and used to collect the necessary data sets. If events are being queued, you can increase the number of threads in increments of four until all events are returned in one query.

1. Navigate to $SPLUNK_HOME/etc/apps/splunk_ta_o365/local, and create an inputs.conf file, if it does not already exist.
2. Add the following stanza to the $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf file.

[splunk_ta_o365_management_activity]
interval = 300
disabled = 0
sourcetype = o365:management:activity
number_of_threads = 4

3. Increase the number of threads in increments of 4. The maximum number of threads is 64.

Note

Increase the thread count gradually until it stops boosting performance. Avoid having high thread count unless the system is of high specifications and you are observing performance improvement with increase in threads.

4. Restart Splunk.
5. Test to see if all events are being returned:

Splunk Search

index=_internal sourcetype=”splunk:ta:o365:log” message=”Ingesting content success.”
| eval content_time = strptime(content_id, “%Y%m%d%H%M%S”)
| chart count by content_time span=600

You can add a filter on the data_input field to narrow down the search for a particular data input:

Splunk Search

index=_internal sourcetype=”splunk:ta:o365:log” message=”Ingesting content success.” data_input=my_test_input
| eval content_time = strptime(content_id, “%Y%m%d%H%M%S”)
| chart count by content_time span=600

Change my_test_input to the data input name you would like to check.

You could also deploy the Splunk Add-on for Microsoft Office 365 as a tuned standalone add-on to capture Microsoft Azure Active Directory audit events separately from Service Events and Service Messages.

Data ingestion stops on Debian or Ubuntu Linux Server

Splunk Enterprise launches modular inputs under a shell process on Debian or Ubuntu Linux Server and this can block new modular input instances. If you are running the add-on with Debian or Ubuntu Linux Server, set the option start_by_shell = false in each stanza of inputs.conf.

1. Navigate to $SPLUNK_HOME/etc/apps/splunk_ta_o365/local, and create an inputs.conf file, if it does not already exist.
2. Add the folowing stanzas to the $SPLUNK_HOME/etc/apps/splunk_ta_o365/local/inputs.conf file:

[splunk_ta_o365_management_activity]
interval = 300
disabled = 0
sourcetype = o365:management:activity
number_of_threads = 4
start_by_shell = false

[splunk_ta_o365_service_status]
interval = 1800
disabled = 0
sourcetype = o365:service:status
start_by_shell = false

[splunk_ta_o365_service_message]
interval = 600
disabled = 0
sourcetype = o365:service:message
start_by_shell = false

3. Restart Splunk.

Data collection hangs while calling the Office 365 management API

While calling the Office 365 management API, you receive the following error message in your logs.

ReadTimeout: HTTPSConnectionPool(host='manage.office.com', port=443): Read timed out. (read timeout=60)

The modular input is hung during data collection. Configure the request_timeout parameter in inputs.conf.

Data ingestion stops for management activity

If data collection for the management activity input stops, and you receive the following message in your error logs.

message="failed to get error code" body="{\"Message\":\"Authorization has been denied for this request.\"}"

Configure token_refresh_window parameter in inputs.conf. Enter the number of seconds before the token’s expiration time when the token should be refreshed. The range for the parameter is from 400 seconds to 3600 seconds. See the inputs.conf.spec file in the README directory for this add-on for more information.

Data duplication issues when fetching multiple content URLs

Microsoft’s o365:management:activity API is not like typical event services and does not forward actual events. The API is a front end to an at-least-once delivery message bus, and returns lists of urls pointing to data, and not unique events. With each call to this API, the API clients (like the Splunk software) retrieve new events by time. But the at-least-once nature of the API means that clients get instructed to process the same set of data more than once.

This API design from Microsoft provides assurance that both internal and external failures in process will avoid lost events. A consequence of this design assurance is the occasional duplication of events whenever there is any doubt about the delivery of a message. This API design is highly scalable, as it does not require consistency or checkpoints from the O365 API.

Modular inputs have the ability to manage checkpoints such as counters and last queried time. However for the sake of performance, modular inputs in this add-on are stateless and do not retain data from previous calls, so cannot determine if the current or prior thread has been given the same content by value or key/identifier. This design is intentional, in order to minimize the overhead of high volume interfaces.

Typically these duplicate events from the API should have minimal impact on most use cases, but can impact some aggregate (threshold) or anomaly detection use cases. If these events impact your use case significantly, the best practice is to either raise a request with Microsoft for any possible enhancements to the API design, or alternatively build a message-format compatible webhook using Azure functions or other serverless technologies or any of the available API gateway solutions, that can be used to check for duplicate events by maintaining a history of messages sent by the API over a period of time. This alternative solution can also easily send data to Splunk via the HTTP Event Collector (HEC).

Service health information is not getting ingested

If your service health information is not getting ingested, check to see if you are using the ServiceHealth.Read.All API from Office 365 Management APIs, or the ServiceHealth.Read.All API in Microsoft Graph.

The ServiceHealth.Read.All API from Office 365 Management APIs was retired by Microsoft on December 17, 2021. Use ServiceHealth.Read.All API in Microsoft Graph

If upgrading to version 3.0.0 or later, disable ServiceHealth.Read.All in Office 365 Management APIs, and enable ServiceHealth.Read.All in Microsoft Graph.

Input page not showing any configured inputs with “Unexpected Error” shown on UI

Troubleshoot the “Unexpected Error” in input page shown on UI

• While configuring inputs, if the "Content Type" field is not selected.
  • Determine the inputs without the "Content Type" field.
  • Go to "Settings" -> "Data Inputs"
  • Find out the already configured Office 365 Add-on Inputs which don't have the "Content Type" field provided.
  • Delete those inputs from the same "Data Inputs" UI
  • Reconfigure your inputs using the appropriate Content Type.
• If any input is configured from "Settings" -> "Data Inputs" UI, then validations handled in the Add-on will be skipped resulting in the above error.
  • Delete those inputs from the same "Data Inputs" UI
  • Reconfigure your inputs using the appropriate Content Type

Data ingestion stops for cloud application security input

If data collection for the cloud application security input stops, and you receive the following message in your error logs.

message="Error retrieving Cloud Application Security messages." exception=401:{"detail":"Invalid token header. Token string should not contain spaces."}

One of the reasons for the this error is because of issues following the upgrade steps to migrate to versions 4.1.0 and higher. For more information, see the upgrade topic in this manual.

Duplicate events for Cloud App Security and Management Activity

Problem

You encounter duplicate events for Cloud App Security and Management Activity data ingestion.

Possible solution

After upgrading the Splunk Add-on for Microsoft Office 365 to version 4.1.0, due to a change in checkpoint logic, your Splunk platform deployment might receive duplicate events for a maximum of 7 days. Duplicate events will stop ingesting after 7 days. You may observe a rise in the usage of your deployment’s memory/CPU resources.

Ended: Troubleshoot

Reference

Performance reference for the Management Activity input in the Splunk Add-on for Microsoft Office 365

The following tables contain reference information about Splunk’s performance testing of the Management Activity input in the Splunk Add-on for Microsoft Office 365. Use this information to enhance the performance of your own Management Activity data collection tasks.

Note

Many factors impact performance results, including deployment architecture, and hardware. These results represent reference information and do not represent performance in all environments.

Management Activity input performance characteristics

Version 4.3.0 performance statistics

Common architecture setup	Time Taken for Data Collection	No. of Events	No. of Threads	HF/IDM Average CPU (%)	HF/IDM Average RAM (%)
On Prem Heavy Forwarder (m5.4xlarge) 16 CPU 64 GiB Memory	14min	5M	4	7.40%	0.08%
	9min	5M	32	15%	0.31%
CO2 Stack - Classic Cluster (1 IDM) 1 cluster master (c5.xlarge) 3 search heads (m6i.4xlarge) 16 CPU 64 GiB Memory 3 indexer clusters (is4gen.4xlarge) 16 CPU 96 GiB Memory 1 Input Data Manager (IDM) (m6i.4xlarge) 16 CPU 64 GiB Memory	19min	5M	4	38%	0.19%
	18min	5M	32	50.54%	0.62%
CO2 Stack - Victoria Search Head Cluster 1 cluster master (c5.xlarge) 3 search heads (m6i.4xlarge) 16 CPU 64 GiB Memory 3 indexer clusters (is4gen.4xlarge) 16 CPU 96 GiB Memory	14min	5M	4	20%	0.18%
	12min	5M	32	27%	0.62%

Version 4.3.0 vs 4.2.1 performance comparison statistics

Common architecture setup	TA Version	Time Taken for Data Collection	No. of Events	No. of Threads	HF/IDM Average CPU (%)	HF/IDM Average RAM (%)
On Prem Heavy Forwarder (m5.4xlarge) 16 CPU 64 GiB Memory	v4.3.0	2min	500K	4	3.84%	0.05%
	v4.2.1	51min	500K	4	4.76%	0.05%
CO2 Stack - Classic Cluster (1 IDM) 1 cluster master (c5.xlarge) 3 search heads (m6i.4xlarge) 16 CPU 64 GiB Memory 3 indexer clusters (is4gen.4xlarge) 16 CPU 96 GiB Memory 1 Input Data Manager (IDM) (m6i.4xlarge) 16 CPU 64 GiB Memory	v4.3.0	1min 47sec	500K	4	36%	0.15%
	v4.2.1	4hr 48min	500K	4	7.50%	0.18%
CO2 Stack - Victoria Search Head Cluster 1 cluster master (c5.xlarge) 3 search heads (m6i.4xlarge) 16 CPU 64 GiB Memory 3 indexer clusters (is4gen.4xlarge) 16 CPU 96 GiB Memory	v4.3.0	1min 25sec	500K	4	17.48%	0.16%
	v4.2.1	4hr 45min	500K	4	2.45%	0.19%

Ended: Reference