If you're having trouble at any stage please contact us at firstname.lastname@example.org.
One of the Office 365 services suite is the Exchange online. Depends on your Office 365 subscription and features enabled Exchange could provide you with multiple different reports. One of the basic and highly important reports is the log of the entire mail flows through your Exchange server, known as message trace.
An Office 365 Exchange message trace record includes the following information:
- Message ID (aka Client ID)
- Sender address
- Recipient address
- Direction (inbound/outbound)
- Send/Receiving date
- Message subject
- Message size
- Delivery status (delivered, failed, pending, expanded, unknown)
- Sender IP address
- Sent to IP address
- Message trace ID
In some cases you might want to get the message trace events so you could perform further security analysis and identify threats as spamming activity, data exfiltration and others. Another motivation for getting your message trace events into another security system is for longer data retention needs. Office 365 message retention policy and limits are detailed here.
The SkyFormation for Office 365 Connector can collect the Office 365 message trace events and send them into your security system of choice.
This guide explains how to configure both SkyFormation and your Office 365 to allow the message trace collection.
Prerequisite: Make sure you have a running SkyFormation Office 365 connector.
If you don't have one see Adding Office 365 Connector to SkyFormation Platform.
- Add to the Office 365 connector the user details needed for the message trace events API.
At section 5 in the Adding Office 365 Connector to SkyFormation Platform guide you
should see the type of user needed to get the Exchange events.
If this section was completed successfully (the user configured has the needed Exchange
permissions) the SkyFormation for Office 365 Connector automatically creates the
following end-points (audit sources) all in disabled mode by default:
End-point (1)-(5) will only work for customers subscribed to the Office 365 Advance Threat
Protection (Exchange online protection service).
The exchange-admin-reports-message-trace needed to collect the message trace events
requires no additional license. You will need to complete the steps detailed below.
- Enable mailbox auditing in Office 365
Mailboxes in Office 365 are not audited, therefore their message trace events are not
The Office 365/Exchange administrator should configure which mailboxes will be audited
by following the steps detailed at Enable mailbox auditing in Office 365 guide.
- Verify message trace events are collected in your Exchange admin console
() Open your Exchange admin center portal at https://outlook.office365.com
() Navigate to mail flow -> message trace
() search for events at the last 24 hours and make sure you see some events
- Enable the exchange-admin-reports-message-trace end-point in your Office 365 connector
() Open your SkyFormation app
() Navigate to SETTINGS -> ACCOUNTS
() Focus on your Office 365 connector (sanity-o365-trial-0280 in the example below)
() Press the STATUS button
You should see a list of the Office 365 connector end-points with their running and sync
() Enable your exchange-admin-reports-message-trace end-point by pressing START
You should see that the end-point successfully sync events after few minutes by seeing
in the LAST-SUCCESSFUL-SYNC column any date, and a green V sign in the end-point
If you would like to see how a message trace event from SkyFormation Office 365 connector will look like in your SIEM please download the attached csv event example in this guide.