Re: Has anyone successfully configured the O365 AP...

packet_hunter · ‎06-14-2017

I am trying to get O365 email data into Splunk.
I have no experience configuring the O365 API but I believe it is possible (from what I have read) to bring in cloud email data.
Specifically the data field/values that I desire is:
Sender
Recipient
Subject
Message ID
Return Path
Originating IP
Received message info
.... and other email header data

I don't really want the email body content but having the option to grab it on demand would be awesome.

If anyone has any advice on this, it is greatly appreciated. I read a post about using powershell to accomplish this but I did not follow what to do.

Thank you

Dev_Choudhary · ‎11-07-2017

Hi packet_hunter and all,

Now I am able to get Office365 Email messages to Splunk, check below add-on details

https://splunkbase.splunk.com/app/3720/#/details

mjm295 · ‎11-06-2017

Hi

Im currently working through the blog posts, we have the azure management stuff working. And whould get to the Email metat data later this week. I think this is what you are looking for:
https://www.splunk.com/blog/2017/10/05/splunking-microsoft-cloud-data-part-3.html

Regards
Mark

richgalloway · ‎06-19-2017

I wrote a python script to get O365 email attachments into Splunk. This is probably your best option for getting only the desired header fields rather than entire messages. It also indexes less data.

---
If this reply helps you, Karma would be appreciated.

gjanders · ‎06-19-2017

Would you care to share that python script? Thanks!

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

richgalloway · ‎06-23-2017

Wish I was allowed to, but I can share the basics to help get you started.
I used httplib to send requests. To read messages send a GET request to "https://outlook.office365.com/api/v1.0/me/messages?$filter=IsRead eq false and HasAttachments eq true&$select=HasAttachments,From,DateTimeSent,Subject,Id", include your base64-encoded credentials.
The response is in JSON so you can use the json library to parse it and get the headers you want.

When you're finished with a message you need to mark it read. Do that by sending a PATCH request "https://outlook.office365.com/api/v1.0/me/messages/" where is a message ID from the message you just processed.

---
If this reply helps you, Karma would be appreciated.

packet_hunter · ‎06-26-2017

Thank you for that!

Dev_Choudhary · ‎06-19-2017

recently configured Microsoft Cloud Services add-on to get these data but this is again limited to management events and office apps like sharepoint, onedrive access and file modification only.

packet_hunter · ‎06-19-2017

Thank you for the response, do you have any details / steps/ advice in configuring the O365 API?
I have seen this

https://msdn.microsoft.com/en-us/office-365/get-started-with-office-365-management-apis

but do you have additional information?

There is another post about using powershell in the cloud to grab email data, any experience with that ?

Dev_Choudhary · ‎06-20-2017

with this API not able to get email related information.

Only option available is using script

packet_hunter · ‎06-20-2017

just need the scripts... thx

Has anyone successfully configured the O365 API to index email data into Splunk?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life