I am trying to get O365 email data into Splunk.
I have no experience configuring the O365 API but I believe it is possible (from what I have read) to bring in cloud email data.
Specifically, the data fields/values that I desire are:
Sender
Recipient
Subject
Message ID
Return Path
Originating IP
Received message info
.... and other email header data
I don't really want the email body content but having the option to grab it on demand would be awesome.
If anyone has any advice on this, it is greatly appreciated. I read a post about using PowerShell to accomplish this but I did not follow what to do.
Thank you
Hi packet_hunter and all,
Now I am able to get Office 365 email messages into Splunk; check the add-on details below.
Hi
I'm currently working through the blog posts; we have the Azure management stuff working, and would get to the email metadata later this week. I think this is what you are looking for:
https://www.splunk.com/blog/2017/10/05/splunking-microsoft-cloud-data-part-3.html
Regards
Mark
I wrote a python script to get O365 email attachments into Splunk. This is probably your best option for getting only the desired header fields rather than entire messages. It also indexes less data.
Would you care to share that python script? Thanks!
Wish I was allowed to, but I can share the basics to help get you started.
I used httplib to send requests. To read messages, send a GET request to "https://outlook.office365.com/api/v1.0/me/messages?$filter=IsRead eq false and HasAttachments eq true&$select=HasAttachments,From,DateTimeSent,Subject,Id" and include your base64-encoded credentials.
The response is in JSON so you can use the json library to parse it and get the headers you want.
When you're finished with a message you need to mark it read. Do that by sending a PATCH request to "https://outlook.office365.com/api/v1.0/me/messages/{id}", where {id} is the message ID from the message you just processed.
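As an added example (not the poster's script, which was not shared), the outline above worked through in Python: build the v1.0 list URL with the $filter percent-encoded (httplib sends the request line verbatim, so the raw spaces in the filter would produce a malformed request), build the Basic Authorization header, pull only the header-like fields out of the JSON response, format them as a key=value line Splunk can field-extract, and build the PATCH that marks a message read. The response body below is constructed to mirror the field names the post selects (HasAttachments, From, DateTimeSent, Subject, Id); the `{"IsRead": true}` PATCH body and the EmailAddress sub-object are the v1.0 API shapes as I remember them and are assumptions, as are the account names and message IDs. Note that a base64 Basic credential is not encrypted, only encoded, so it must only ever travel over TLS, and the Outlook REST v1.0 endpoint has since been deprecated in favour of Microsoft Graph.

```python
import base64
import json
from urllib.parse import quote

# Base URL from the post; the API family is deprecated but kept here to match the thread.
BASE = "https://outlook.office365.com/api/v1.0/me/messages"

# Constructed sample response in the v1.0 list shape (assumed); IDs and addresses are fictitious.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {
            "Id": "AAMkAGI2THVuc0FAAA=",
            "HasAttachments": True,
            "DateTimeSent": "2017-10-05T09:12:33Z",
            "Subject": "Invoice 4471",
            "From": {"EmailAddress": {"Name": "Billing", "Address": "billing@example.com"}},
        },
        {
            "Id": "AAMkAGI2THVuc0FBAA=",
            "HasAttachments": True,
            "DateTimeSent": "2017-10-05T09:15:02Z",
            "Subject": 'Re: "urgent" wire request',
            "From": {"EmailAddress": {"Name": "CFO", "Address": "cfo@example.net"}},
        },
    ]
})


def build_list_url(base=BASE):
    """Unread messages with attachments, only the fields the post selects.
    Spaces in the $filter are percent-encoded so the request line is valid."""
    flt = "IsRead eq false and HasAttachments eq true"
    sel = "HasAttachments,From,DateTimeSent,Subject,Id"
    return f"{base}?$filter={quote(flt)}&$select={quote(sel, safe=',')}"


def basic_auth_header(user, password):
    """HTTP Basic auth: base64(user:password). Encoding only, not secrecy; TLS is mandatory."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token, "Accept": "application/json"}


def extract_headers(body):
    """Parse the JSON list response and keep only header-like fields (no body content)."""
    data = json.loads(body)
    events = []
    for m in data.get("value", []):
        frm = m.get("From", {}).get("EmailAddress", {})
        events.append({
            "id": m["Id"],
            "sent": m.get("DateTimeSent"),
            "from": frm.get("Address"),
            "subject": m.get("Subject"),
            "has_attachments": m.get("HasAttachments"),
        })
    return events


def to_splunk_kv(event):
    """One event per line, timestamp first, quoted key=value pairs with embedded quotes escaped."""
    parts = [str(event["sent"])]
    for key in ("id", "from", "subject", "has_attachments"):
        value = str(event[key]).replace('"', '\\"')
        parts.append(f'{key}="{value}"')
    return " ".join(parts)


def mark_read_request(msg_id, base=BASE):
    """(method, url, body) for the PATCH that flags a processed message as read.
    Message IDs can contain '=' or '/', so the path segment is fully percent-encoded."""
    return ("PATCH", f"{base}/{quote(msg_id, safe='')}", json.dumps({"IsRead": True}))


if __name__ == "__main__":
    # Offline walk-through on the constructed response; a real run would GET build_list_url()
    # with basic_auth_header(...) and send mark_read_request(...) for each event.
    for ev in extract_headers(SAMPLE_RESPONSE):
        print(to_splunk_kv(ev))
        print(mark_read_request(ev["id"]))
```

The key=value line format is a convenient target for Splunk's automatic field extraction; indexing only these fields rather than whole messages is what keeps the licence volume down, as the poster notes.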
Thank you for that!
I recently configured the Microsoft Cloud Services add-on to get this data, but it is again limited to management events and Office apps like SharePoint and OneDrive access and file modification only.
Thank you for the response. Do you have any details/steps/advice on configuring the O365 API?
I have seen this
https://msdn.microsoft.com/en-us/office-365/get-started-with-office-365-management-apis
but do you have additional information?
There is another post about using PowerShell in the cloud to grab email data; any experience with that?
With this API I'm not able to get email-related information.
The only option available is using a script.
Just need the scripts... thx