I am trying to get O365 email data into Splunk.
I have no experience configuring the O365 API but I believe it is possible (from what I have read) to bring in cloud email data.
Specifically, the data fields/values that I desire are:
Received message info
.... and other email header data
I don't really want the email body content but having the option to grab it on demand would be awesome.
If anyone has any advice on this, it is greatly appreciated. I read a post about using PowerShell to accomplish this but I did not follow what to do.
I'm currently working through the blog posts; we have the Azure management stuff working and would get to the email metadata later this week. I think this is what you are looking for:
I wrote a python script to get O365 email attachments into Splunk. This is probably your best option for getting only the desired header fields rather than entire messages. It also indexes less data.
Wish I was allowed to, but I can share the basics to help get you started.
I used httplib to send requests. To read messages send a GET request to "https://outlook.office365.com/api/v1.0/me/messages?$filter=IsRead eq false and HasAttachments eq true&$select=HasAttachments,From,DateTimeSent,Subject,Id", include your base64-encoded credentials.
The response is in JSON so you can use the json library to parse it and get the headers you want.
When you're finished with a message you need to mark it read. Do that by sending a PATCH request to "https://outlook.office365.com/api/v1.0/me/messages/" where is a message ID from the message you just processed.
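A small Python sketch of the flow this answer describes (an added example, not the answerer's script): it builds the same $filter/$select query with proper URL encoding, flattens the JSON response into one event per message for Splunk, and prepares the PATCH that marks a message read. The sample response is constructed, and the environment variable names O365_USER/O365_PASS are assumptions.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

API_BASE = "https://outlook.office365.com/api/v1.0/me/messages"

def build_list_url(base=API_BASE):
    # Same query as the answer above, but urlencode escapes the spaces in the
    # OData $filter instead of sending them raw.
    params = {
        "$filter": "IsRead eq false and HasAttachments eq true",
        "$select": "HasAttachments,From,DateTimeSent,Subject,Id",
    }
    return base + "?" + urllib.parse.urlencode(params)

def auth_header(user, password):
    # Basic auth as the answer describes; the caller reads credentials from the
    # environment so they never sit in the script or get indexed by Splunk.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token, "Accept": "application/json"}

def extract_headers(body):
    """Flatten the 'value' array of a messages response into the fields to index."""
    events = []
    for m in json.loads(body).get("value", []):
        sender = (m.get("From") or {}).get("EmailAddress") or {}
        events.append({"id": m.get("Id"), "subject": m.get("Subject"),
                       "from": sender.get("Address"), "sent": m.get("DateTimeSent"),
                       "has_attachments": m.get("HasAttachments")})
    return events

def mark_read_request(message_id, headers, base=API_BASE):
    # PATCH .../messages/<id> with {"IsRead": true}; the id is percent-encoded
    # because Outlook message ids contain '=' and '/' characters.
    url = base + "/" + urllib.parse.quote(message_id, safe="")
    req = urllib.request.Request(url, data=json.dumps({"IsRead": True}).encode(), method="PATCH")
    for k, v in headers.items():
        req.add_header(k, v)
    req.add_header("Content-Type", "application/json")
    return req

# Constructed sample response (not real mailbox data) in the shape the API returns.
SAMPLE = json.dumps({"value": [{"Id": "AAMkAGI2=", "Subject": "Invoice", "HasAttachments": True,
         "DateTimeSent": "2016-01-05T10:00:00Z",
         "From": {"EmailAddress": {"Name": "A", "Address": "a@example.com"}}}]})

if __name__ == "__main__":
    hdrs = auth_header(os.environ.get("O365_USER", "user@example.com"), os.environ.get("O365_PASS", "x"))
    for ev in extract_headers(SAMPLE):
        print(json.dumps(ev))  # one JSON event per line, easy for Splunk to index
        req = mark_read_request(ev["id"], hdrs)
        print(req.get_method(), req.full_url)  # urllib.request.urlopen(req) would send it
```

Microsoft has since retired the Outlook REST API v1.0 endpoint in favour of Microsoft Graph, but the query building and JSON handling carry over unchanged.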
I recently configured the Microsoft Cloud Services add-on to get this data, but this is again limited to management events and Office apps like SharePoint and OneDrive access and file modification only.
Thank you for the response, do you have any details / steps/ advice in configuring the O365 API?
I have seen this
but do you have additional information?
There is another post about using PowerShell in the cloud to grab email data, any experience with that?