Splunk® Supported Add-ons

Splunk Add-on for Microsoft Office 365

Release history for the Splunk Add-on for Microsoft Office 365

Latest version

The latest version of the Splunk Add-on for Microsoft Office 365 is version 2.0.0. See Release notes for the Splunk Add-on for Office 365 for the release notes of this latest version.

Version 1.1.0

Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 was released on May 23, 2019.

About this release

Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 6.6.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x
CIM: 4.12
Supported OS: Platform independent
Vendor products: Microsoft Office 365

New features

Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

  • Configurable Token Refresh Window for the Management Activity inputs to support uninterrupted data ingestion.

Fixed Issues

Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following fixed issues.

Date resolved  Issue number  Description
2019-04-17     ADDON-20704   Add-on doesn't tag authentication events from o365 audit events
2019-04-14     ADDON-20616   Modular input hang on calling O365 Management API
2019-04-12     ADDON-20076   Data duplicating multiple times over for o365:management:activity
2019-04-11     ADDON-21196   splunk_ta_o365 - DLP Inputs - Date range for requested content is invalid
2018-10-12     ADDON-18373   Data ingestion may stop on Debian Linux Server

Known issues

Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.

Date filed  Issue number  Description
2019-08-26  ADDON-22979   Missing certificate verification in office 365 add on
2019-08-26  ADDON-22982   Information leakage through Office 365 Add-On UI
2019-08-26  ADDON-22978   Insufficient validation on Tenant creation
2019-08-20  ADDON-22962   Insecure Use of Math.random() to Generate Keys in http_manager.js
2019-08-12  ADDON-22919   Upgrade urllib3 to 1.24.3 or later
2019-06-25  ADDON-22238   web.conf settings cause other apps settings pages not to load properly

    Workaround: Change the permission for the setting (view) of Microsoft O365 to "this app only", or set:

        [views]
        export = none

2019-04-09  ADDON-21696   Data duplication issue over multiple content URL in o365:management:activity input

Third-party software attributions

Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.


Version 1.0.0

Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 6.6.X, 7.0.X, 7.1.X
CIM: Not supported
Supported OS: Platform independent
Vendor products: Microsoft Office 365

Migration

If you are currently using the Splunk Add-on for Microsoft Cloud Services to ingest Office 365 Management API data and are migrating to the Splunk Add-on for Office 365, disable the Office 365 modular input in the Splunk Add-on for Microsoft Cloud Services.

There are three new source types in the Splunk Add-on for Microsoft Office 365 which replace the single ms:o365:management source type in the Splunk Add-on for Microsoft Cloud Services. If you are migrating from the Splunk Add-on for Microsoft Cloud Services to the Splunk Add-on for Microsoft Office 365, you will need to update your existing dashboards, panels, and SPL with the new source types. See Source types for the Splunk Add-on for Microsoft Office 365.

New features

Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

  • Simple authentication with the Office 365 Management API applications.
  • Simple process for changing the registered application key.
  • Three new source types, o365:management:activity, o365:service:status, and o365:service:message.

Known issues

Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.

Date filed  Issue number  Description
2019-02-04  ADDON-21196   splunk_ta_o365 - DLP Inputs - Date range for requested content is invalid
2018-12-24  ADDON-20704   Add-on doesn't tag authentication events from o365 audit events
2018-10-23  ADDON-20076   Data duplicating multiple times over for o365:management:activity

    Workaround: Locate lines 117 - 119 in the file splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py, then change line 117 like this:

        # Round the current time up to the next UTC day boundary
        now = self._now() // 86400 * 86400 + 86400
        end_time = datetime.utcfromtimestamp(now)
        # Request the seven days ending at that boundary
        start_time = end_time - timedelta(days=7)

    This should limit the duplicates. However, Microsoft still duplicates o365:management:activity events on their side, which this change doesn't catch. For those, you can use dedup if needed:

        sourcetype="o365:management:activity" | dedup _raw

2018-06-11  ADDON-18373   Data ingestion may stop on Debian Linux Server

Third-party software attributions

Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.



This documentation applies to the following versions of Splunk® Supported Add-ons: released

