Related Answers
Download topic as PDF
Release history for the Splunk Add-on for Microsoft Office 365
The latest version of the Splunk Add-on for Microsoft Office 365 is version 4.5.1. See Release notes for the Splunk Add-on for Office 365 for the release notes of this latest version.
Version 4.5.0
Version 4.5.0 of the Splunk Add-on for Microsoft Office 365 was released on January 24, 2024.
Version 4.3.0 and higher is expected to have around 1% of event duplication for the Management Activity input in the Splunk platform due to duplicate events from the Microsoft API.
About this release
Version 4.5.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 8.2.x, 9.0.x |
| CIM | 5.0.0 |
| Supported OS | Platform independent |
| Vendor products | Microsoft Office 365 |
New features
Version 4.5.0 of the Splunk Add-on for Microsoft Office 365 has the following new features:
- CIM enhancements for MessageTrace Input :
- Provided CIM support of email data model for
o365:reporting:messagetracesourcetype. - Removed two fields
orig_srcandorig_recipient. - Added new fields such as
status_code,recipient_count,recipient_domain,src_user_domainas per email data model.
- Provided CIM support of email data model for
- CIM enhancements for Management Activity Input :
- Modified
reason,user, anduser_idfield extractions which are mapped to authentication data model foro365:management:activitysourcetype.
- Modified
Fixed Issues
Version 4.5.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
Known issues
Version 4.5.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.
| Date filed | Issue number | Description |
|---|---|---|
| 2022-05-09 | ADDON-51460 | O365 TA - Cloud App Security -> Cloud Discovery Input is not working |
Third-party software attributions
Version 4.5.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
Third-party software attributions for the Splunk Add-on for Microsoft Office 365
Version 4.4.0
Version 4.4.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 8.2.x, 9.0.x |
| CIM | 5.0.0 |
| Supported OS | Platform independent |
| Vendor products | Microsoft Office 365 |
New features
Version 4.4.0 of the Splunk Add-on for Microsoft Office 365 has the following new features:
- UI upgrades for compatibility with future versions of the Splunk software (Fast and intuitive UI with an improved look and feel).
- Tenant, Proxy & Logging tabs from Settings are moved under the Configuration tab. Removed Settings tab.
- Introduced Clone functionality for the Tenant and Inputs tab.
- Introduced more info functionality for the inputs in the UI inputs table.
- Fixed the data duplication issue in Message Trace Input in case of input interruption.
- Fixed the data collection issue caused by invalid skip token error in the graph API input.
Fixed Issues
Version 4.4.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
| Date resolved | Issue number | Description |
|---|---|---|
| 2023-11-27 | ADDON-63150 | : Invalid Skip Token Error for Graph Inputs |
| 2023-09-18 | ADDON-63506 | Duplicate data ingested because of failure during the pagination |
Known issues
Version 4.4.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.
| Date filed | Issue number | Description |
|---|---|---|
| 2022-05-09 | ADDON-51460 | O365 TA - Cloud App Security -> Cloud Discovery Input is not working |
Third-party software attributions
Version 4.4.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
Third-party software attributions for the Splunk Add-on for Microsoft Office 365
Version 4.3.0
Version 4.3.0 of the Splunk Add-on for Microsoft Office 365 was released on April 20th, 2023.
Version 4.3.0 and higher is expected to have around 1% of event duplication for the Management Activity input in the Splunk platform due to duplicate events from the Microsoft API.
About this release
Version 4.3.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 8.2.x, 9.0.x |
| CIM | 5.0.0 |
| Supported OS | Platform independent |
| Vendor products | Microsoft Office 365 |
New features
Version 4.3.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Improved data collection approach and checkpointing mechanism for management activity inputs for faster ingestion rates with lower memory usage.
- Added support for configurable Start date/time for management activity inputs.
- Optimized data collection and checkpointing mechanisms for Audit Logs and Service Health & Communications inputs with lower memory usage.
- Fixed the data duplication issue for Mailbox, Office 365, OneDrive, SharePoint, Teams and Yammer.
- Migrated to KVstore checkpoint for Audit Logs and Service Health & Communications, Mailbox, Office 365, OneDrive, SharePoint, Teams and Yammer from the current file-based checkpoint mechanism.
Fixed Issues
Version 4.3.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
| Date resolved | Issue number | Description |
|---|---|---|
| 2023-02-21 | ADDON-59901 | Management activity input data collection not working when listenOnIPV6=yes in web.conf and server.conf |
Known issues
Version 4.3.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.
| Date filed | Issue number | Description |
|---|---|---|
| 2023-07-19 | ADDON-63506 | Duplicate data ingested because of failure during the pagination |
| 2023-07-05 | ADDON-63150 | : Invalid Skip Token Error for Graph Inputs |
| 2022-05-09 | ADDON-51460 | O365 TA - Cloud App Security -> Cloud Discovery Input is not working |
Third-party software attributions
Version 4.3.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
Third-party software attributions for the Splunk Add-on for Microsoft Office 365
Version 4.2.1
After upgrading the Splunk Add-on for Microsoft Office 365 from 4.0.0 and higher to version 4.2.0 or higher, your Splunk platform deployment might receive duplicate events for a maximum of 7 days, due to a change in checkpoint logic. Duplicate events will stop ingesting after 7 days.
Versions 4.2.0 and higher of the Splunk Add-on for Microsoft Office 365 contain changes to the checkpoint mechanism for the Management activity input. See the Upgrade Steps section of the Upgrade topic in this manual.
Version 4.2.1 of the Splunk Add-on for Microsoft Office 365 was released on December 22nd, 2022.
About this release
Version 4.2.1 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 8.1.x, 8.2.x, 9.0.0 |
| CIM | 5.0.0 |
| Supported OS | Platform independent |
| Vendor products | Microsoft Office 365 |
New features
Version 4.2.1 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Fixed a bug related to getting 401 authorization errors for Management Activity inputs.
Versions 4.2.0 and later of this add-on use app key value store (KV store) collection functionality for checkpoints, in order to improve efficiency and optimize structuring. Versions 4.1.0 and earlier of the Splunk Add-on for Microsoft Office 365 used file-based checkpointing for the Management activity API input, which caused high memory issues for users.
KV store accelerations improve search performance by making searches that contain accelerated fields return faster. As a result, KV store will consume system memory when your input is running. If your Splunk platform deployment uses a lot of KV store, you must to scale up your Splunk platform deployment, so that the KV store functionality can run without any errors.
Fixed Issues
Version 4.2.1 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
| Date resolved | Issue number | Description |
|---|---|---|
| 2022-12-21 | ADDON-59068 | Getting 401 Authorization error for management activity inputs |
Known issues
Version 4.2.1 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues:
- Customers will experience a delay in event ingestion in v4.2.x due to KVstore performance on cloud architecture.
| Date filed | Issue number | Description |
|---|---|---|
| 2023-04-13 | ADDON-61818 | Repeated 401 Client errors when attempting to pull message trace data. Workaround: None Known |
| 2023-01-20 | ADDON-59901 | Management activity input data collection not working when listenOnIPV6=yes in web.conf and server.conf |
| 2022-05-09 | ADDON-51460 | O365 TA - Cloud App Security -> Cloud Discovery Input is not working |
Third-party software attributions
Version 4.2.1 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
Third-party software attributions for the Splunk Add-on for Microsoft Office 365
Version 4.2.0
After upgrading the Splunk Add-on for Microsoft Office 365 from 4.0.0 and higher to version 4.2.0 or higher, your Splunk platform deployment might receive duplicate events for a maximum of 7 days, due to a change in checkpoint logic. Duplicate events will stop ingesting after 7 days.
Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 contains changes to the checkpoint mechanism for the Management activity input. See the Upgrade Steps section of the Upgrade topic in this manual.
Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 was released on October 22nd, 2022.
About this release
Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 8.1.x, 8.2.x, 9.0.0 |
| CIM | 5.0.0 |
| Supported OS | Platform independent |
| Vendor products | Microsoft Office 365 |
New features
Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Added support of Message Trace to collect Message Trace data from Microsoft Office 365.
- Optimized Memory utilization for the Management Activity Input.
- Improved user experience by adding validations
Fixed Issues
Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
Known issues
Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.
| Date filed | Issue number | Description |
|---|---|---|
| 2023-01-20 | ADDON-59901 | Management activity input data collection not working when listenOnIPV6=yes in web.conf and server.conf |
| 2022-12-13 | ADDON-59068 | Getting 401 Authorization error for management activity inputs |
| 2022-05-09 | ADDON-51460 | O365 TA - Cloud App Security -> Cloud Discovery Input is not working |
Third-party software attributions
Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
Third-party software attributions for the Splunk Add-on for Microsoft Office 365
Version 4.1.0
Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 was released on July 28th, 2022.
About this release
Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 8.1.x, 8.2.x, 9.0.0 |
| CIM | 5.0.0 |
| Supported OS | Platform independent |
| Vendor products | Microsoft Office 365 |
New features
Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- For Management Activity Input, migrated from legacy authentication AADL to MSAL.
- Enhancements and improved user experience in Tenant configuration.
- Security fix for Cloud App Security. This requires upgrading to version 4.1.0 and higher of this add-on. See the upgrade topic in this manual.
-
Duplicate events fix for
Cloud App SecurityandManagement Activity:
After upgrading the Splunk Add-on for Microsoft Office 365 to version 4.1.0, due to a change in checkpoint logic, your Splunk platform deployment might receive duplicate events for a maximum of 7 days. Duplicate events will stop ingesting after 7 days. You may observe a rise in the usage of your deployment's memory/CPU resources.
Fixed Issues
Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
| Date resolved | Issue number | Description |
|---|---|---|
| 2022-08-01 | ADDON-50559 | Cannot reset expired Client Secret for Splunk Add-on for Microsoft Office 365 |
| 2022-07-13 | ADDON-49500 | version 2.2.0 - Duplicated Events for Management Activity and Cloud App Security inputs |
Known issues
Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.
| Date filed | Issue number | Description |
|---|---|---|
| 2023-01-18 | ADDON-59841 | Fix token refresh issue on top of O365 v4.1.0 |
| 2022-05-09 | ADDON-51460 | O365 TA - Cloud App Security -> Cloud Discovery Input is not working |
Third-party software attributions
Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
Third-party software attributions for the Splunk Add-on for Microsoft Office 365
Version 4.0.0
Version 4.0.0 of the Splunk Add-on for Microsoft Office 365 was released on May 18, 2022.
About this release
Version 4.0.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 8.0.x, 8.1.x, 8.2.x |
| CIM | 5.0.0 |
| Supported OS | Platform independent |
| Vendor products | Microsoft Office 365 |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features
Version 4.0.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.
-
Enhanced CIM support for below listed workloads of sourcetype
o365:management:activity.
AzureActiveDirectory
Exchange
SecurityComplianceCenter
SharePoint
OneDrive
MicrosoftTeams
MicrosoftForms
Yammer
SkypeForBusiness - Fixed Timestamp extractions issue for the o365:management:activity sourcetype.
- Fixed CIM tagging issues for the Authentication events of o365:management:activity sourcetype.
CIM field changes
Splunk Add-On for Microsoft Office 365 version 4.0.0 includes updated Common Information Model even tagging for o365:management:activity sourcetype events. These changes were made to more accurately match the nature of the events with the appropriate data model fields. Any search content that executes against the Common Information Model fields mapped to o365:management:activity events must be updated. Utilize this table of event field changes to inform updates to your search content.
See the following tables for information on field changes between 3.0.0 and 4.0.0 :
| Source-type | Workload | Operation | Fields added | Fields removed | |
|---|---|---|---|---|---|
['o365:management:activity']
|
AzureActiveDirectory | Add EligibleRoleAssignement to RoleDefinition., Add contact., Add policy., Finish applying group based license to users., Set directory feature on tenant., Set group license., Start applying group based license to users., Update service principal. | change_type, object_id, tenant_id, object_category, action, result | ||
['o365:management:activity']
|
Add application., Add device., Add group., Add member to group., Add member to role., Add user., Delete user., Update application., Update device., Update group., Update user. | tenant_id, result | |||
['o365:management:activity']
|
Add eligible member to role., Disable account., Remove member from role. | change_type, src_user_type, object_id, src_user, tenant_id, object_category, action, result | user_type | ||
['o365:management:activity']
|
Add owner to application. | tenant_id, result | object_id | ||
['o365:management:activity']
|
Add owner to group., Remove member from group., Remove service principal. | src_user_type, object_id, src_user, tenant_id, result | user_type | ||
['o365:management:activity']
|
Add role definition., Create company settings, Delete application., Delete contact., Delete role definition., Hard Delete group., Restore Group., pdate company settings, Update policy. | change_type, object_attrs, object_id, tenant_id, object_category, action, result | |||
['o365:management:activity']
|
Add service principal. | tenant_id, result, src_user_type | user_type | ||
['o365:management:activity']
|
Add unverified domain. | change_type, object, tenant_id, object_category, action, result | |||
['o365:management:activity']
|
Change user password., Reset user password. | tenant_id, result, src_user_type, object_id | user_type | ||
['o365:management:activity']
|
Delete group. | tenant_id, result, object_id | |||
['o365:management:activity']
|
Remove eligible member from role., Remove owner from application., Remove owner from group., Update StsRefreshTokenValidFrom Timestamp. | change_type, object_attrs, src_user_type, object_id, src_user, tenant_id, object_category, action, result | user_type | ||
['o365:management:activity']
|
Remove unverified domain. | change_type, object, object_attrs, tenant_id, object_category, action, result | |||
['o365:management:activity']
|
Restore user. | change_type, object_attrs, src_user_type, object_id, tenant_id, object_category, action, result | user_type | ||
['o365:management:activity']
|
Set user manager. | change_type, src_user_type, object_id, tenant_id, object_category, action, result | user_type | ||
['o365:management:activity']
|
UserLoggedIn, UserLoginFailed | tenant_id | object | ||
['o365:management:activity']
|
Verify domain. | object, tenant_id, result | action, object_attrs, change_type, object_category | ||
['o365:management:activity']
|
SharePoint | All | tenant_id | ||
['o365:management:activity']
|
AddAnAppNewListCreateButtonClick, LaunchPowerApp | object | |||
['o365:management:activity']
|
AddedToGroup | src_user_type | object_id | ||
['o365:management:activity']
|
AnonymousLinkCreated, AnonymousLinkUpdated, CommentsDisabled, FileDeletedFirstStageRecycleBin, FileRecycled, FileTranscriptRequested, FolderDeletedFirstStageRecycleBin, FolderRecycled, FolderRenamed, FolderRestored, ListDeleted, ListItemRecycled, ListItemRestored, ListRestored, SiteDesignInvoked, SiteLocksChanged | action, object_category | |||
['o365:management:activity']
|
AppStoreStorefrontLaunchAppStorePage, AppStoreStorefrontShowAppDetailsPage, SharingInheritanceBroken | object, object_id | |||
['o365:management:activity']
|
CommentCreated | object_attrs, object, change_type | |||
['o365:management:activity']
|
CompanyLinkCreated, FileDeleted, FileModified, FileModifiedExtended, FileMoved, FolderCreated, FolderDeleted, FolderModified, SharingSet | change_type, object_attrs, object_id | |||
['o365:management:activity']
|
DLPRuleMatch | object_category, category, dlp_type, severity, src_user, action | object_id | ||
['o365:management:activity']
|
FileAccessed, FileAccessedExtended, FileCheckOutDiscarded, FileCheckedIn, FileCopied, FilePreviewed, FileRenamed, FileRestored, FileVersionsAllDeleted, PageViewed, PageViewedExtended, SecureLinkCreated, SharingRevoked | object_id | |||
['o365:management:activity']
|
FileUploaded | object_size | change_type, object_attrs, object_id | ||
['o365:management:activity']
|
FolderCopied, FolderMoved | action, object_category | object | ||
['o365:management:activity']
|
HubSiteRegistered, HubSiteUnregistered, ListContentTypeDeleted, ListContentTypeUpdated, ListViewCreated, PermissionLevelRemoved, SecureLinkUpdated, SiteContentTypeCreated, SiteDeleted, SiteIBModeSet, SiteRenameScheduled | object_category, change_type, object_attrs, action | |||
['o365:management:activity']
|
ListColumnCreated, ListColumnUpdated, ListCreated, ListUpdated | object_attrs, change_type | |||
['o365:management:activity']
|
ListColumnDeleted, ListItemCreated | action, object_category, object_attrs | |||
['o365:management:activity']
|
RemovedFromSecureLink, RemovedFromSiteCollection | object_category, change_type, object_attrs, src_user, action, src_user_type | user_type | ||
['o365:management:activity']
|
SearchQueryPerformed | action, object_category | object_path, object | ||
['o365:management:activity']
|
OneDrive | All | tenant_id, result, action, object_category | ||
['o365:management:activity']
|
AddedToGroup, GroupAdded, PermissionLevelAdded, SiteCollectionCreated, SharingPolicyChanged, ShortcutAdded, SiteCollectionAdminRemoved, SiteCollectionAdminAdded, SiteCollectionQuotaModified | change_type | |||
['o365:management:activity']
|
AddedToGroup, AnonymousLinkCreated, GroupAdded, PermissionLevelAdded, SiteCollectionCreated, ShortcutAdded, SiteCollectionAdminRemoved, SiteCollectionQuotaModified | object_attrs | |||
['o365:management:activity']
|
AddedToGroup | src_user, src_user_type | user_type | ||
['o365:management:activity']
|
AnonymousLinkCreated, PermissionLevelAdded, SiteCollectionCreated, ListColumnCreated, ListItemCreated, SharingPolicyChanged | object_path | |||
['o365:management:activity']
|
DLPRuleMatch, DLPRuleUndo | dlp_type, category, severity, src_user, object_path | |||
['o365:management:activity']
|
FileDownloaded, FileModified, FileModifiedExtended | object_size | |||
['o365:management:activity']
|
GroupAdded, ListColumnCreated, ListItemCreated, ListCreated, ListViewed, SharingInheritanceBroken | object_id | |||
['o365:management:activity']
|
PermissionLevelAdded, SiteCollectionCreated, SearchQueryPerformed, SharingPolicyChanged, SiteCollectionQuotaModified | object_id | object | ||
['o365:management:activity']
|
SiteLocksChanged | object_id | object, object_attrs | ||
['o365:management:activity']
|
Exchange | All | tenant_id, result, object_id | ||
['o365:management:activity']
|
Add-RecipientPermission, New-MailContact, New-Mailbox, Remove-MailContact, Remove-RoleGroupMember, Set-AdminAuditLogConfig, Set-Mailbox, Set-User | object_category, src_user_type, object_attrs, change_type, action, src_user | user_type | ||
['o365:management:activity']
|
AddFolderPermissions, ModifyFolderPermissions | object_category, object_attrs, dest, change_type, user_agent, dest_name, action, object, client_info_str | |||
['o365:management:activity']
|
Create, Update | object_category, owner_id, parent_object, owner, object_path, dest, object, user_agent, object_size, action, owner_email, dest_name, app_id, parent_object_id, client_info_str | |||
['o365:management:activity']
|
DlpRuleMatch | recipient_domain, file_name, subject, orig_src, recipient_count, src_user_domain, action, src_user, message_id, recipient, file_size, size | |||
['o365:management:activity']
|
Enable-AddressListPaging, New-App, New-ManagementRoleAssignment, New-RoleGroup, Remove-Mailbox, Remove-RoleGroup, Remove-UnifiedGroup, Set-ConditionalAccessPolicy, Set-ExchangeAssistanceConfig, Set-OrganizationConfig, Set-RoleGroup, Set-TransportConfig | object_category, object_attrs, change_type, action | |||
['o365:management:activity']
|
MailboxLogin | dest, user_agent, dest_name, action, object, client_info_str | |||
['o365:management:activity']
|
Move, MoveToDeletedItems | object_category, owner_id, parent_object, owner, object_path, dest, object, user_agent, dest_name, action, owner_email, app_id, parent_object_id, client_info_str | |||
['o365:management:activity']
|
SoftDelete | object_category, owner_id, parent_object, owner, dest, object, user_agent, dest_name, action, owner_email, app_id, parent_object_id, client_info_str | |||
['o365:management:activity']
|
SecurityComplianceCenter | All | tenant_id, result | object | |
['o365:management:activity']
|
AlertEntityGenerated, AlertTriggered, AlertUpdated | signature_id, description, id, type, severity, body | object | ||
['o365:management:activity']
|
AuthorizeDataInsightsSubscription, SearchAlert, SearchAlertAggregate, SearchConnectorReportData, SearchCustomTag, SearchCustomerInsight, SearchDataInsightsSubscription, SearchMailflowForwardingData, SearchMtpRoleInfo, SearchMtpStatus, SearchNonAcceptedDomainDetailData, SearchSecurityRedirection, SearchTrialOffer, ValidaterbacAccessCheck | dest_name, dest | |||
['o365:management:activity']
|
Get-ComplianceTag, Get-DlpCompliancePolicy, Get-DlpComplianceRule, Get-DlpDetectionsReport, Get-DlpSiDetectionsReport, Get-Label, Get-PolicyConfig, Get-ProtectionAlert, Get-RetentionCompliancePolicy | object | |||
['o365:management:activity']
|
Get-DlpSensitiveInformationType, New-ProtectionAlert, Remove-DlpCompliancePolicy, Remove-DlpComplianceRule | action, change_type, object_category, object_attrs | |||
['o365:management:activity']
|
InsightGenerated | description, id, type, severity, body | object | ||
['o365:management:activity']
|
New-DlpCompliancePolicy, New-DlpComplianceRule, Set-DlpCompliancePolicy, Set-DlpComplianceRule | action, change_type, object_category, object_attrs, object_id | |||
['o365:management:activity']
|
MicrosoftTeams | AppInstalled, BotAddedToTeam, ChannelAdded, ChannelDeleted, ConnectorAdded, MemberAdded, MessageCreatedHasLink, MessageDeleted, OpenShiftAdded, OpenShiftDeleted, RequestAdded, RequestRespondedTo, ScheduleGroupAdded, ScheduleGroupEdited, ScheduleSettingChanged, ShiftAdded, TabAdded, TabUpdated, TeamCreated, TeamDeleted, TeamSettingChanged, TimeOffAdded, TimeOffDeleted, TimeOffEdited | result, tenant_id, change_type, object, dest, object_attrs, object_category, action, object_id, dest_name | ||
['o365:management:activity']
|
CreatedApproval | tenant_id, change_type, object_attrs, object_category, action, object_id, result | |||
['o365:management:activity']
|
TeamsSessionStarted | action, tenant_id, result | object, authentication_service | ||
['o365:management:activity']
|
MicrosoftForms | AllowAnonymousResponse, AllowShareFormForCopy, CreateForm, CreateResponse, DeleteAllResponses, DeleteResponse, DeleteSummaryLink, DisableSpecificResponse, DisallowAnonymousResponse, EditForm, EnableSpecificResponse, EnableWorkOrSchoolCollaboration, GetSummaryLink, UpdateFormSetting, UpdateResponse, ViewForm, ViewResponses, ViewRuntimeForm | tenant_id, action, object_category, result, object_id | ||
['o365:management:activity']
|
ListForms | tenant_id, action, dest_name, dest, result, object_category | |||
['o365:management:activity']
|
SkypeForBusiness | Get-CsTeamsUpgradeOverridePolicy | change_type, result, dest_name, dest, object_id, object_category, tenant_id, object_attrs, action, object | ||
['o365:management:activity']
|
Yammer | GroupCreation, MessageDeleted | result, object_id, owner_email, tenant_id, object_category, email, action |
CIM model changes
See the following CIM model changes between 3.0.0 and 4.0.0:
| WorkLoad | Operation | Previous CIM model | New CIM model |
|---|---|---|---|
| AzureActiveDirectory | Add application., Add group., Delete group., Update application – Certificates and secrets management , Update application., Update group. | Change.Account_Management | Change.All_Changes |
| Verify domain. | Change.Account_Management | ||
| Add EligibleRoleAssignement to RoleDefinition., Add contact., Add policy., Add role definition., Add unverified domain., Create company settings, Delete application., Delete contact., Delete role definition., Finish applying group based license to users., Hard Delete group., Remove unverified domain., Restore Group., Set directory feature on tenant., Set group license., Start applying group based license to users., Update company settings, Update policy., Update service principal. | Change.All_Changes | ||
| Add eligible member to role., Disable account., Remove eligible member from role., Remove member from role., Remove owner from application., Remove owner from group., Restore user., Set user manager., Update StsRefreshTokenValidFrom Timestamp. | Change.Account_Management | ||
| SharePoint | AddedToGroup, GroupAdded, GroupRemoved, GroupUpdated, PermissionLevelAdded, SharingPolicyChanged, SiteCollectionAdminAdded, SiteCollectionAdminRemoved, SiteCollectionCreated, SiteCollectionQuotaModified, SiteRenamed | Change.Endpoint_Changes | Change.All_Changes |
| CommentCreated, CompanyLinkCreated, FileDeleted, FileModified, FileModifiedExtended, FileMoved, FileUploaded, FolderCreated, FolderDeleted, FolderModified, ListColumnCreated, ListColumnUpdated, ListCreated, ListUpdated, SharingSet | Change.Endpoint_Changes | ||
| DLPRuleMatch | DLP | ||
| HubSiteRegistered, HubSiteUnregistered, ListContentTypeDeleted, ListContentTypeUpdated, ListViewCreated, PermissionLevelRemoved, SecureLinkUpdated, SiteContentTypeCreated, SiteDeleted, SiteIBModeSet, SiteRenameScheduled | Change.All_Changes | ||
| RemovedFromSecureLink, RemovedFromSiteCollection | Change.Account_Management | ||
| OneDrive | AddedToGroup | Change.Account_Management | |
| DLPRuleMatch, DLPRuleUndo | DLP | ||
| GroupAdded, PermissionLevelAdded, SharingPolicyChanged, ShortcutAdded, SiteCollectionAdminAdded, SiteCollectionAdminRemoved, SiteCollectionCreated, SiteCollectionQuotaModified | Change.All_Changes | ||
| Exchange | Add-RecipientPermission, New-MailContact, New-Mailbox, Remove-MailContact, Remove-RoleGroupMember, Set-AdminAuditLogConfig, Set-Mailbox, Set-User | Change.Account_Management | |
| AddFolderPermissions, Enable-AddressListPaging, ModifyFolderPermissions, New-App, New-ManagementRoleAssignment, New-RoleGroup, Remove-Mailbox, Remove-RoleGroup, Remove-UnifiedGroup, Set-ConditionalAccessPolicy, Set-ExchangeAssistanceConfig, Set-OrganizationConfig, Set-RoleGroup, Set-TransportConfig | Change.All_Changes | ||
| DlpRuleMatch | Email.Filtering | ||
| MailboxLogin | Authentication | ||
| SecurityComplianceCenter | AlertEntityGenerated, AlertTriggered, AlertUpdated, InsightGenerated | Alerts | |
| Get-DlpSensitiveInformationType, New-DlpCompliancePolicy, New-DlpComplianceRule, New-ProtectionAlert, Remove-DlpCompliancePolicy, Remove-DlpComplianceRule, Set-DlpCompliancePolicy, Set-DlpComplianceRule | Change.All_Changes | ||
| MicrosoftTeams | AppInstalled, BotAddedToTeam, ChannelAdded, ChannelDeleted, ConnectorAdded, CreatedApproval, MemberAdded, MessageCreatedHasLink, MessageDeleted, OpenShiftAdded, OpenShiftDeleted, RequestAdded, RequestRespondedTo, ScheduleGroupAdded, ScheduleGroupEdited, ScheduleSettingChanged, ShiftAdded, ShiftDeleted, TabAdded, TabUpdated, TeamCreated, TeamDeleted, TeamSettingChanged, TimeOffAdded, TimeOffDeleted, TimeOffEdited | Change.All_Changes | |
| TeamsSessionStarted | Authentication | ||
| SkypeForBusiness | Get-CsTeamsUpgradeOverridePolicy | Change.All_Changes |
Fixed Issues
Version 4.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
Known issues
Version 4.0.0of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.
Third-party software attributions
Version 4.0.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
- axios
- certifi
- chardet
- dateutil
- debug
- follow-redirects
- future
- idna
- is-buffer
- ms
- qs
- requests
- six.py
- sortedcontainers
- u-msgpack-python
- urllib3
Version 3.0.0
Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 was released on February 11, 2022.
About this release
Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 8.0.x, 8.1.x, 8.2.x |
| CIM | 4.20 |
| Supported OS | Platform independent |
| Vendor products | Microsoft Office 365 |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features
Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Changed from using the Service Communications API (now deprecated by Microsoft) to using the new Microsoft Graph API for Service Health & Communication events.
This new API changes the structure how data is ingested by the Splunk software. The following source types have had to be updated:
Retired source types:
o365:service:statuso365:service:message
New source types:
o365:service:healthIssueo365:service:updateMessage
To learn about the type of data these new source types represent coming through the Graph API, see the Overview for accessing service health and communications in Microsoft Graph topic in the Microsoft's Graph API documentation.
If upgrading to version 3.0.0 or later, disable
ServiceHealth.Read.Allin Office 365 Management APIs, and enableServiceHealth.Read.Allin Microsoft Graph. - Enhanced the Add Input menu for ease of use. This menu includes the new Microsoft Graph API for Service Health & Communication events, and also reflects the various Graph API data categories we already support, in a more logical taxonomy.
- Added API request throttling when making too many requests to the Microsoft APIs.
Fixed Issues
Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
Known issues
Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.
Third-party software attributions
Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
- axios
- certifi
- chardet
- dateutil
- debug
- follow-redirects
- future
- idna
- is-buffer
- ms
- qs
- requests
- six.py
- sortedcontainers
- u-msgpack-python
- urllib3
Version 2.2.0
Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 was released on October 13, 2021.
About this release
Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x, 8.1.x |
| CIM | 4.20 |
| Supported OS | Platform independent |
| Vendor products | Microsoft Office 365 |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features
Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Common Information Model (CIM) version 4.20 compatibility and enhanced CIM mapping.
- Enhanced CIM mapping for the following sourcetypes:
o365:management:activityo365:service:statuso365:service:messageo365:cas:apio365:graph:api
- Added support for the Alerts CIM data model for the following sourcetypes:
o365:service:statuso365:service:messageo365:cas:api
- Updates to the lookup
splunk_ta_o365_cim_change_analysis.csv - Updates to the lookup
splunk_ta_o365_cim_data_access.csv
Self-service app install (SSAI) upgrades do not automatically update the lookups with the latest values. To fix this, upgrade the add-on, then manually update the lookup files using the lookup files from the latest version of this add-on.
Field changes
The following sections contain information on fields and data models that have been added, modified, or removed in this release.
Fields added and removed
The following tables display the fields that have been added and removed in this release, listed by sourcetype.
| Sourcetype | Operation | Fields added | Fields removed |
|---|---|---|---|
o365:management:activity
|
AccessRequestCreated, GroupRemoved, GroupUpdated, SiteCollectionCreated, AccessRequestRejected, SharingSet, RemovedFromGroup, AccessRequestApproved, AddedToGroup, GroupAdded, SharingRevoked | status, authentication_service, dest_name, result, object_attrs | |
o365:management:activity
|
Add application. | env_name, env_seqNum, authentication_service, targetName, correlationId, env_appVer, dataset_name, targetObjectId, ResultStatusDetail, user_agent, tag, modified_properties_new_value, auditEventCategory, env_popSample, env_time, env_cloud_name, modified_properties_name, action, actorUPN, nCloud, env_iKey, env_flags, tag::eventtype, env_cv, actorPUID, FlowTokenScenario, authentication_method, targetContextId, env_cloud_deploymentUnit, UserAuthenticationMethod, change_type, actorObjectClass, object_category, version, KeepMeSignedIn, actorAppID, targetSPN, eventtype, actorObjectId, additionalTargets, dest_name, env_epoch, env_cloud_roleVer, UserAgent, extended_properties, user_agent_change, env_cloud_ver | object_path, reason, modified_properties_mv |
o365:management:activity
|
Add device. | authentication_service, correlationId, dataset_name, tag, modified_properties_new_value, env_cloud_name, modified_properties_name, action, actorContextId, object_attrs, tag::eventtype, actorPUID, change_type, object_category, env_ver, actorAppID, targetSPN, eventtype, dest_name, extended_properties, modified_properties | object_id, object_path |
o365:management:activity
|
Add group. | auditEventCategory, modified_properties, targetContextId, modified_properties_name, authentication_service, additionalDetails, env_ver, env_cv, dest_name, env_cloud_roleVer, object_attrs, extended_properties, targetIncludedUpdatedProperties, user_agent, modified_properties_new_value, user_agent_change | object_id, object_path |
o365:management:activity
|
Add member to group. | actorAppID, env_time, env_cloud_name, modified_properties_name, authentication_service, targetSPN, src_user, dest_name, actorUPN, object_attrs, extended_properties, teamName, env_cv, modified_properties_new_value, modified_properties | object_id, object_path |
o365:management:activity
|
Add member to role. | modified_properties, targetContextId, modified_properties_name, authentication_service, env_cloud_deploymentUnit, additionalDetails, targetName, correlationId, dest_name, nCloud, object_attrs, extended_properties, user_agent, modified_properties_new_value, env_appId, user_agent_change | object_id, object_path |
o365:management:activity
|
Add owner to application. | modified_properties, modified_properties_name, authentication_service, env_cloud_deploymentUnit, targetSPN, env_epoch, dest_name, env_cloud_roleVer, object_attrs, extended_properties, version, env_cloud_environment, user_agent, modified_properties_new_value, user_agent_change | object_id, object_path |
o365:management:activity
|
Add owner to service principal. | authentication_service, dest_name, object_attrs, extended_properties, user_agent, user_agent_change | object_id, object_path |
o365:management:activity
|
Add service principal. | env_name, env_seqNum, authentication_service, targetName, targetObjectId, ResultStatusDetail, targetIncludedUpdatedProperties, env_cloud_environment, user_agent, modified_properties_new_value, auditEventCategory, env_osVer, env_popSample, env_cloud_name, modified_properties_name, src_user, RequestType, actorUPN, nCloud, env_iKey, env_cv, actorPUID, env_appId, FlowTokenScenario, resultDescription, authentication_method, env_cloud_deploymentUnit, env_os, UserAuthenticationMethod, actorObjectClass, version, KeepMeSignedIn, env_ver, actorAppID, actorObjectId, env_epoch, dest_name, env_cloud_roleVer, result, env_cloud_roleInstance, extended_properties, teamName, user_agent_change, actorContextId | object_path, modified_properties_mv |
o365:management:activity
|
Add user. | env_seqNum, modified_properties_name, authentication_service, src_name, targetName, dest_name, env_cloud_roleVer, env_appVer, actorContextId, env_cloud_role, object_attrs, extended_properties, teamName, modified_properties_new_value, modified_properties | object_id, object_path |
o365:management:activity
|
FolderDeleted, SiteCollectionQuotaModified, SecureLinkCreated, CommentCreated, ListColumnCreated, ListViewUpdated, PermissionLevelAdded, WebMembersCanShareModified, CommentDeleted, ListUpdated, WebRequestAccessModified, ListColumnUpdated, ListCreated, WebAccessRequestApproverModified, CompanyLinkCreated, FolderModified, AddedToSecureLink, FolderCreated | status, authentication_service, action, eventtype, dest_name, dataset_name, result, object_attrs, change_type, object_category, tag::eventtype, tag | |
o365:management:activity
|
SharingInheritanceBroken, ClientViewSignaled, ListViewed, PageViewed, PagePrefetched, PageViewedExtended | status, authentication_service, action, eventtype, dest_name, dataset_name, result, object_category, tag::eventtype, tag | |
o365:management:activity
|
Delete user. | actorAppID, env_osVer, modified_properties_name, authentication_service, extendedAuditEventCategory, actorObjectId, dest_name, env_cloud_roleVer, object_attrs, env_flags, env_cloud_environment, extended_properties, modified_properties_new_value, modified_properties | object_id, object_path |
o365:management:activity
|
FileCheckedOut, FileCheckedIn, FileCheckOutDiscarded, FileCopied, FileAccessed, FileDownloaded | status, authentication_service, dest_name, result, tag::object_category | change_type |
o365:management:activity
|
FilePreviewed, FileAccessedExtended | status, authentication_service, action, eventtype, dest_name, dataset_name, result, tag::object_category, object_category, tag::eventtype, tag | |
o365:management:activity
|
FileMoved, FileModified, FileDeleted, FileRestored, FileRenamed, FileUploaded | status, authentication_service, dest_name, result, tag::object_category, object_attrs | |
o365:management:activity
|
FileVersionsAllDeleted, FileModifiedExtended | status, authentication_service, action, eventtype, dest_name, dataset_name, result, tag::object_category, object_attrs, change_type, object_category, tag::eventtype, tag | |
o365:management:activity
|
SiteCollectionAdminRemoved, SharingPolicyChanged, SiteColumnCreated | status, authentication_service, action, eventtype, dest_name, dataset_name, result, object_attrs, change_type, object_category, tag::eventtype, tag | src, src_ip |
o365:management:activity
|
SiteCollectionAdminAdded | status, authentication_service, dest_name, result, object_attrs | src, src_ip |
o365:management:activity
|
Update application. | env_name, env_seqNum, authentication_service, env_cloud_ver, targetName, correlationId, resultType, env_appVer, dataset_name, ResultStatusDetail, targetIncludedUpdatedProperties, env_cloud_environment, tag, user_agent, modified_properties_new_value, env_popSample, env_time, env_cloud_name, modified_properties_name, action, RequestType, env_cloud_role, env_iKey, env_flags, tag::eventtype, env_cv, env_appId, FlowTokenScenario, authentication_method, targetContextId, env_cloud_deploymentUnit, env_os, src_name, UserAuthenticationMethod, change_type, actorObjectClass, object_category, env_ver, actorAppID, targetSPN, eventtype, additionalTargets, dest_name, env_epoch, env_cloud_roleVer, result, env_cloud_roleInstance, extended_properties, user_agent_change, actorContextId | object_id, object_path, modified_properties_mv |
o365:management:activity
|
Update device. | authentication_service, targetName, dataset_name, tag, modified_properties_new_value, auditEventCategory, modified_properties_name, action, env_iKey, tag::eventtype, env_cv, actorPUID, env_cloud_deploymentUnit, change_type, object_category, eventtype, actorObjectId, dest_name, extended_properties, env_cloud_ver | object_id, object_path, modified_properties_mv |
o365:management:activity
|
Update group. | modified_properties_name, authentication_service, env_cloud_ver, env_epoch, correlationId, dest_name, actorContextId, actorUPN, env_cloud_roleInstance, object_attrs, extended_properties, version, modified_properties_new_value, modified_properties | object_id, object_path |
o365:management:activity
|
Update user. | env_name, env_seqNum, authentication_service, targetName, correlationId, targetObjectId, targetIncludedUpdatedProperties, env_cloud_environment, user_agent, modified_properties_new_value, modified_properties, env_popSample, env_time, modified_properties_name, env_cloud_role, actorUPN, object_attrs, nCloud, env_flags, env_iKey, env_cv, actorPUID, env_appId, FlowTokenScenario, resultDescription, authentication_method, env_cloud_deploymentUnit, env_os, src_name, UserAuthenticationMethod, actorObjectClass, KeepMeSignedIn, additionalDetails, env_ver, actorAppID, targetSPN, actorObjectId, additionalTargets, dest_name, env_cloud_roleVer, env_cloud_roleInstance, UserAgent, extended_properties, teamName, extendedAuditEventCategory, actorContextId | object_path, reason |
o365:management:activity
|
UserLoggedIn | FlowTokenScenario, actorAppID, authentication_method, targetContextId, env_seqNum, targetSPN, authentication_service, RequestType, dest_name, correlationId, ResultStatusDetail, actorUPN, UserAuthenticationMethod, tag::action, extended_properties, teamName, env_ver | object_id, modified_properties, object_path, object_attrs, reason, modified_properties_mv |
o365:management:activity
|
UserLoginFailed | env_name, authentication_service, env_cloud_environment, env_osVer, env_popSample, nCloud, env_cv, env_appId, FlowTokenScenario, env_os, actorObjectClass, tag::action, KeepMeSignedIn, actorAppID, additionalTargets, dest_name, result, extended_properties, extendedAuditEventCategory | object_id, IsCompliantAndManaged, SessionId, object_path, BrowserType |
| Sourcetype | Status | Fields added | Fields removed |
|---|---|---|---|
o365:service:status
|
ServiceOperational, ServiceRestored, ServiceDegradation | tag::eventtype, signature, eventtype, type, dest, severity, app, id, tag, description |
| Sourcetype | ImpactDescription | Fields added | Fields removed |
|---|---|---|---|
o365:service:message
|
Users may be unable to view shared calendars within the Outlook client or Outlook on the web services., Admins were unable to access the Microsoft Secure Score webpage via the Microsoft 365 security center., Admins may see Microsoft 365 app usage and productivity score reports data delayed after June 30, 2021., Admins may have experienced delayed data in Productivity score reports from the Microsoft 365 admin center., Users may be unable to use the multi-language spellcheck feature of the Microsoft Teams desktop client., Users may have intermittently been unable to connect to the OneDrive for Business service., null, Admins see some users' Outlook Desktop activity isn't showing up in usage reports., Users are unable to create Skype account., Admins may experience a delay in receiving messages., Users may have been unable to use the search function in SharePoint Online., Users may have been unable to sign in to Outlook., Users may have been unable to sign in to Skype., Users are unable to create Outlook account., Admins may have been unable to install O365., Users saw an error and were unable to access the "Shared by you" tab in OneDrive for Business., Admins may have seen a delay in updated data for Skype for Business usage reports within the Microsoft 365 admin center., Admins are unable to exclude errors., Users were seeing errors when downloading records with 10,000 or more entries from the Security and Compliance Center. | tag::eventtype, signature, body, eventtype, type, dest, severity, app, id, tag, description |
| Sourcetype | isSystemAlert | Fields added | Fields removed |
|---|---|---|---|
o365:cas:api
|
true | app, signature, src, eventtype, type, dest, severity, severity_id, tag::eventtype, user, tag |
| Sourcetype | policyType | Fields added | Fields removed |
|---|---|---|---|
o365:cas:api
|
NEW_SERVICE | app, signature, src, eventtype, type, severity, severity_id, tag::eventtype, tag |
| Sourcetype | sourcetype | Fields added | Fields removed |
|---|---|---|---|
o365:graph:api
|
o365:graph:api | eventtype |
Fields modified
The following tables display the fields that have been modified in this release, listed by sourcetype.
| Sourcetype | CIM Field | Operation | Vendor Field Before | Vendor field after | Sample value before | Sample value after |
|---|---|---|---|---|---|---|
o365:management:activity
|
user | Add member to role., Add member to group. | UserId | ObjectId | abcd@27cf00f56f558d8859778b97.example.com | abcdefghi@d10b5fea7bd2276be1bba7cd.qwertyu.com |
o365:management:activity
|
user_id | UserLoggedIn, UserLoginFailed | UserId | Actor{}.ID where Actor{}.Type=3 | abcd@27cf00f56f558d8859778b97.example.com | 10037FFE8EC1E08E |
o365:management:activity
|
reason | where ResultStatus indicates "failure", such as UserLoginFailed | LogonError | resultDescription OR ResultStatusDetail | InvalidUserNameOrPassword | UserError |
o365:management:activity
|
status | All where ResultStatus IN (failed, failure, success, succeeded) | ResultStatus | ResultStatus | failure, failed, success, succeeded | failure, success |
o365:management:activity
|
dvc | where Workload=SharePoint | Workload | ObjectId | SharePoint | a830edad9050849nda3079.sharepoint.com |
o365:management:activity
|
modified_properties | Add application.,Add service principal.,Update application., Update device. | ModifiedProperties{} from the event | ModifiedProperties{} from the event | AppId, AppIdentifierUri, AvailableToOtherTenants, DisplayName, Entitlement, PublicClient, WwwHomepage | ISAD7.1|primary|a\"\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AppId, AppIdentifierUri, AvailableToOtherTenants, DisplayName, Entitlement, PublicClient, WwwHomepage","OldValue":""} |
o365:management:activity
|
object_category | Add service principal. | Static value: user | Static value: ServicePrincipal | ||
o365:management:activity
|
object_category | Update group. | Static value: user, group | Static value: group | ||
o365:management:activity
|
object_category | SiteCollectionCreated | Static value: user | Static value: site | ||
o365:management:activity
|
change_type | AccessRequestApproved,
AccessRequestRejected, SharingSet |
Static Value: user | Static Value: AAA | ||
o365:management:activity
|
change_type | SiteCollectionCreated | Static Value: user | Static Value: collection | ||
o365:management:activity
|
dest | Add application., Add user., Update user., Delete user., Add group., Add device., Update device, Update application., Add owner to application., Add service principal., Add member to group., Add member to role, etc. where env_cloud_name present inside ExtendedProperties{} in the event | ObjectId | env_cloud_name OR ObjectId | abcdef@705e62b9e1c0c47a2c4e0709.example.com | MSO-BY1 |
o365:management:activity
|
dest | UserLoggedIn, UserLoginFailed | ObjectId | Static value: Microsoft Office 365 AzureActiveDirectory | 797f4846-ba00-4fd7-ba43-dac1f8f63013 | Microsoft Office 365 AzureActiveDirectory |
o365:management:activity
|
dest | If env_cloud_name is not present in the event, then ObjectId will be dest | ObjectId | ObjectId | ||
o365:management:activity
|
action | AccessRequestRejected | Static Value: unknown | Static Value: deleted | ||
o365:management:activity
|
action | FileCheckOutDiscarded | Static Value: modified | Static Value: read | ||
o365:management:activity
|
action | FileCheckedIn | Static Value: created | Static Value: read | ||
o365:management:activity
|
action | FileCopied | Static value: read | Static value: copied | ||
o365:management:activity
|
action | FileDownloaded | Static value: read | Static value: downloaded | ||
o365:management:activity
|
action | Add group.,SharingSet | Static Value: modified | Static Value: created | ||
o365:management:activity
|
object_attrs | Add user., Update user., Add group., Add device., Add application., etc. | ModifiedProperties{} from the event, a list of attributes that were modified | ModifiedProperties{} from the event, but it will be key=value pair of relevant and necessary attributes | StsRefreshTokensValidFrom, UserType, AccountEnabled, UserPrincipalName | UserPrincipalName=abcdef@705e62b9e1c0c47a2c4e0709.example.com, AccountEnabled=true, UserType=Member |
o365:management:activity
|
object_attrs | Update group., Update application. | ModifiedProperties{} from the event, a list of attributes that were modified | object_category | LastDirSyncTime | group, application |
o365:management:activity
|
object | Add group., Update group., Add device., Update device. Add application., Update application., Add service principal. | ObjectId | targetName | Not Available | APP_User_Adobe_Sign, EBIZ_SAP_PP_USR, iPad-ABCD1234, Fraedom Flexipurchase |
o365:management:activity
|
object_id | where Workload=AzureActiveDirectory | ObjectId | targetObjectId from ExtendedProperties{} in the evnet | abcdef@705e62b9e1c0c47a2c4e0709.example.com | 93a565f6-d0fc-4ac3-9d2a-8c1de9aeed3c |
| Sourcetype | CIM Field | isSystemAlert=true | Vendor Field Before | Vendor field after | Sample value before | Sample value after |
|---|---|---|---|---|---|---|
o365:cas:api
|
description | where description="" OR isnull(description) | description | title | empty | System alert: Deprecation of Label Management in the Azure Portal,
System alert: Service health status page deprecation |
Modified data models
The following table displays the CIM data models that have been modified in this release, listed by sourcetype.
| Sourcetype | Operation | Previous CIM model | New CIM model |
|---|---|---|---|
o365:management:activity
|
FileAccessed, FileCheckedOut, FileCheckOutDiscarded, FileCopied, FileCheckedIn, FileDownloaded | Change:Endpoint_Changes | Data Access |
Fixed Issues
Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
Known issues
Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.
| Date filed | Issue number | Description |
|---|---|---|
| 2022-03-22 | ADDON-49500 | version 2.2.0 - Duplicated Events for Management Activity and Cloud App Security inputs |
| 2019-04-09 | ADDON-21696 | Data duplication issue over multiple content URL in o365:management:activity input Workaround: Handle possible duplication at search time, for example with "| dedup Id" , or using a "| stats dc(Id) AS count" instead of a straight count of events (this is assuming that "Id" is unique in the data returned by the search) |
Third-party software attributions
Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
- axios
- certifi
- chardet
- dateutil
- debug
- follow-redirects
- future
- idna
- is-buffer
- ms
- qs
- requests
- six.py
- sortedcontainers
- u-msgpack-python
- urllib3
Version 2.1.0
Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 was released on June 25, 2021.
About this release
Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x |
| CIM | 4.18 |
| Supported OS | Platform independent |
| Vendor products | Microsoft Office 365 |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features
Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.
Two new sourcetypes:
- Cloud Application Security -
o365:cas:api- All service policies, alerts and entities visible through the Microsoft cloud application security portal.
- Graph API -
o365:graph:api- Audit events and reports visible through the microsoft graph api endpoints. This includes all log events and reports visible through the Microsoft Graph API.
Fixed Issues
Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
Known issues
Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.
Third-party software attributions
Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
- axios
- certifi
- chardet
- dateutil
- debug
- follow-redirects
- future
- idna
- is-buffer
- ms
- qs
- requests
- six.py
- sortedcontainers
- u-msgpack-python
- urllib3
Version 2.0.3
Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 was released on January 15, 2021.
About this release
Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x |
| CIM | 4.16 |
| Supported OS | Platform independent |
| Vendor products | Microsoft Office 365 |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features
Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Security bug fixes.
Fixed Issues
Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.
Known issues
Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.
Third-party software attributions
Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
- axios
- certifi
- chardet
- dateutil
- debug
- follow-redirects
- future
- idna
- is-buffer
- ms
- qs
- requests
- six.py
- sortedcontainers
- u-msgpack-python
- urllib3
Version 2.0.2
Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 was released on May 1, 2020.
About this release
Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x |
| CIM | 4.16 |
| Supported OS | Platform independent |
| Vendor products | Microsoft Office 365 |
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
New features
Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Improved Support for the Authentication CIM Model.
Fixed Issues
Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 contains the following fixed issues.
Known issues
Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.
Third-party software attributions
Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
- axios
- certifi
- chardet
- dateutil
- debug
- follow-redirects
- future
- idna
- is-buffer
- ms
- qs
- requests
- six.py
- sortedcontainers
- u-msgpack-python
- urllib3
Version 2.0.1
Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 was released on March 14, 2020.
About this release
Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x |
| CIM | 4.12 |
| Supported OS | Platform independent |
| Vendor products | Microsoft Office 365 |
New features
Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Default Python3 support.
Fixed Issues
Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 contains the following fixed issues.
| Date resolved | Issue number | Description |
|---|---|---|
| 2019-09-10 | ADDON-22238 | web.conf settings cause other apps settings pages not to load properly |
Known issues
Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.
| Date filed | Issue number | Description |
|---|---|---|
| 2019-04-09 | ADDON-21696 | Data duplication issue over multiple content URL in o365:management:activity input Workaround: Handle possible duplication at search time, for example with "| dedup Id" , or using a "| stats dc(Id) AS count" instead of a straight count of events (this is assuming that "Id" is unique in the data returned by the search) |
Third-party software attributions
Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
- axios
- certifi
- chardet
- dateutil
- debug
- follow-redirects
- future
- idna
- is-buffer
- ms
- qs
- requests
- six.py
- sortedcontainers
- u-msgpack-python
- urllib3
Version 2.0.0
Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 was released on October 21, 2019.
About this release
Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x |
| CIM | 4.12 |
| Supported OS | Platform independent |
| Vendor products | Microsoft Office 365 |
New features
Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Python 3 support.
- Enhanced role and capability functionality. Regular users now need additional permissions to use the UI to see input configurations and tenant associations.
- FIPS compliance encryption changes.
Fixed Issues
Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following fixed issues.
| Date resolved | Issue number | Description |
|---|---|---|
| 2019-09-10 | ADDON-22238 | web.conf settings cause other apps settings pages not to load properly |
Known issues
Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.
| Date filed | Issue number | Description |
|---|---|---|
| 2019-04-09 | ADDON-21696 | Data duplication issue over multiple content URL in o365:management:activity input Workaround: Handle possible duplication at search time, for example with "| dedup Id" , or using a "| stats dc(Id) AS count" instead of a straight count of events (this is assuming that "Id" is unique in the data returned by the search) |
Third-party software attributions
Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
- axios
- certifi
- chardet
- dateutil
- debug
- follow-redirects
- future
- idna
- is-buffer
- ms
- qs
- requests
- six.py
- sortedcontainers
- u-msgpack-python
- urllib3
Version 1.1.0
Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 was released on May 23, 2019.
About this release
Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 6.6.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x |
| CIM | 4.12 |
| Supported OS | Platform independent |
| Vendor products | Microsoft Office 365 |
New features
Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Configurable Token Refresh Window for the Management Activity inputs to support uninterrupted data ingestion.
Fixed Issues
Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following fixed issues.
| Date resolved | Issue number | Description |
|---|---|---|
| 2019-04-17 | ADDON-20704 | Add-on doesn't tag authentication events from o365 audit events |
| 2019-04-14 | ADDON-20616 | Modular input hang on calling O365 Management API |
| 2019-04-12 | ADDON-20076 | Data duplicating multiple times over for o365:management:activity |
| 2019-04-11 | ADDON-21196 | splunk_ta_o365 - DLP Inputs - Date range for requested content is invalid |
| 2018-10-12 | ADDON-18373 | Data ingestion may stop on Debian Linux Server |
Known issues
Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.
| Date filed | Issue number | Description |
|---|---|---|
| 2019-06-25 | ADDON-22238 | web.conf settings cause other apps settings pages not to load properly Workaround: change the permission for setting(view) of Microsoft O365 to "this app only" Or
[views]
export = none |
| 2019-04-09 | ADDON-21696 | Data duplication issue over multiple content URL in o365:management:activity input Workaround: Handle possible duplication at search time, for example with "| dedup Id" , or using a "| stats dc(Id) AS count" instead of a straight count of events (this is assuming that "Id" is unique in the data returned by the search) |
Third-party software attributions
Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
- axios
- certifi
- dateutil
- debug
- follow-redirects
- idna
- is-buffer
- ms
- qs
- requests
- six.py
- sortedcontainers
- u-msgpack-python
- urllib3
Version 1.0.0
Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 6.6.X, 7.0.X, 7.1.X |
| CIM | Not supported |
| Supported OS | Platform independent |
| Vendor products | Microsoft Office 365 |
Migration
If you are currently using the Splunk Add-on for Microsoft Cloud Services to ingest Office 365 Management API data and are migrating to the Splunk Add-on for Office 365, disable the Office 365 modular input in the Splunk Add-on for Microsoft Cloud Services.
There are three new source types in the Splunk Add-on for Microsoft Office 365 which replace the single ms:o365:management source type in the Splunk Add-on for Microsoft Cloud Services. If you are migrating from the Splunk Add-on for Microsoft Cloud Services to the Splunk Add-on for Microsoft Office 365, you will need to update your existing dashboards, panels, and SPL with the new source types. See Source types for the Splunk Add-on for Microsoft Office 365.
New features
Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.
- Simple authentication with the Office 365 Management API applications.
- Simple process for changing the registered application key.
- Three new source types,
o365:management:activity,o365:service:status, ando365:service:message.
Known issues
Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.
| Date filed | Issue number | Description |
|---|---|---|
| 2019-02-04 | ADDON-21196 | splunk_ta_o365 - DLP Inputs - Date range for requested content is invalid |
| 2018-12-24 | ADDON-20704 | Add-on doesn't tag authentication events from o365 audit events |
| 2018-12-17 | ADDON-20616 | Modular input hang on calling O365 Management API |
| 2018-10-23 | ADDON-20076 | Data duplicating multiple times over for o365:management:activity Workaround: locate the lines from 117 - 119 in file splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py, then change the line 117 like this: {noformat}
now = self._now() // 86400 * 86400 + 86400
end_time = datetime.utcfromtimestamp(now)
start_time = end_time - timedelta(days=7){noformat}
This should limit the duplicates, however, Microsoft still duplicates o365:management:activity events on their side that this doesn't catch, for that you can use dedup if needed:
{noformat}
sourcetype="o365:management:activity" | dedup _raw {noformat} |
| 2018-06-11 | ADDON-18373 | Data ingestion may stop on Debian Linux Server |
Third-party software attributions
Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.
- axios
- certifi
- dateutil
- debug
- follow-redirects
- idna
- is-buffer
- ms
- qs
- requests
- six.py
- sortedcontainers
- u-msgpack-python
- urllib3
See Release notes for the Splunk Add-on for Microsoft Office 365 for the release notes of this latest version.
|
PREVIOUS Release notes for the Splunk Add-on for Microsoft Office 365 |
NEXT Hardware and software requirements for the Splunk Add-on for Microsoft Office 365 |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!