Splunk® Supported Add-ons

Splunk Add-on for Microsoft Office 365

Download manual as PDF

Download topic as PDF

Release history for the Splunk Add-on for Microsoft Office 365

Latest version

The latest version of the Splunk Add-on for Microsoft Office 365 is version 1.1.0. See Release notes for the Splunk Add-on for Office 365 for the release notes of this latest version.

Version 1.0.0

Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.6.X, 7.0.X, 7.1.X
CIM Not supported
Supported OS Platform independent
Vendor products Microsoft Office 365

Migration

If you are currently using the Splunk Add-on for Microsoft Cloud Services to ingest Office 365 Management API data and are migrating to the Splunk Add-on for Office 365, disable the Office 365 modular input in the Splunk Add-on for Microsoft Cloud Services.

There are three new source types in the Splunk Add-on for Microsoft Office 365 which replace the single ms:o365:management source type in the Splunk Add-on for Microsoft Cloud Services. If you are migrating from the Splunk Add-on for Microsoft Cloud Services to the Splunk Add-on for Microsoft Office 365, you will need to update your existing dashboards, panels, and SPL with the new source types. See Source types for the Splunk Add-on for Microsoft Office 365.

New features

Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

  • Simple authentication with the Office 365 Management API applications.
  • Simple process for changing the registered application key.
  • Three new source types, o365:management:activity, o365:service:status, and o365:service:message.

Known issues

Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.

Date filed Issue number Description
2019-02-04 ADDON-21196 splunk_ta_o365 - DLP Inputs - Date range for requested content is invalid
2018-12-24 ADDON-20704 Add-on doesn't tag authentication events from o365 audit events
2018-10-23 ADDON-20076 Data duplicating multiple times over for o365:management:activity

Workaround:
locate the lines from 117 - 119 in file splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py, then change the line 117 like this:

{noformat} now = self._now() // 86400 * 86400 + 86400 end_time = datetime.utcfromtimestamp(now) start_time = end_time - timedelta(days=7){noformat} This should limit the duplicates, however, Microsoft still duplicates o365:management:activity events on their side that this doesn't catch, for that you can use dedup if needed: {noformat} sourcetype="o365:management:activity" | dedup _raw {noformat}

2018-06-11 ADDON-18373 Data ingestion may stop on Debian Linux Server

Third-party software attributions

Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.


See Release notes for the Splunk Add-on for Microsoft Office 365 for the release notes of this latest version.

PREVIOUS
Release notes for the Splunk Add-on for Microsoft Office 365
  NEXT
Hardware and software requirements for the Splunk Add-on for Microsoft Office 365

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters