Splunk® Supported Add-ons

Splunk Add-on for Microsoft Office 365

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Release history for the Splunk Add-on for Microsoft Office 365

Latest version

The latest version of the Splunk Add-on for Microsoft Office 365 is version 4.2.1. See Release notes for the Splunk Add-on for Office 365 for the release notes of this latest version.

Version 4.2.0

After upgrading the Splunk Add-on for Microsoft Office 365 from 4.0.0 and higher to version 4.2.0 or higher, your Splunk platform deployment might receive duplicate events for a maximum of 7 days, due to a change in checkpoint logic. Duplicate events will stop ingesting after 7 days.

Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 contains changes to the checkpoint mechanism for the Management activity input. See the Upgrade Steps section of the Upgrade topic in this manual.

Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 was released on October 22nd, 2022.

About this release

Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.1.x, 8.2.x, 9.0.0
CIM 5.0.0
Supported OS Platform independent
Vendor products Microsoft Office 365

New features

Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

  • Added support of Message Trace to collect Message Trace data from Microsoft Office 365.
  • Optimized Memory utilization for the Management Activity Input.
  • Improved user experience by adding validations

Fixed Issues

Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.


Known issues

Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.


Date filed Issue number Description
2022-12-13 ADDON-59068 Getting 401 Authorization error for management activity inputs

Third-party software attributions

Version 4.2.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Office 365

Version 4.1.1

Version 4.1.1 of the Splunk Add-on for Microsoft Office 365 was released on January 24, 2023.

About this release

Version 4.1.1 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.1.x, 8.2.x, 9.0.0
CIM 5.0.0
Supported OS Platform independent
Vendor products Microsoft Office 365

New features

Version 4.1.1 of the Splunk Add-on for Microsoft Office 365 has the following new features.

  • Resolved the Token refresh issue for Management Activity Input.

Fixed Issues

Version 4.1.1 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.


Date resolved Issue number Description
2023-01-23 ADDON-59841 Fix token refresh issue on top of O365 v4.1.0

Known issues

Version 4.1.1 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.


Third-party software attributions

Version 4.1.1 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Office 365

Version 4.1.0

Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 was released on July 28th, 2022.

About this release

Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.1.x, 8.2.x, 9.0.0
CIM 5.0.0
Supported OS Platform independent
Vendor products Microsoft Office 365

New features

Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

  • For Management Activity Input, migrated from legacy authentication AADL to MSAL.
  • Enhancements and improved user experience in Tenant configuration.
  • Security fix for Cloud App Security. This requires upgrading to version 4.1.0 and higher of this add-on. See the upgrade topic in this manual.
  • Duplicate events fix for Cloud App Security and Management Activity:

    After upgrading the Splunk Add-on for Microsoft Office 365 to version 4.1.0, due to a change in checkpoint logic, your Splunk platform deployment might receive duplicate events for a maximum of 7 days. Duplicate events will stop ingesting after 7 days. You may observe a rise in the usage of your deployment's memory/CPU resources.

Fixed Issues

Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.


Date resolved Issue number Description
2022-08-01 ADDON-50559 Cannot reset expired Client Secret for Splunk Add-on for Microsoft Office 365
2022-07-13 ADDON-49500 version 2.2.0 - Duplicated Events for Management Activity and Cloud App Security inputs

Known issues

Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.


Date filed Issue number Description
2023-01-18 ADDON-59841 Fix token refresh issue on top of O365 v4.1.0
2022-05-09 ADDON-51460 O365 TA - Cloud App Security -> Cloud Discovery Input is not working

Third-party software attributions

Version 4.1.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

Third-party software attributions for the Splunk Add-on for Microsoft Office 365

Version 4.0.0

Version 4.0.0 of the Splunk Add-on for Microsoft Office 365 was released on May 18, 2022.

About this release

Version 4.0.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.0.x, 8.1.x, 8.2.x
CIM 5.0.0
Supported OS Platform independent
Vendor products Microsoft Office 365

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 4.0.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

  • Enhanced CIM support for below listed workloads of sourcetype o365:management:activity.
    AzureActiveDirectory
    Exchange
    SecurityComplianceCenter
    SharePoint
    OneDrive
    MicrosoftTeams
    MicrosoftForms
    Yammer
    SkypeForBusiness
  • Fixed Timestamp extractions issue for the o365:management:activity sourcetype.
  • Fixed CIM tagging issues for the Authentication events of o365:management:activity sourcetype.

CIM field changes

Splunk Add-On for Microsoft Office 365 version 4.0.0 includes updated Common Information Model even tagging for o365:management:activity sourcetype events. These changes were made to more accurately match the nature of the events with the appropriate data model fields. Any search content that executes against the Common Information Model fields mapped to o365:management:activity events must be updated. Utilize this table of event field changes to inform updates to your search content.

See the following tables for information on field changes between 3.0.0 and 4.0.0 :

Source-type Workload Operation Fields added Fields removed
['o365:management:activity'] AzureActiveDirectory Add EligibleRoleAssignement to RoleDefinition., Add contact., Add policy., Finish applying group based license to users., Set directory feature on tenant., Set group license., Start applying group based license to users., Update service principal. change_type, object_id, tenant_id, object_category, action, result
['o365:management:activity'] Add application., Add device., Add group., Add member to group., Add member to role., Add user., Delete user., Update application., Update device., Update group., Update user. tenant_id, result
['o365:management:activity'] Add eligible member to role., Disable account., Remove member from role. change_type, src_user_type, object_id, src_user, tenant_id, object_category, action, result user_type
['o365:management:activity'] Add owner to application. tenant_id, result object_id
['o365:management:activity'] Add owner to group., Remove member from group., Remove service principal. src_user_type, object_id, src_user, tenant_id, result user_type
['o365:management:activity'] Add role definition., Create company settings, Delete application., Delete contact., Delete role definition., Hard Delete group., Restore Group., pdate company settings, Update policy. change_type, object_attrs, object_id, tenant_id, object_category, action, result
['o365:management:activity'] Add service principal. tenant_id, result, src_user_type user_type
['o365:management:activity'] Add unverified domain. change_type, object, tenant_id, object_category, action, result
['o365:management:activity'] Change user password., Reset user password. tenant_id, result, src_user_type, object_id user_type
['o365:management:activity'] Delete group. tenant_id, result, object_id
['o365:management:activity'] Remove eligible member from role., Remove owner from application., Remove owner from group., Update StsRefreshTokenValidFrom Timestamp. change_type, object_attrs, src_user_type, object_id, src_user, tenant_id, object_category, action, result user_type
['o365:management:activity'] Remove unverified domain. change_type, object, object_attrs, tenant_id, object_category, action, result
['o365:management:activity'] Restore user. change_type, object_attrs, src_user_type, object_id, tenant_id, object_category, action, result user_type
['o365:management:activity'] Set user manager. change_type, src_user_type, object_id, tenant_id, object_category, action, result user_type
['o365:management:activity'] UserLoggedIn, UserLoginFailed tenant_id object
['o365:management:activity'] Verify domain. object, tenant_id, result action, object_attrs, change_type, object_category
['o365:management:activity'] SharePoint All tenant_id
['o365:management:activity'] AddAnAppNewListCreateButtonClick, LaunchPowerApp object
['o365:management:activity'] AddedToGroup src_user_type object_id
['o365:management:activity'] AnonymousLinkCreated, AnonymousLinkUpdated, CommentsDisabled, FileDeletedFirstStageRecycleBin, FileRecycled, FileTranscriptRequested, FolderDeletedFirstStageRecycleBin, FolderRecycled, FolderRenamed, FolderRestored, ListDeleted, ListItemRecycled, ListItemRestored, ListRestored, SiteDesignInvoked, SiteLocksChanged action, object_category
['o365:management:activity'] AppStoreStorefrontLaunchAppStorePage, AppStoreStorefrontShowAppDetailsPage, SharingInheritanceBroken object, object_id
['o365:management:activity'] CommentCreated object_attrs, object, change_type
['o365:management:activity'] CompanyLinkCreated, FileDeleted, FileModified, FileModifiedExtended, FileMoved, FolderCreated, FolderDeleted, FolderModified, SharingSet change_type, object_attrs, object_id
['o365:management:activity'] DLPRuleMatch object_category, category, dlp_type, severity, src_user, action object_id
['o365:management:activity'] FileAccessed, FileAccessedExtended, FileCheckOutDiscarded, FileCheckedIn, FileCopied, FilePreviewed, FileRenamed, FileRestored, FileVersionsAllDeleted, PageViewed, PageViewedExtended, SecureLinkCreated, SharingRevoked object_id
['o365:management:activity'] FileUploaded object_size change_type, object_attrs, object_id
['o365:management:activity'] FolderCopied, FolderMoved action, object_category object
['o365:management:activity'] HubSiteRegistered, HubSiteUnregistered, ListContentTypeDeleted, ListContentTypeUpdated, ListViewCreated, PermissionLevelRemoved, SecureLinkUpdated, SiteContentTypeCreated, SiteDeleted, SiteIBModeSet, SiteRenameScheduled object_category, change_type, object_attrs, action
['o365:management:activity'] ListColumnCreated, ListColumnUpdated, ListCreated, ListUpdated object_attrs, change_type
['o365:management:activity'] ListColumnDeleted, ListItemCreated action, object_category, object_attrs
['o365:management:activity'] RemovedFromSecureLink, RemovedFromSiteCollection object_category, change_type, object_attrs, src_user, action, src_user_type user_type
['o365:management:activity'] SearchQueryPerformed action, object_category object_path, object
['o365:management:activity'] OneDrive All tenant_id, result, action, object_category
['o365:management:activity'] AddedToGroup, GroupAdded, PermissionLevelAdded, SiteCollectionCreated, SharingPolicyChanged, ShortcutAdded, SiteCollectionAdminRemoved, SiteCollectionAdminAdded, SiteCollectionQuotaModified change_type
['o365:management:activity'] AddedToGroup, AnonymousLinkCreated, GroupAdded, PermissionLevelAdded, SiteCollectionCreated, ShortcutAdded, SiteCollectionAdminRemoved, SiteCollectionQuotaModified object_attrs
['o365:management:activity'] AddedToGroup src_user, src_user_type user_type
['o365:management:activity'] AnonymousLinkCreated, PermissionLevelAdded, SiteCollectionCreated, ListColumnCreated, ListItemCreated, SharingPolicyChanged object_path
['o365:management:activity'] DLPRuleMatch, DLPRuleUndo dlp_type, category, severity, src_user, object_path
['o365:management:activity'] FileDownloaded, FileModified, FileModifiedExtended object_size
['o365:management:activity'] GroupAdded, ListColumnCreated, ListItemCreated, ListCreated, ListViewed, SharingInheritanceBroken object_id
['o365:management:activity'] PermissionLevelAdded, SiteCollectionCreated, SearchQueryPerformed, SharingPolicyChanged, SiteCollectionQuotaModified object_id object
['o365:management:activity'] SiteLocksChanged object_id object, object_attrs
['o365:management:activity'] Exchange All tenant_id, result, object_id
['o365:management:activity'] Add-RecipientPermission, New-MailContact, New-Mailbox, Remove-MailContact, Remove-RoleGroupMember, Set-AdminAuditLogConfig, Set-Mailbox, Set-User object_category, src_user_type, object_attrs, change_type, action, src_user user_type
['o365:management:activity'] AddFolderPermissions, ModifyFolderPermissions object_category, object_attrs, dest, change_type, user_agent, dest_name, action, object, client_info_str
['o365:management:activity'] Create, Update object_category, owner_id, parent_object, owner, object_path, dest, object, user_agent, object_size, action, owner_email, dest_name, app_id, parent_object_id, client_info_str
['o365:management:activity'] DlpRuleMatch recipient_domain, file_name, subject, orig_src, recipient_count, src_user_domain, action, src_user, message_id, recipient, file_size, size
['o365:management:activity'] Enable-AddressListPaging, New-App, New-ManagementRoleAssignment, New-RoleGroup, Remove-Mailbox, Remove-RoleGroup, Remove-UnifiedGroup, Set-ConditionalAccessPolicy, Set-ExchangeAssistanceConfig, Set-OrganizationConfig, Set-RoleGroup, Set-TransportConfig object_category, object_attrs, change_type, action
['o365:management:activity'] MailboxLogin dest, user_agent, dest_name, action, object, client_info_str
['o365:management:activity'] Move, MoveToDeletedItems object_category, owner_id, parent_object, owner, object_path, dest, object, user_agent, dest_name, action, owner_email, app_id, parent_object_id, client_info_str
['o365:management:activity'] SoftDelete object_category, owner_id, parent_object, owner, dest, object, user_agent, dest_name, action, owner_email, app_id, parent_object_id, client_info_str
['o365:management:activity'] SecurityComplianceCenter All tenant_id, result object
['o365:management:activity'] AlertEntityGenerated, AlertTriggered, AlertUpdated signature_id, description, id, type, severity, body object
['o365:management:activity'] AuthorizeDataInsightsSubscription, SearchAlert, SearchAlertAggregate, SearchConnectorReportData, SearchCustomTag, SearchCustomerInsight, SearchDataInsightsSubscription, SearchMailflowForwardingData, SearchMtpRoleInfo, SearchMtpStatus, SearchNonAcceptedDomainDetailData, SearchSecurityRedirection, SearchTrialOffer, ValidaterbacAccessCheck dest_name, dest
['o365:management:activity'] Get-ComplianceTag, Get-DlpCompliancePolicy, Get-DlpComplianceRule, Get-DlpDetectionsReport, Get-DlpSiDetectionsReport, Get-Label, Get-PolicyConfig, Get-ProtectionAlert, Get-RetentionCompliancePolicy object
['o365:management:activity'] Get-DlpSensitiveInformationType, New-ProtectionAlert, Remove-DlpCompliancePolicy, Remove-DlpComplianceRule action, change_type, object_category, object_attrs
['o365:management:activity'] InsightGenerated description, id, type, severity, body object
['o365:management:activity'] New-DlpCompliancePolicy, New-DlpComplianceRule, Set-DlpCompliancePolicy, Set-DlpComplianceRule action, change_type, object_category, object_attrs, object_id
['o365:management:activity'] MicrosoftTeams AppInstalled, BotAddedToTeam, ChannelAdded, ChannelDeleted, ConnectorAdded, MemberAdded, MessageCreatedHasLink, MessageDeleted, OpenShiftAdded, OpenShiftDeleted, RequestAdded, RequestRespondedTo, ScheduleGroupAdded, ScheduleGroupEdited, ScheduleSettingChanged, ShiftAdded, TabAdded, TabUpdated, TeamCreated, TeamDeleted, TeamSettingChanged, TimeOffAdded, TimeOffDeleted, TimeOffEdited result, tenant_id, change_type, object, dest, object_attrs, object_category, action, object_id, dest_name
['o365:management:activity'] CreatedApproval tenant_id, change_type, object_attrs, object_category, action, object_id, result
['o365:management:activity'] TeamsSessionStarted action, tenant_id, result object, authentication_service
['o365:management:activity'] MicrosoftForms AllowAnonymousResponse, AllowShareFormForCopy, CreateForm, CreateResponse, DeleteAllResponses, DeleteResponse, DeleteSummaryLink, DisableSpecificResponse, DisallowAnonymousResponse, EditForm, EnableSpecificResponse, EnableWorkOrSchoolCollaboration, GetSummaryLink, UpdateFormSetting, UpdateResponse, ViewForm, ViewResponses, ViewRuntimeForm tenant_id, action, object_category, result, object_id
['o365:management:activity'] ListForms tenant_id, action, dest_name, dest, result, object_category
['o365:management:activity'] SkypeForBusiness Get-CsTeamsUpgradeOverridePolicy change_type, result, dest_name, dest, object_id, object_category, tenant_id, object_attrs, action, object
['o365:management:activity'] Yammer GroupCreation, MessageDeleted result, object_id, owner_email, tenant_id, object_category, email, action

CIM model changes

See the following CIM model changes between 3.0.0 and 4.0.0:

WorkLoad Operation Previous CIM model New CIM model
AzureActiveDirectory Add application., Add group., Delete group., Update application – Certificates and secrets management , Update application., Update group. Change.Account_Management Change.All_Changes
Verify domain. Change.Account_Management
Add EligibleRoleAssignement to RoleDefinition., Add contact., Add policy., Add role definition., Add unverified domain., Create company settings, Delete application., Delete contact., Delete role definition., Finish applying group based license to users., Hard Delete group., Remove unverified domain., Restore Group., Set directory feature on tenant., Set group license., Start applying group based license to users., Update company settings, Update policy., Update service principal. Change.All_Changes
Add eligible member to role., Disable account., Remove eligible member from role., Remove member from role., Remove owner from application., Remove owner from group., Restore user., Set user manager., Update StsRefreshTokenValidFrom Timestamp. Change.Account_Management
SharePoint AddedToGroup, GroupAdded, GroupRemoved, GroupUpdated, PermissionLevelAdded, SharingPolicyChanged, SiteCollectionAdminAdded, SiteCollectionAdminRemoved, SiteCollectionCreated, SiteCollectionQuotaModified, SiteRenamed Change.Endpoint_Changes Change.All_Changes
CommentCreated, CompanyLinkCreated, FileDeleted, FileModified, FileModifiedExtended, FileMoved, FileUploaded, FolderCreated, FolderDeleted, FolderModified, ListColumnCreated, ListColumnUpdated, ListCreated, ListUpdated, SharingSet Change.Endpoint_Changes
DLPRuleMatch DLP
HubSiteRegistered, HubSiteUnregistered, ListContentTypeDeleted, ListContentTypeUpdated, ListViewCreated, PermissionLevelRemoved, SecureLinkUpdated, SiteContentTypeCreated, SiteDeleted, SiteIBModeSet, SiteRenameScheduled Change.All_Changes
RemovedFromSecureLink, RemovedFromSiteCollection Change.Account_Management
OneDrive AddedToGroup Change.Account_Management
DLPRuleMatch, DLPRuleUndo DLP
GroupAdded, PermissionLevelAdded, SharingPolicyChanged, ShortcutAdded, SiteCollectionAdminAdded, SiteCollectionAdminRemoved, SiteCollectionCreated, SiteCollectionQuotaModified Change.All_Changes
Exchange Add-RecipientPermission, New-MailContact, New-Mailbox, Remove-MailContact, Remove-RoleGroupMember, Set-AdminAuditLogConfig, Set-Mailbox, Set-User Change.Account_Management
AddFolderPermissions, Enable-AddressListPaging, ModifyFolderPermissions, New-App, New-ManagementRoleAssignment, New-RoleGroup, Remove-Mailbox, Remove-RoleGroup, Remove-UnifiedGroup, Set-ConditionalAccessPolicy, Set-ExchangeAssistanceConfig, Set-OrganizationConfig, Set-RoleGroup, Set-TransportConfig Change.All_Changes
DlpRuleMatch Email.Filtering
MailboxLogin Authentication
SecurityComplianceCenter AlertEntityGenerated, AlertTriggered, AlertUpdated, InsightGenerated Alerts
Get-DlpSensitiveInformationType, New-DlpCompliancePolicy, New-DlpComplianceRule, New-ProtectionAlert, Remove-DlpCompliancePolicy, Remove-DlpComplianceRule, Set-DlpCompliancePolicy, Set-DlpComplianceRule Change.All_Changes
MicrosoftTeams AppInstalled, BotAddedToTeam, ChannelAdded, ChannelDeleted, ConnectorAdded, CreatedApproval, MemberAdded, MessageCreatedHasLink, MessageDeleted, OpenShiftAdded, OpenShiftDeleted, RequestAdded, RequestRespondedTo, ScheduleGroupAdded, ScheduleGroupEdited, ScheduleSettingChanged, ShiftAdded, ShiftDeleted, TabAdded, TabUpdated, TeamCreated, TeamDeleted, TeamSettingChanged, TimeOffAdded, TimeOffDeleted, TimeOffEdited Change.All_Changes
TeamsSessionStarted Authentication
SkypeForBusiness Get-CsTeamsUpgradeOverridePolicy Change.All_Changes



Fixed Issues

Version 4.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.

Known issues

Version 4.0.0of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.

Third-party software attributions

Version 4.0.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.


Version 3.0.0

Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 was released on February 11, 2022.

About this release

Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 8.0.x, 8.1.x, 8.2.x
CIM 4.20
Supported OS Platform independent
Vendor products Microsoft Office 365

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

  • Changed from using the Service Communications API (now deprecated by Microsoft) to using the new Microsoft Graph API for Service Health & Communication events.
    This new API changes the structure how data is ingested by the Splunk software. The following source types have had to be updated:
    Retired source types:
    o365:service:status o365:service:message
    New source types:
    o365:service:healthIssue o365:service:updateMessage
    To learn about the type of data these new source types represent coming through the Graph API, see the Overview for accessing service health and communications in Microsoft Graph topic in the Microsoft's Graph API documentation.

    If upgrading to version 3.0.0 or later, disable ServiceHealth.Read.All in Office 365 Management APIs, and enable ServiceHealth.Read.All in Microsoft Graph.

  • Enhanced the Add Input menu for ease of use. This menu includes the new Microsoft Graph API for Service Health & Communication events, and also reflects the various Graph API data categories we already support, in a more logical taxonomy.
  • Added API request throttling when making too many requests to the Microsoft APIs.

Fixed Issues

Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.


Known issues

Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.


Third-party software attributions

Version 3.0.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

Version 2.2.0

Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 was released on October 13, 2021.

About this release

Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x, 8.1.x
CIM 4.20
Supported OS Platform independent
Vendor products Microsoft Office 365

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

  • Common Information Model (CIM) version 4.20 compatibility and enhanced CIM mapping.
  • Enhanced CIM mapping for the following sourcetypes:
    • o365:management:activity
    • o365:service:status
    • o365:service:message
    • o365:cas:api
    • o365:graph:api
  • Added support for the Alerts CIM data model for the following sourcetypes:
    • o365:service:status
    • o365:service:message
    • o365:cas:api
  • Updates to the lookup splunk_ta_o365_cim_change_analysis.csv
  • Updates to the lookup splunk_ta_o365_cim_data_access.csv
  • Self-service app install (SSAI) upgrades do not automatically update the lookups with the latest values. To fix this, upgrade the add-on, then manually update the lookup files using the lookup files from the latest version of this add-on.

Field changes

The following sections contain information on fields and data models that have been added, modified, or removed in this release.

Fields added and removed

The following tables display the fields that have been added and removed in this release, listed by sourcetype.

Sourcetype Operation Fields added Fields removed
o365:management:activity AccessRequestCreated, GroupRemoved, GroupUpdated, SiteCollectionCreated, AccessRequestRejected, SharingSet, RemovedFromGroup, AccessRequestApproved, AddedToGroup, GroupAdded, SharingRevoked status, authentication_service, dest_name, result, object_attrs
o365:management:activity Add application. env_name, env_seqNum, authentication_service, targetName, correlationId, env_appVer, dataset_name, targetObjectId, ResultStatusDetail, user_agent, tag, modified_properties_new_value, auditEventCategory, env_popSample, env_time, env_cloud_name, modified_properties_name, action, actorUPN, nCloud, env_iKey, env_flags, tag::eventtype, env_cv, actorPUID, FlowTokenScenario, authentication_method, targetContextId, env_cloud_deploymentUnit, UserAuthenticationMethod, change_type, actorObjectClass, object_category, version, KeepMeSignedIn, actorAppID, targetSPN, eventtype, actorObjectId, additionalTargets, dest_name, env_epoch, env_cloud_roleVer, UserAgent, extended_properties, user_agent_change, env_cloud_ver object_path, reason, modified_properties_mv
o365:management:activity Add device. authentication_service, correlationId, dataset_name, tag, modified_properties_new_value, env_cloud_name, modified_properties_name, action, actorContextId, object_attrs, tag::eventtype, actorPUID, change_type, object_category, env_ver, actorAppID, targetSPN, eventtype, dest_name, extended_properties, modified_properties object_id, object_path
o365:management:activity Add group. auditEventCategory, modified_properties, targetContextId, modified_properties_name, authentication_service, additionalDetails, env_ver, env_cv, dest_name, env_cloud_roleVer, object_attrs, extended_properties, targetIncludedUpdatedProperties, user_agent, modified_properties_new_value, user_agent_change object_id, object_path
o365:management:activity Add member to group. actorAppID, env_time, env_cloud_name, modified_properties_name, authentication_service, targetSPN, src_user, dest_name, actorUPN, object_attrs, extended_properties, teamName, env_cv, modified_properties_new_value, modified_properties object_id, object_path
o365:management:activity Add member to role. modified_properties, targetContextId, modified_properties_name, authentication_service, env_cloud_deploymentUnit, additionalDetails, targetName, correlationId, dest_name, nCloud, object_attrs, extended_properties, user_agent, modified_properties_new_value, env_appId, user_agent_change object_id, object_path
o365:management:activity Add owner to application. modified_properties, modified_properties_name, authentication_service, env_cloud_deploymentUnit, targetSPN, env_epoch, dest_name, env_cloud_roleVer, object_attrs, extended_properties, version, env_cloud_environment, user_agent, modified_properties_new_value, user_agent_change object_id, object_path
o365:management:activity Add owner to service principal. authentication_service, dest_name, object_attrs, extended_properties, user_agent, user_agent_change object_id, object_path
o365:management:activity Add service principal. env_name, env_seqNum, authentication_service, targetName, targetObjectId, ResultStatusDetail, targetIncludedUpdatedProperties, env_cloud_environment, user_agent, modified_properties_new_value, auditEventCategory, env_osVer, env_popSample, env_cloud_name, modified_properties_name, src_user, RequestType, actorUPN, nCloud, env_iKey, env_cv, actorPUID, env_appId, FlowTokenScenario, resultDescription, authentication_method, env_cloud_deploymentUnit, env_os, UserAuthenticationMethod, actorObjectClass, version, KeepMeSignedIn, env_ver, actorAppID, actorObjectId, env_epoch, dest_name, env_cloud_roleVer, result, env_cloud_roleInstance, extended_properties, teamName, user_agent_change, actorContextId object_path, modified_properties_mv
o365:management:activity Add user. env_seqNum, modified_properties_name, authentication_service, src_name, targetName, dest_name, env_cloud_roleVer, env_appVer, actorContextId, env_cloud_role, object_attrs, extended_properties, teamName, modified_properties_new_value, modified_properties object_id, object_path
o365:management:activity FolderDeleted, SiteCollectionQuotaModified, SecureLinkCreated, CommentCreated, ListColumnCreated, ListViewUpdated, PermissionLevelAdded, WebMembersCanShareModified, CommentDeleted, ListUpdated, WebRequestAccessModified, ListColumnUpdated, ListCreated, WebAccessRequestApproverModified, CompanyLinkCreated, FolderModified, AddedToSecureLink, FolderCreated status, authentication_service, action, eventtype, dest_name, dataset_name, result, object_attrs, change_type, object_category, tag::eventtype, tag
o365:management:activity SharingInheritanceBroken, ClientViewSignaled, ListViewed, PageViewed, PagePrefetched, PageViewedExtended status, authentication_service, action, eventtype, dest_name, dataset_name, result, object_category, tag::eventtype, tag
o365:management:activity Delete user. actorAppID, env_osVer, modified_properties_name, authentication_service, extendedAuditEventCategory, actorObjectId, dest_name, env_cloud_roleVer, object_attrs, env_flags, env_cloud_environment, extended_properties, modified_properties_new_value, modified_properties object_id, object_path
o365:management:activity FileCheckedOut, FileCheckedIn, FileCheckOutDiscarded, FileCopied, FileAccessed, FileDownloaded status, authentication_service, dest_name, result, tag::object_category change_type
o365:management:activity FilePreviewed, FileAccessedExtended status, authentication_service, action, eventtype, dest_name, dataset_name, result, tag::object_category, object_category, tag::eventtype, tag
o365:management:activity FileMoved, FileModified, FileDeleted, FileRestored, FileRenamed, FileUploaded status, authentication_service, dest_name, result, tag::object_category, object_attrs
o365:management:activity FileVersionsAllDeleted, FileModifiedExtended status, authentication_service, action, eventtype, dest_name, dataset_name, result, tag::object_category, object_attrs, change_type, object_category, tag::eventtype, tag
o365:management:activity SiteCollectionAdminRemoved, SharingPolicyChanged, SiteColumnCreated status, authentication_service, action, eventtype, dest_name, dataset_name, result, object_attrs, change_type, object_category, tag::eventtype, tag src, src_ip
o365:management:activity SiteCollectionAdminAdded status, authentication_service, dest_name, result, object_attrs src, src_ip
o365:management:activity Update application. env_name, env_seqNum, authentication_service, env_cloud_ver, targetName, correlationId, resultType, env_appVer, dataset_name, ResultStatusDetail, targetIncludedUpdatedProperties, env_cloud_environment, tag, user_agent, modified_properties_new_value, env_popSample, env_time, env_cloud_name, modified_properties_name, action, RequestType, env_cloud_role, env_iKey, env_flags, tag::eventtype, env_cv, env_appId, FlowTokenScenario, authentication_method, targetContextId, env_cloud_deploymentUnit, env_os, src_name, UserAuthenticationMethod, change_type, actorObjectClass, object_category, env_ver, actorAppID, targetSPN, eventtype, additionalTargets, dest_name, env_epoch, env_cloud_roleVer, result, env_cloud_roleInstance, extended_properties, user_agent_change, actorContextId object_id, object_path, modified_properties_mv
o365:management:activity Update device. authentication_service, targetName, dataset_name, tag, modified_properties_new_value, auditEventCategory, modified_properties_name, action, env_iKey, tag::eventtype, env_cv, actorPUID, env_cloud_deploymentUnit, change_type, object_category, eventtype, actorObjectId, dest_name, extended_properties, env_cloud_ver object_id, object_path, modified_properties_mv
o365:management:activity Update group. modified_properties_name, authentication_service, env_cloud_ver, env_epoch, correlationId, dest_name, actorContextId, actorUPN, env_cloud_roleInstance, object_attrs, extended_properties, version, modified_properties_new_value, modified_properties object_id, object_path
o365:management:activity Update user. env_name, env_seqNum, authentication_service, targetName, correlationId, targetObjectId, targetIncludedUpdatedProperties, env_cloud_environment, user_agent, modified_properties_new_value, modified_properties, env_popSample, env_time, modified_properties_name, env_cloud_role, actorUPN, object_attrs, nCloud, env_flags, env_iKey, env_cv, actorPUID, env_appId, FlowTokenScenario, resultDescription, authentication_method, env_cloud_deploymentUnit, env_os, src_name, UserAuthenticationMethod, actorObjectClass, KeepMeSignedIn, additionalDetails, env_ver, actorAppID, targetSPN, actorObjectId, additionalTargets, dest_name, env_cloud_roleVer, env_cloud_roleInstance, UserAgent, extended_properties, teamName, extendedAuditEventCategory, actorContextId object_path, reason
o365:management:activity UserLoggedIn FlowTokenScenario, actorAppID, authentication_method, targetContextId, env_seqNum, targetSPN, authentication_service, RequestType, dest_name, correlationId, ResultStatusDetail, actorUPN, UserAuthenticationMethod, tag::action, extended_properties, teamName, env_ver object_id, modified_properties, object_path, object_attrs, reason, modified_properties_mv
o365:management:activity UserLoginFailed env_name, authentication_service, env_cloud_environment, env_osVer, env_popSample, nCloud, env_cv, env_appId, FlowTokenScenario, env_os, actorObjectClass, tag::action, KeepMeSignedIn, actorAppID, additionalTargets, dest_name, result, extended_properties, extendedAuditEventCategory object_id, IsCompliantAndManaged, SessionId, object_path, BrowserType
Sourcetype Status Fields added Fields removed
o365:service:status ServiceOperational, ServiceRestored, ServiceDegradation tag::eventtype, signature, eventtype, type, dest, severity, app, id, tag, description
Sourcetype ImpactDescription Fields added Fields removed
o365:service:message Users may be unable to view shared calendars within the Outlook client or Outlook on the web services., Admins were unable to access the Microsoft Secure Score webpage via the Microsoft 365 security center., Admins may see Microsoft 365 app usage and productivity score reports data delayed after June 30, 2021., Admins may have experienced delayed data in Productivity score reports from the Microsoft 365 admin center., Users may be unable to use the multi-language spellcheck feature of the Microsoft Teams desktop client., Users may have intermittently been unable to connect to the OneDrive for Business service., null, Admins see some users' Outlook Desktop activity isn't showing up in usage reports., Users are unable to create Skype account., Admins may experience a delay in receiving messages., Users may have been unable to use the search function in SharePoint Online., Users may have been unable to sign in to Outlook., Users may have been unable to sign in to Skype., Users are unable to create Outlook account., Admins may have been unable to install O365., Users saw an error and were unable to access the "Shared by you" tab in OneDrive for Business., Admins may have seen a delay in updated data for Skype for Business usage reports within the Microsoft 365 admin center., Admins are unable to exclude errors., Users were seeing errors when downloading records with 10,000 or more entries from the Security and Compliance Center. tag::eventtype, signature, body, eventtype, type, dest, severity, app, id, tag, description
Sourcetype isSystemAlert Fields added Fields removed
o365:cas:api true app, signature, src, eventtype, type, dest, severity, severity_id, tag::eventtype, user, tag
Sourcetype policyType Fields added Fields removed
o365:cas:api NEW_SERVICE app, signature, src, eventtype, type, severity, severity_id, tag::eventtype, tag
Sourcetype sourcetype Fields added Fields removed
o365:graph:api o365:graph:api eventtype

Fields modified

The following tables display the fields that have been modified in this release, listed by sourcetype.

Sourcetype CIM Field Operation Vendor Field Before Vendor field after Sample value before Sample value after
o365:management:activity user Add member to role., Add member to group. UserId ObjectId abcd@27cf00f56f558d8859778b97.example.com abcdefghi@d10b5fea7bd2276be1bba7cd.qwertyu.com
o365:management:activity user_id UserLoggedIn, UserLoginFailed UserId Actor{}.ID where Actor{}.Type=3 abcd@27cf00f56f558d8859778b97.example.com 10037FFE8EC1E08E
o365:management:activity reason where ResultStatus indicates "failure", such as UserLoginFailed LogonError resultDescription OR ResultStatusDetail InvalidUserNameOrPassword UserError
o365:management:activity status All where ResultStatus IN (failed, failure, success, succeeded) ResultStatus ResultStatus failure, failed, success, succeeded failure, success
o365:management:activity dvc where Workload=SharePoint Workload ObjectId SharePoint a830edad9050849nda3079.sharepoint.com
o365:management:activity modified_properties Add application.,Add service principal.,Update application., Update device. ModifiedProperties{} from the event ModifiedProperties{} from the event AppId, AppIdentifierUri, AvailableToOtherTenants, DisplayName, Entitlement, PublicClient, WwwHomepage ISAD7.1|primary|a\"\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AppId, AppIdentifierUri, AvailableToOtherTenants, DisplayName, Entitlement, PublicClient, WwwHomepage","OldValue":""}
o365:management:activity object_category Add service principal. Static value: user Static value: ServicePrincipal
o365:management:activity object_category Update group. Static value: user, group Static value: group
o365:management:activity object_category SiteCollectionCreated Static value: user Static value: site
o365:management:activity change_type AccessRequestApproved,

AccessRequestRejected, SharingSet

Static Value: user Static Value: AAA
o365:management:activity change_type SiteCollectionCreated Static Value: user Static Value: collection
o365:management:activity dest Add application., Add user., Update user., Delete user., Add group., Add device., Update device, Update application., Add owner to application., Add service principal., Add member to group., Add member to role, etc. where env_cloud_name present inside ExtendedProperties{} in the event ObjectId env_cloud_name OR ObjectId abcdef@705e62b9e1c0c47a2c4e0709.example.com MSO-BY1
o365:management:activity dest UserLoggedIn, UserLoginFailed ObjectId Static value: Microsoft Office 365 AzureActiveDirectory 797f4846-ba00-4fd7-ba43-dac1f8f63013 Microsoft Office 365 AzureActiveDirectory
o365:management:activity dest If env_cloud_name is not present in the event, then ObjectId will be dest ObjectId ObjectId
o365:management:activity action AccessRequestRejected Static Value: unknown Static Value: deleted
o365:management:activity action FileCheckOutDiscarded Static Value: modified Static Value: read
o365:management:activity action FileCheckedIn Static Value: created Static Value: read
o365:management:activity action FileCopied Static value: read Static value: copied
o365:management:activity action FileDownloaded Static value: read Static value: downloaded
o365:management:activity action Add group.,SharingSet Static Value: modified Static Value: created
o365:management:activity object_attrs Add user., Update user., Add group., Add device., Add application., etc. ModifiedProperties{} from the event, a list of attributes that were modified ModifiedProperties{} from the event, but it will be key=value pair of relevant and necessary attributes StsRefreshTokensValidFrom, UserType, AccountEnabled, UserPrincipalName UserPrincipalName=abcdef@705e62b9e1c0c47a2c4e0709.example.com, AccountEnabled=true, UserType=Member
o365:management:activity object_attrs Update group., Update application. ModifiedProperties{} from the event, a list of attributes that were modified object_category LastDirSyncTime group, application
o365:management:activity object Add group., Update group., Add device., Update device. Add application., Update application., Add service principal. ObjectId targetName Not Available APP_User_Adobe_Sign, EBIZ_SAP_PP_USR, iPad-ABCD1234, Fraedom Flexipurchase
o365:management:activity object_id where Workload=AzureActiveDirectory ObjectId targetObjectId from ExtendedProperties{} in the evnet abcdef@705e62b9e1c0c47a2c4e0709.example.com 93a565f6-d0fc-4ac3-9d2a-8c1de9aeed3c
Sourcetype CIM Field isSystemAlert=true Vendor Field Before Vendor field after Sample value before Sample value after
o365:cas:api description where description="" OR isnull(description) description title empty System alert: Deprecation of Label Management in the Azure Portal,

System alert: Service health status page deprecation

Modified data models

The following table displays the CIM data models that have been modified in this release, listed by sourcetype.

Sourcetype Operation Previous CIM model New CIM model
o365:management:activity FileAccessed, FileCheckedOut, FileCheckOutDiscarded, FileCopied, FileCheckedIn, FileDownloaded Change:Endpoint_Changes Data Access

Fixed Issues

Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.

Known issues

Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.


Date filed Issue number Description
2022-03-22 ADDON-49500 version 2.2.0 - Duplicated Events for Management Activity and Cloud App Security inputs
2019-04-09 ADDON-21696 Data duplication issue over multiple content URL in o365:management:activity input

Workaround:
Handle possible duplication at search time, for example with "| dedup Id" , or using a "| stats dc(Id) AS count" instead of a straight count of events

(this is assuming that "Id" is unique in the data returned by the search)

Third-party software attributions

Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

Version 2.1.0

Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 was released on June 25, 2021.

About this release

Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM 4.18
Supported OS Platform independent
Vendor products Microsoft Office 365

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

Two new sourcetypes:

  • Cloud Application Security - o365:cas:api - All service policies, alerts and entities visible through the Microsoft cloud application security portal.
  • Graph API - o365:graph:api - Audit events and reports visible through the microsoft graph api endpoints. This includes all log events and reports visible through the Microsoft Graph API.

Fixed Issues

Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.

Known issues

Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.

Third-party software attributions

Version 2.1.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

Version 2.0.3

Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 was released on January 15, 2021.

About this release

Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM 4.16
Supported OS Platform independent
Vendor products Microsoft Office 365

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 has the following new features.

  • Security bug fixes.

Fixed Issues

Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.

Known issues

Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.

Third-party software attributions

Version 2.0.3 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

Version 2.0.2

Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 was released on May 1, 2020.

About this release

Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM 4.16
Supported OS Platform independent
Vendor products Microsoft Office 365

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 has the following new features.

  • Improved Support for the Authentication CIM Model.

Fixed Issues

Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 contains the following fixed issues.

Known issues

Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.

Third-party software attributions

Version 2.0.2 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

Version 2.0.1

Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 was released on March 14, 2020.

About this release

Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM 4.12
Supported OS Platform independent
Vendor products Microsoft Office 365

New features

Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 has the following new features.

  • Default Python3 support.

Fixed Issues

Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 contains the following fixed issues.


Date resolved Issue number Description
2019-09-10 ADDON-22238 web.conf settings cause other apps settings pages not to load properly

Known issues

Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.


Date filed Issue number Description
2019-04-09 ADDON-21696 Data duplication issue over multiple content URL in o365:management:activity input

Workaround:
Handle possible duplication at search time, for example with "| dedup Id" , or using a "| stats dc(Id) AS count" instead of a straight count of events

(this is assuming that "Id" is unique in the data returned by the search)

Third-party software attributions

Version 2.0.1 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.


Version 2.0.0

Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 was released on October 21, 2019.

About this release

Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM 4.12
Supported OS Platform independent
Vendor products Microsoft Office 365

New features

Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

  • Python 3 support.
  • Enhanced role and capability functionality. Regular users now need additional permissions to use the UI to see input configurations and tenant associations.
  • FIPS compliance encryption changes.

Fixed Issues

Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following fixed issues.


Date resolved Issue number Description
2019-09-10 ADDON-22238 web.conf settings cause other apps settings pages not to load properly

Known issues

Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.


Date filed Issue number Description
2019-04-09 ADDON-21696 Data duplication issue over multiple content URL in o365:management:activity input

Workaround:
Handle possible duplication at search time, for example with "| dedup Id" , or using a "| stats dc(Id) AS count" instead of a straight count of events

(this is assuming that "Id" is unique in the data returned by the search)

Third-party software attributions

Version 2.0.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

Version 1.1.0

Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 was released on May 23, 2019.

About this release

Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.6.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x
CIM 4.12
Supported OS Platform independent
Vendor products Microsoft Office 365

New features

Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

  • Configurable Token Refresh Window for the Management Activity inputs to support uninterrupted data ingestion.

Fixed Issues

Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following fixed issues.


Date resolved Issue number Description
2019-04-17 ADDON-20704 Add-on doesn't tag authentication events from o365 audit events
2019-04-14 ADDON-20616 Modular input hang on calling O365 Management API
2019-04-12 ADDON-20076 Data duplicating multiple times over for o365:management:activity
2019-04-11 ADDON-21196 splunk_ta_o365 - DLP Inputs - Date range for requested content is invalid
2018-10-12 ADDON-18373 Data ingestion may stop on Debian Linux Server

Known issues

Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.


Date filed Issue number Description
2019-06-25 ADDON-22238 web.conf settings cause other apps settings pages not to load properly

Workaround:
change the permission for setting(view) of Microsoft O365 to "this app only"

Or [views] export = none

2019-04-09 ADDON-21696 Data duplication issue over multiple content URL in o365:management:activity input

Workaround:
Handle possible duplication at search time, for example with "| dedup Id" , or using a "| stats dc(Id) AS count" instead of a straight count of events

(this is assuming that "Id" is unique in the data returned by the search)

Third-party software attributions

Version 1.1.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.


Version 1.0.0

Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.6.X, 7.0.X, 7.1.X
CIM Not supported
Supported OS Platform independent
Vendor products Microsoft Office 365

Migration

If you are currently using the Splunk Add-on for Microsoft Cloud Services to ingest Office 365 Management API data and are migrating to the Splunk Add-on for Office 365, disable the Office 365 modular input in the Splunk Add-on for Microsoft Cloud Services.

There are three new source types in the Splunk Add-on for Microsoft Office 365 which replace the single ms:o365:management source type in the Splunk Add-on for Microsoft Cloud Services. If you are migrating from the Splunk Add-on for Microsoft Cloud Services to the Splunk Add-on for Microsoft Office 365, you will need to update your existing dashboards, panels, and SPL with the new source types. See Source types for the Splunk Add-on for Microsoft Office 365.

New features

Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

  • Simple authentication with the Office 365 Management API applications.
  • Simple process for changing the registered application key.
  • Three new source types, o365:management:activity, o365:service:status, and o365:service:message.

Known issues

Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 contains the following known issues.


Date filed Issue number Description
2019-02-04 ADDON-21196 splunk_ta_o365 - DLP Inputs - Date range for requested content is invalid
2018-12-24 ADDON-20704 Add-on doesn't tag authentication events from o365 audit events
2018-12-17 ADDON-20616 Modular input hang on calling O365 Management API
2018-10-23 ADDON-20076 Data duplicating multiple times over for o365:management:activity

Workaround:
locate the lines from 117 - 119 in file splunk_ta_o365/bin/splunk_ta_o365/modinputs/management_activity.py, then change the line 117 like this:

{noformat} now = self._now() // 86400 * 86400 + 86400 end_time = datetime.utcfromtimestamp(now) start_time = end_time - timedelta(days=7){noformat} This should limit the duplicates, however, Microsoft still duplicates o365:management:activity events on their side that this doesn't catch, for that you can use dedup if needed: {noformat} sourcetype="o365:management:activity" | dedup _raw {noformat}

2018-06-11 ADDON-18373 Data ingestion may stop on Debian Linux Server

Third-party software attributions

Version 1.0.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.


See Release notes for the Splunk Add-on for Microsoft Office 365 for the release notes of this latest version.

Last modified on 01 February, 2023
PREVIOUS
Release notes for the Splunk Add-on for Microsoft Office 365
  NEXT
Hardware and software requirements for the Splunk Add-on for Microsoft Office 365

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters