Release notes for the Splunk Add-on for Microsoft Office 365

Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 was released on October 13, 2021.

About this release

Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 is compatible with the following software, CIM versions, and platforms.

Splunk platform versions: 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x, 8.1.x
CIM: 4.20
Supported OS: Platform independent
Vendor products: Microsoft Office 365

The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.

For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.

New features

Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 has the following new features.

  • Common Information Model (CIM) version 4.20 compatibility and enhanced CIM mapping.
  • Enhanced CIM mapping for the following sourcetypes:
    • o365:management:activity
    • o365:service:status
    • o365:service:message
    • o365:cas:api
    • o365:graph:api
  • Added support for the Alerts CIM data model for the following sourcetypes:
    • o365:service:status
    • o365:service:message
    • o365:cas:api
  • Updates to the lookup splunk_ta_o365_cim_change_analysis.csv
  • Updates to the lookup splunk_ta_o365_cim_data_access.csv
  • Self-service app install (SSAI) upgrades do not automatically update the lookups with the latest values. To fix this, upgrade the add-on, then manually update the lookup files using the lookup files from the latest version of this add-on.

Field changes

The following sections contain information on fields and data models that have been added, modified, or removed in this release.

Fields added and removed

The following tables display the fields that have been added and removed in this release, listed by sourcetype.

Sourcetype: o365:management:activity (rows list Operation, Fields added, Fields removed)

Operation: AccessRequestCreated, GroupRemoved, GroupUpdated, SiteCollectionCreated, AccessRequestRejected, SharingSet, RemovedFromGroup, AccessRequestApproved, AddedToGroup, GroupAdded, SharingRevoked
Fields added: status, authentication_service, dest_name, result, object_attrs
Fields removed: (none)

Operation: Add application.
Fields added: env_name, env_seqNum, authentication_service, targetName, correlationId, env_appVer, dataset_name, targetObjectId, ResultStatusDetail, user_agent, tag, modified_properties_new_value, auditEventCategory, env_popSample, env_time, env_cloud_name, modified_properties_name, action, actorUPN, nCloud, env_iKey, env_flags, tag::eventtype, env_cv, actorPUID, FlowTokenScenario, authentication_method, targetContextId, env_cloud_deploymentUnit, UserAuthenticationMethod, change_type, actorObjectClass, object_category, version, KeepMeSignedIn, actorAppID, targetSPN, eventtype, actorObjectId, additionalTargets, dest_name, env_epoch, env_cloud_roleVer, UserAgent, extended_properties, user_agent_change, env_cloud_ver
Fields removed: object_path, reason, modified_properties_mv

Operation: Add device.
Fields added: authentication_service, correlationId, dataset_name, tag, modified_properties_new_value, env_cloud_name, modified_properties_name, action, actorContextId, object_attrs, tag::eventtype, actorPUID, change_type, object_category, env_ver, actorAppID, targetSPN, eventtype, dest_name, extended_properties, modified_properties
Fields removed: object_id, object_path

Operation: Add group.
Fields added: auditEventCategory, modified_properties, targetContextId, modified_properties_name, authentication_service, additionalDetails, env_ver, env_cv, dest_name, env_cloud_roleVer, object_attrs, extended_properties, targetIncludedUpdatedProperties, user_agent, modified_properties_new_value, user_agent_change
Fields removed: object_id, object_path

Operation: Add member to group.
Fields added: actorAppID, env_time, env_cloud_name, modified_properties_name, authentication_service, targetSPN, src_user, dest_name, actorUPN, object_attrs, extended_properties, teamName, env_cv, modified_properties_new_value, modified_properties
Fields removed: object_id, object_path

Operation: Add member to role.
Fields added: modified_properties, targetContextId, modified_properties_name, authentication_service, env_cloud_deploymentUnit, additionalDetails, targetName, correlationId, dest_name, nCloud, object_attrs, extended_properties, user_agent, modified_properties_new_value, env_appId, user_agent_change
Fields removed: object_id, object_path

Operation: Add owner to application.
Fields added: modified_properties, modified_properties_name, authentication_service, env_cloud_deploymentUnit, targetSPN, env_epoch, dest_name, env_cloud_roleVer, object_attrs, extended_properties, version, env_cloud_environment, user_agent, modified_properties_new_value, user_agent_change
Fields removed: object_id, object_path

Operation: Add owner to service principal.
Fields added: authentication_service, dest_name, object_attrs, extended_properties, user_agent, user_agent_change
Fields removed: object_id, object_path

Operation: Add service principal.
Fields added: env_name, env_seqNum, authentication_service, targetName, targetObjectId, ResultStatusDetail, targetIncludedUpdatedProperties, env_cloud_environment, user_agent, modified_properties_new_value, auditEventCategory, env_osVer, env_popSample, env_cloud_name, modified_properties_name, src_user, RequestType, actorUPN, nCloud, env_iKey, env_cv, actorPUID, env_appId, FlowTokenScenario, resultDescription, authentication_method, env_cloud_deploymentUnit, env_os, UserAuthenticationMethod, actorObjectClass, version, KeepMeSignedIn, env_ver, actorAppID, actorObjectId, env_epoch, dest_name, env_cloud_roleVer, result, env_cloud_roleInstance, extended_properties, teamName, user_agent_change, actorContextId
Fields removed: object_path, modified_properties_mv

Operation: Add user.
Fields added: env_seqNum, modified_properties_name, authentication_service, src_name, targetName, dest_name, env_cloud_roleVer, env_appVer, actorContextId, env_cloud_role, object_attrs, extended_properties, teamName, modified_properties_new_value, modified_properties
Fields removed: object_id, object_path

Operation: FolderDeleted, SiteCollectionQuotaModified, SecureLinkCreated, CommentCreated, ListColumnCreated, ListViewUpdated, PermissionLevelAdded, WebMembersCanShareModified, CommentDeleted, ListUpdated, WebRequestAccessModified, ListColumnUpdated, ListCreated, WebAccessRequestApproverModified, CompanyLinkCreated, FolderModified, AddedToSecureLink, FolderCreated
Fields added: status, authentication_service, action, eventtype, dest_name, dataset_name, result, object_attrs, change_type, object_category, tag::eventtype, tag
Fields removed: (none)

Operation: SharingInheritanceBroken, ClientViewSignaled, ListViewed, PageViewed, PagePrefetched, PageViewedExtended
Fields added: status, authentication_service, action, eventtype, dest_name, dataset_name, result, object_category, tag::eventtype, tag
Fields removed: (none)

Operation: Delete user.
Fields added: actorAppID, env_osVer, modified_properties_name, authentication_service, extendedAuditEventCategory, actorObjectId, dest_name, env_cloud_roleVer, object_attrs, env_flags, env_cloud_environment, extended_properties, modified_properties_new_value, modified_properties
Fields removed: object_id, object_path

Operation: FileCheckedOut, FileCheckedIn, FileCheckOutDiscarded, FileCopied, FileAccessed, FileDownloaded
Fields added: status, authentication_service, dest_name, result, tag::object_category
Fields removed: change_type

Operation: FilePreviewed, FileAccessedExtended
Fields added: status, authentication_service, action, eventtype, dest_name, dataset_name, result, tag::object_category, object_category, tag::eventtype, tag
Fields removed: (none)

Operation: FileMoved, FileModified, FileDeleted, FileRestored, FileRenamed, FileUploaded
Fields added: status, authentication_service, dest_name, result, tag::object_category, object_attrs
Fields removed: (none)

Operation: FileVersionsAllDeleted, FileModifiedExtended
Fields added: status, authentication_service, action, eventtype, dest_name, dataset_name, result, tag::object_category, object_attrs, change_type, object_category, tag::eventtype, tag
Fields removed: (none)

Operation: SiteCollectionAdminRemoved, SharingPolicyChanged, SiteColumnCreated
Fields added: status, authentication_service, action, eventtype, dest_name, dataset_name, result, object_attrs, change_type, object_category, tag::eventtype, tag
Fields removed: src, src_ip

Operation: SiteCollectionAdminAdded
Fields added: status, authentication_service, dest_name, result, object_attrs
Fields removed: src, src_ip

Operation: Update application.
Fields added: env_name, env_seqNum, authentication_service, env_cloud_ver, targetName, correlationId, resultType, env_appVer, dataset_name, ResultStatusDetail, targetIncludedUpdatedProperties, env_cloud_environment, tag, user_agent, modified_properties_new_value, env_popSample, env_time, env_cloud_name, modified_properties_name, action, RequestType, env_cloud_role, env_iKey, env_flags, tag::eventtype, env_cv, env_appId, FlowTokenScenario, authentication_method, targetContextId, env_cloud_deploymentUnit, env_os, src_name, UserAuthenticationMethod, change_type, actorObjectClass, object_category, env_ver, actorAppID, targetSPN, eventtype, additionalTargets, dest_name, env_epoch, env_cloud_roleVer, result, env_cloud_roleInstance, extended_properties, user_agent_change, actorContextId
Fields removed: object_id, object_path, modified_properties_mv

Operation: Update device.
Fields added: authentication_service, targetName, dataset_name, tag, modified_properties_new_value, auditEventCategory, modified_properties_name, action, env_iKey, tag::eventtype, env_cv, actorPUID, env_cloud_deploymentUnit, change_type, object_category, eventtype, actorObjectId, dest_name, extended_properties, env_cloud_ver
Fields removed: object_id, object_path, modified_properties_mv

Operation: Update group.
Fields added: modified_properties_name, authentication_service, env_cloud_ver, env_epoch, correlationId, dest_name, actorContextId, actorUPN, env_cloud_roleInstance, object_attrs, extended_properties, version, modified_properties_new_value, modified_properties
Fields removed: object_id, object_path

Operation: Update user.
Fields added: env_name, env_seqNum, authentication_service, targetName, correlationId, targetObjectId, targetIncludedUpdatedProperties, env_cloud_environment, user_agent, modified_properties_new_value, modified_properties, env_popSample, env_time, modified_properties_name, env_cloud_role, actorUPN, object_attrs, nCloud, env_flags, env_iKey, env_cv, actorPUID, env_appId, FlowTokenScenario, resultDescription, authentication_method, env_cloud_deploymentUnit, env_os, src_name, UserAuthenticationMethod, actorObjectClass, KeepMeSignedIn, additionalDetails, env_ver, actorAppID, targetSPN, actorObjectId, additionalTargets, dest_name, env_cloud_roleVer, env_cloud_roleInstance, UserAgent, extended_properties, teamName, extendedAuditEventCategory, actorContextId
Fields removed: object_path, reason

Operation: UserLoggedIn
Fields added: FlowTokenScenario, actorAppID, authentication_method, targetContextId, env_seqNum, targetSPN, authentication_service, RequestType, dest_name, correlationId, ResultStatusDetail, actorUPN, UserAuthenticationMethod, tag::action, extended_properties, teamName, env_ver
Fields removed: object_id, modified_properties, object_path, object_attrs, reason, modified_properties_mv

Operation: UserLoginFailed
Fields added: env_name, authentication_service, env_cloud_environment, env_osVer, env_popSample, nCloud, env_cv, env_appId, FlowTokenScenario, env_os, actorObjectClass, tag::action, KeepMeSignedIn, actorAppID, additionalTargets, dest_name, result, extended_properties, extendedAuditEventCategory
Fields removed: object_id, IsCompliantAndManaged, SessionId, object_path, BrowserType

Sourcetype: o365:service:status (rows list Status, Fields added, Fields removed)

Status: ServiceOperational, ServiceRestored, ServiceDegradation
Fields added: tag::eventtype, signature, eventtype, type, dest, severity, app, id, tag, description
Fields removed: (none)

Sourcetype: o365:service:message (rows list ImpactDescription, Fields added, Fields removed)

ImpactDescription: Users may be unable to view shared calendars within the Outlook client or Outlook on the web services., Admins were unable to access the Microsoft Secure Score webpage via the Microsoft 365 security center., Admins may see Microsoft 365 app usage and productivity score reports data delayed after June 30, 2021., Admins may have experienced delayed data in Productivity score reports from the Microsoft 365 admin center., Users may be unable to use the multi-language spellcheck feature of the Microsoft Teams desktop client., Users may have intermittently been unable to connect to the OneDrive for Business service., null, Admins see some users' Outlook Desktop activity isn't showing up in usage reports., Users are unable to create Skype account., Admins may experience a delay in receiving messages., Users may have been unable to use the search function in SharePoint Online., Users may have been unable to sign in to Outlook., Users may have been unable to sign in to Skype., Users are unable to create Outlook account., Admins may have been unable to install O365., Users saw an error and were unable to access the "Shared by you" tab in OneDrive for Business., Admins may have seen a delay in updated data for Skype for Business usage reports within the Microsoft 365 admin center., Admins are unable to exclude errors., Users were seeing errors when downloading records with 10,000 or more entries from the Security and Compliance Center.
Fields added: tag::eventtype, signature, body, eventtype, type, dest, severity, app, id, tag, description
Fields removed: (none)

Sourcetype: o365:cas:api (rows list isSystemAlert, Fields added, Fields removed)

isSystemAlert: true
Fields added: app, signature, src, eventtype, type, dest, severity, severity_id, tag::eventtype, user, tag
Fields removed: (none)

Sourcetype: o365:cas:api (rows list policyType, Fields added, Fields removed)

policyType: NEW_SERVICE
Fields added: app, signature, src, eventtype, type, severity, severity_id, tag::eventtype, tag
Fields removed: (none)

Sourcetype: o365:graph:api (rows list sourcetype, Fields added, Fields removed)

sourcetype: o365:graph:api
Fields added: eventtype
Fields removed: (none)

Fields modified

The following tables display the fields that have been modified in this release, listed by sourcetype.

Sourcetype: o365:management:activity (rows list CIM field, Operation, Vendor field before, Vendor field after, Sample value before, Sample value after)

CIM field: user
Operation: Add member to role., Add member to group.
Vendor field before: UserId
Vendor field after: ObjectId
Sample value before: abcd@27cf00f56f558d8859778b97.example.com
Sample value after: abcdefghi@d10b5fea7bd2276be1bba7cd.qwertyu.com

CIM field: user_id
Operation: UserLoggedIn, UserLoginFailed
Vendor field before: UserId
Vendor field after: Actor{}.ID where Actor{}.Type=3
Sample value before: abcd@27cf00f56f558d8859778b97.example.com
Sample value after: 10037FFE8EC1E08E

CIM field: reason
Operation: where ResultStatus indicates "failure", such as UserLoginFailed
Vendor field before: LogonError
Vendor field after: resultDescription OR ResultStatusDetail
Sample value before: InvalidUserNameOrPassword
Sample value after: UserError

CIM field: status
Operation: All where ResultStatus IN (failed, failure, success, succeeded)
Vendor field before: ResultStatus
Vendor field after: ResultStatus
Sample value before: failure, failed, success, succeeded
Sample value after: failure, success

CIM field: dvc
Operation: where Workload=SharePoint
Vendor field before: Workload
Vendor field after: ObjectId
Sample value before: SharePoint
Sample value after: a830edad9050849nda3079.sharepoint.com

CIM field: modified_properties
Operation: Add application., Add service principal., Update application., Update device.
Vendor field before: ModifiedProperties{} from the event
Vendor field after: ModifiedProperties{} from the event
Sample value before: AppId, AppIdentifierUri, AvailableToOtherTenants, DisplayName, Entitlement, PublicClient, WwwHomepage
Sample value after: ISAD7.1|primary|a\"\r\n]","OldValue":"[]"},{"Name":"Included Updated Properties","NewValue":"AppId, AppIdentifierUri, AvailableToOtherTenants, DisplayName, Entitlement, PublicClient, WwwHomepage","OldValue":""}

CIM field: object_category
Operation: Add service principal.
Vendor field before: Static value: user
Vendor field after: Static value: ServicePrincipal

CIM field: object_category
Operation: Update group.
Vendor field before: Static value: user, group
Vendor field after: Static value: group

CIM field: object_category
Operation: SiteCollectionCreated
Vendor field before: Static value: user
Vendor field after: Static value: site

CIM field: change_type
Operation: AccessRequestApproved, AccessRequestRejected, SharingSet
Vendor field before: Static value: user
Vendor field after: Static value: AAA

CIM field: change_type
Operation: SiteCollectionCreated
Vendor field before: Static value: user
Vendor field after: Static value: collection

CIM field: dest
Operation: Add application., Add user., Update user., Delete user., Add group., Add device., Update device, Update application., Add owner to application., Add service principal., Add member to group., Add member to role, etc. where env_cloud_name is present inside ExtendedProperties{} in the event
Vendor field before: ObjectId
Vendor field after: env_cloud_name OR ObjectId
Sample value before: abcdef@705e62b9e1c0c47a2c4e0709.example.com
Sample value after: MSO-BY1

CIM field: dest
Operation: UserLoggedIn, UserLoginFailed
Vendor field before: ObjectId
Vendor field after: Static value: Microsoft Office 365 AzureActiveDirectory
Sample value before: 797f4846-ba00-4fd7-ba43-dac1f8f63013
Sample value after: Microsoft Office 365 AzureActiveDirectory

CIM field: dest
Operation: If env_cloud_name is not present in the event, then ObjectId will be dest
Vendor field before: ObjectId
Vendor field after: ObjectId

CIM field: action
Operation: AccessRequestRejected
Vendor field before: Static value: unknown
Vendor field after: Static value: deleted

CIM field: action
Operation: FileCheckOutDiscarded
Vendor field before: Static value: modified
Vendor field after: Static value: read

CIM field: action
Operation: FileCheckedIn
Vendor field before: Static value: created
Vendor field after: Static value: read

CIM field: action
Operation: FileCopied
Vendor field before: Static value: read
Vendor field after: Static value: copied

CIM field: action
Operation: FileDownloaded
Vendor field before: Static value: read
Vendor field after: Static value: downloaded

CIM field: action
Operation: Add group., SharingSet
Vendor field before: Static value: modified
Vendor field after: Static value: created

CIM field: object_attrs
Operation: Add user., Update user., Add group., Add device., Add application., etc.
Vendor field before: ModifiedProperties{} from the event, a list of the attributes that were modified
Vendor field after: ModifiedProperties{} from the event, rendered as key=value pairs of the relevant attributes
Sample value before: StsRefreshTokensValidFrom, UserType, AccountEnabled, UserPrincipalName
Sample value after: UserPrincipalName=abcdef@705e62b9e1c0c47a2c4e0709.example.com, AccountEnabled=true, UserType=Member

CIM field: object_attrs
Operation: Update group., Update application.
Vendor field before: ModifiedProperties{} from the event, a list of the attributes that were modified
Vendor field after: object_category
Sample value before: LastDirSyncTime
Sample value after: group, application

CIM field: object
Operation: Add group., Update group., Add device., Update device., Add application., Update application., Add service principal.
Vendor field before: ObjectId
Vendor field after: targetName
Sample value before: Not Available
Sample value after: APP_User_Adobe_Sign, EBIZ_SAP_PP_USR, iPad-ABCD1234, Fraedom Flexipurchase

CIM field: object_id
Operation: where Workload=AzureActiveDirectory
Vendor field before: ObjectId
Vendor field after: targetObjectId from ExtendedProperties{} in the event
Sample value before: abcdef@705e62b9e1c0c47a2c4e0709.example.com
Sample value after: 93a565f6-d0fc-4ac3-9d2a-8c1de9aeed3c

Sourcetype: o365:cas:api (rows list CIM field, Condition (isSystemAlert=true), Vendor field before, Vendor field after, Sample value before, Sample value after)

CIM field: description
Condition: where description="" OR isnull(description)
Vendor field before: description
Vendor field after: title
Sample value before: empty
Sample value after: System alert: Deprecation of Label Management in the Azure Portal, System alert: Service health status page deprecation
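After upgrading, it is worth confirming that the remapped fields above come out as the table says for your own events. The following is an added example, not code from the add-on or from Splunk: it applies several of the listed rules (ResultStatus collapsed to failure/success, reason from resultDescription OR ResultStatusDetail, user_id from Actor{}.ID where Actor{}.Type=3, dest from env_cloud_name or ObjectId, object_id from targetObjectId, object_attrs as key=value pairs, and the static object_category values) to two constructed events. It assumes that resultDescription, ResultStatusDetail, env_cloud_name and targetObjectId are Name/Value entries of ExtendedProperties{} and that ModifiedProperties{} NewValue fields are JSON-encoded lists, as in the Office 365 Management Activity API; the sample events are constructed and simplified, and the Actor entry with Type 5 is only there to show the Type=3 selection.

```python
"""Added example: derive CIM fields from Office 365 management activity events
using the 2.2.0 mapping rules listed in the "Fields modified" table."""
import json
from typing import Any, Dict, List, Optional

# ResultStatus normalisation: four raw values before 2.2.0, only failure/success after.
STATUS_MAP = {"failed": "failure", "failure": "failure",
              "succeeded": "success", "success": "success"}

# Static object_category values per operation, as the table lists them.
OBJECT_CATEGORY = {"Add service principal.": "ServicePrincipal",
                   "Update group.": "group",
                   "SiteCollectionCreated": "site"}

LOGIN_OPS = {"UserLoggedIn", "UserLoginFailed"}
MEMBER_OPS = {"Add member to role.", "Add member to group."}
ACTOR_TYPE_USER = 3  # the Actor{}.Type value the table selects user_id by
LOGIN_DEST = "Microsoft Office 365 AzureActiveDirectory"


def _ext(event: Dict[str, Any], name: str) -> Optional[str]:
    """Value of the ExtendedProperties{} entry called `name` (assumed Name/Value pairs)."""
    for prop in event.get("ExtendedProperties") or []:
        if prop.get("Name") == name:
            return prop.get("Value")
    return None


def _unwrap(value: Any) -> Optional[str]:
    """ModifiedProperties NewValue is assumed to be a JSON-encoded list; flatten it."""
    if not isinstance(value, str):
        return None if value is None else str(value)
    try:
        parsed = json.loads(value)
    except ValueError:
        return value
    if isinstance(parsed, list):
        return ", ".join(str(x) for x in parsed) or None
    return str(parsed)


def map_cim(event: Dict[str, Any]) -> Dict[str, Any]:
    """Return the CIM fields this example derives from one raw event."""
    op = event.get("Operation", "")
    cim: Dict[str, Any] = {}

    raw_status = str(event.get("ResultStatus", "")).lower()
    if raw_status in STATUS_MAP:
        cim["status"] = STATUS_MAP[raw_status]

    # reason on failures: resultDescription OR ResultStatusDetail (LogonError before 2.2.0).
    if cim.get("status") == "failure":
        reason = _ext(event, "resultDescription") or _ext(event, "ResultStatusDetail")
        if reason:
            cim["reason"] = reason

    if op in LOGIN_OPS:
        # user_id: Actor{}.ID where Actor{}.Type=3; dest is the static Azure AD value.
        for actor in event.get("Actor") or []:
            if actor.get("Type") == ACTOR_TYPE_USER:
                cim["user_id"] = actor.get("ID")
                break
        cim["dest"] = LOGIN_DEST
    else:
        # dest: env_cloud_name when present in ExtendedProperties{}, otherwise ObjectId.
        cim["dest"] = _ext(event, "env_cloud_name") or event.get("ObjectId")

    if op in MEMBER_OPS:
        cim["user"] = event.get("ObjectId")  # UserId before 2.2.0

    if event.get("Workload") == "AzureActiveDirectory":
        target = _ext(event, "targetObjectId")
        if target:
            cim["object_id"] = target  # ObjectId before 2.2.0

    # object_attrs: ModifiedProperties{} as key=value pairs instead of a bare name list.
    attrs: List[str] = []
    for prop in event.get("ModifiedProperties") or []:
        value = _unwrap(prop.get("NewValue"))
        if prop.get("Name") and value:
            attrs.append(f"{prop['Name']}={value}")
    if attrs:
        cim["object_attrs"] = ", ".join(attrs)

    if op in OBJECT_CATEGORY:
        cim["object_category"] = OBJECT_CATEGORY[op]
    return cim


# Constructed sample events (simplified; sample values taken from the table above).
SAMPLE_ADD_USER = {
    "Operation": "Add user.", "Workload": "AzureActiveDirectory", "ResultStatus": "Success",
    "ObjectId": "abcdef@705e62b9e1c0c47a2c4e0709.example.com",
    "ModifiedProperties": [
        {"Name": "AccountEnabled", "NewValue": "[\r\n  \"true\"\r\n]", "OldValue": "[]"},
        {"Name": "UserType", "NewValue": "[\r\n  \"Member\"\r\n]", "OldValue": "[]"}],
    "ExtendedProperties": [
        {"Name": "env_cloud_name", "Value": "MSO-BY1"},
        {"Name": "targetObjectId", "Value": "93a565f6-d0fc-4ac3-9d2a-8c1de9aeed3c"}],
}
SAMPLE_LOGIN_FAILED = {
    "Operation": "UserLoginFailed", "Workload": "AzureActiveDirectory", "ResultStatus": "Failed",
    "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013", "LogonError": "InvalidUserNameOrPassword",
    "Actor": [{"ID": "abcd@27cf00f56f558d8859778b97.example.com", "Type": 5},
              {"ID": "10037FFE8EC1E08E", "Type": 3}],
    "ExtendedProperties": [{"Name": "ResultStatusDetail", "Value": "UserError"}],
}

if __name__ == "__main__":
    for sample in (SAMPLE_ADD_USER, SAMPLE_LOGIN_FAILED):
        print(json.dumps(map_cim(sample), indent=2))
```

Running the script prints the derived fields for both events; the Add user. event yields dest=MSO-BY1, object_id from targetObjectId and object_attrs as key=value pairs, while the UserLoginFailed event yields status=failure, reason=UserError and user_id from the Type=3 actor. Comparing that output with what a search over the upgraded add-on's events returns is a quick way to spot a mapping that did not take effect, for instance because the lookups were not updated after an SSAI upgrade.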

Modified data models

The following table displays the CIM data models that have been modified in this release, listed by sourcetype.

Sourcetype: o365:management:activity
Operation: FileAccessed, FileCheckedOut, FileCheckOutDiscarded, FileCopied, FileCheckedIn, FileDownloaded
Previous CIM model: Change:Endpoint_Changes
New CIM model: Data Access

Fixed issues

Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, fixed issues.

Known issues

Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 contains the following, if any, known issues.

Third-party software attributions

Version 2.2.0 of the Splunk Add-on for Microsoft Office 365 incorporates the following third-party software or libraries.

Last modified on 14 October, 2021

This documentation applies to the following versions of Splunk® Supported Add-ons: released

