
Download checksums

SHA256 (microsoft-o365-email-add-on-for-splunk_1040.tgz): 244c42e4046ac24e59c197c28abaf19477d3da3c0144e77d12416e57fe257d74
SHA256 (microsoft-o365-email-add-on-for-splunk_1038.tgz): a16231336be57638ebc15e4c85265a0cf06968272c5176d2e38ad1c1a9dc9a56
SHA256 (microsoft-o365-email-add-on-for-splunk_1036.tgz): 43591733ff920ea0b2e67c9db173ac2beb326eeec11911daa0de49f5ac28ad27


Microsoft O365 Email Add-on for Splunk

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and their impact on apps and upgrades here.
The Microsoft® O365® Email Add-on for Splunk® ingests O365 emails via Microsoft’s Graph API. This add-on provides various email analysis functions, such as attachment info, attachment analysis, IOC extraction and mail relay reporting, amongst others.

Attributions:

BeautifulSoup - https://www.crummy.com/software/BeautifulSoup/
Envelope logo - https://www.flaticon.com/authors/pixel-perfect
Macro detection via python-oletools - https://github.com/decalage2/oletools
PDF data extraction via pdfminer.six - https://github.com/pdfminer/pdfminer.six

This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files published with their own license.

The python-oletools package is copyright (c) 2012-2020 Philippe Lagadec (http://www.decalage.info)

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Microsoft O365 Email Add-on for Splunk Setup Instructions

The Microsoft O365 Email Add-on for Splunk ingests O365 emails via Microsoft’s Graph API. On each input interval it attempts to ingest up to 10,000 messages from a "compliance" mailbox.

Setup

1. This add-on utilises a compliance mailbox to ingest email. In order to set up the compliance mailbox, you must first have a compliance user (a regular user account that we’ve just called compliance here) set up in O365, who also has an email account configured. This user will only be used for this purpose, so take care to limit who has access to this account.

2. Once the user is set up with an email account, you need to configure a mail flow rule as described in the steps below. This rule will bcc every message sent to, from or within the organization to the defined compliance mailbox. After the add-on ingests the emails, it deletes them from the compliance mailbox so that mail does not build up over time (nothing touches the actual users’ mailboxes).

  • To create the email flow rule, browse to the Exchange Admin Center as a user who has permission to administer your O365 Exchange environment.

  • Select the mail flow option to begin setting up your email flow rule.

  • On this page, select the + icon and then click Create a new rule...

  • Within the new rule creation window, do the following (leave the other options as they are):

    a. Name the new rule.
    b. Under Apply this rule if… select Apply to all messages (if you want to have more specific email ingest policies, you can tweak this bit to only select the messages you want to ingest.)
    c. Under Do the following… select Bcc the message to option, which will bring up the mailbox selection screen.

  • In the window that pops up, select the compliance mailbox that you created at the beginning of this process. Make sure it appears in the box next to add-> and then click ok.

  • Click save on the rule creation window and in the Warning window that says “Do you want this rule to apply to all future messages?” click Yes to apply your rule. All mail should now be getting bcc’d into your compliance mailbox, ready for ingest.

3. The next step is to set up an App Registration under the Azure Portal which exposes the API for use by the Add-on.

  • Once you are logged into the Azure portal, you need to select App registrations (if you don’t see App registrations, type it into the search bar at the top and select it).

  • Select New registration to create the new application

  • Name your application and leave the other options as they are. Now click Register at the bottom to register your application.

  • In the newly registered application, select API permissions on the left, and then select Add a permission.

  • Select the Microsoft Graph API.

  • In the permissions selection area, select Application permissions as we don’t need a signed in user, then in the Select permissions search bar type mail, select the Mail permission group, and assign the Mail.ReadWrite permission (we need to read the emails, and then delete them after we’ve ingested them, hence the write permission). Then click Add permissions at the bottom of the screen to apply these.

  • You must then click Grant admin consent to allow these permissions to work.

  • Now select Certificates and secrets in the left menu bar, and then click New client secret.

  • Type in a description for the new client secret, and select an expiry (I’m selecting Never here. If you choose an expiry, remember that the Add-on will stop working when this secret expires. You’ll then need to renew it, or create a new secret and update the Add-on to get things working again). Click Add.

  • Copy the value of the client secret as soon as you create it, as it becomes obfuscated once you browse away from the app registration page.

  • Back under Overview, we want to capture the Client ID and Tenant ID values for use in the Add-on, just like the Client secret from the step above. Copy all of these values down for use in the Add-on setup next.

4. Install the Add-on on your Splunk instance and restart Splunk.

  • Open up the Add-on and select Configuration, then click on Add to create your account settings.

  • In Add Account, type in a name (this isn't taken from the Azure setup, just type in a name for reference). Then paste in the Client ID and Client Secret values from the steps above.

  • Next, click on Inputs to define your inputs for the Add-on and select Create New Input. If you have multiple compliance mailboxes, you can define multiple inputs, which allows you to ingest into different indexes for retention or security purposes.

  • In the new Input:

    a. Type in a name to reference this input by.
    b. Select an interval (>= 60 seconds is probably ideal to avoid API rate limiting).
    c. Define the Index you want to use within Splunk.
    d. Type in the email address for the compliance mailbox you set up at the beginning of this process.
    e. Paste in the Tenant ID from the Azure App registration setup.
    f. Select which endpoint you are using. For most this will be Worldwide. For US Government customers on GCC High, select USGovGCCHigh (v1.0.40 and above).
    g. If you want to ingest attachment details (file name, file type, size, id, and file hash) select the Get Attachment Info box.
    h. If you have chosen the Get Attachment Info option, select the hashing algorithm you want to use.
    i. If you want to attempt to extract IOCs (URL, domain, IPv4, and IPv6) from PDF, CSV, XML and HTML attachments and from email bodies, select Extract IOCs (for attachments, this requires Get Attachment Info to be selected).
    j. If you want to detect and analyse macros within Office file type attachments, select Macro Analysis (requires ingest attachment details to be selected).
    k. If you want to ingest the actual contents of PDF, CSV, XML and HTML attachments, select any or all of these types from the Attachment Data Ingest multi-dropdown (requires Get Attachment Info to be selected).
    l. If you want to ingest the entire message body (observe the warning in relation to large ingest), select the Get Body option.
    m. If you just want to ingest a preview (the first 255 characters) of the message body, select the Get Body Preview Box.
    n. If you want to show the SPF and DKIM data for the message, select Ingest Auth Results.
    o. If you want to show the entire X-Headers from the message, select Ingest X Headers.
    p. To show the various MTAs that the message has hopped through before getting to the end user, select the Show Relays option.
    q. Select the App Account that you defined in the App Configuration tab.
    r. Click add to complete the Add-on setup process.

5. If the Add-on is working, any emails accumulated in the compliance mailbox should now start disappearing as they are ingested into Splunk. To confirm, search your defined index for sourcetype=ms:o365:email.

For distributed installs, the add-on must be installed on search heads, indexers and heavy forwarders. Configure it on the heavy forwarder, or on the search head if you aren't using heavy forwarders, but only on one of them. Leave the add-on unconfigured on the indexing tier.
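Steps 3 to 5 above amount to an OAuth2 client-credentials flow against Microsoft Graph followed by a read-then-delete loop over the compliance mailbox. The following is an added Python illustration of that flow and is not the add-on's code: the function names, the FakeGraph stand-in and the page size are my own, the sample mailbox is constructed, and the login and Graph hostnames for the Worldwide and USGovGCCHigh endpoints are Microsoft's published national-cloud hostnames rather than values taken from the add-on.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, List, Tuple

# Login and Graph hosts for the two endpoints the add-on offers ("USGovGCCHigh"
# from v1.0.40): Microsoft's published national-cloud hostnames, not add-on values.
ENDPOINTS = {
    "Worldwide": ("https://login.microsoftonline.com", "https://graph.microsoft.com"),
    "USGovGCCHigh": ("https://login.microsoftonline.us", "https://graph.microsoft.us"),
}
MAX_PER_INTERVAL = 10_000  # the add-on's stated per-interval ceiling

HttpCall = Callable[[str, str], Tuple[int, dict]]  # (method, url) -> (status, json body)


def token_request(endpoint: str, tenant_id: str, client_id: str, client_secret: str):
    """Build the OAuth2 client-credentials request. It is app-only (no signed-in
    user), which is why the app registration needs *Application* permissions."""
    login, graph = ENDPOINTS[endpoint]
    url = f"{login}/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{graph}/.default",
    }).encode()
    return url, form


def fetch_token(endpoint: str, tenant_id: str, client_id: str, client_secret: str) -> str:
    """Live token call (not run offline). An expired client secret fails here,
    which is how the add-on stops working once the secret's expiry passes."""
    url, form = token_request(endpoint, tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.loads(resp.read())["access_token"]


def mailbox_url(endpoint: str, mailbox: str) -> str:
    """Base URL of the compliance mailbox (app-only calls address users/{id})."""
    return f"{ENDPOINTS[endpoint][1]}/v1.0/users/{urllib.parse.quote(mailbox)}"


def ingest_once(endpoint: str, mailbox: str, http: HttpCall, index,
                limit: int = MAX_PER_INTERVAL, page_size: int = 500) -> int:
    """One input interval: index each message, then delete it (both covered by
    Mail.ReadWrite). The first page is re-requested until the mailbox is empty
    or the limit is hit; following @odata.nextLink while deleting would skip
    messages, because the message collection's nextLink is offset-based."""
    base = mailbox_url(endpoint, mailbox)
    ingested = 0
    while ingested < limit:
        status, page = http("GET", f"{base}/messages?$top={page_size}")
        if status == 429:  # throttled: end this interval, the next one retries
            break
        if status != 200:
            raise RuntimeError(f"Graph GET failed with HTTP {status}")
        batch = page.get("value", [])
        if not batch:
            break
        for msg in batch:
            if ingested >= limit:
                break
            index(msg)  # hand the message to Splunk first ...
            del_status, _ = http("DELETE", f"{base}/messages/{msg['id']}")
            if del_status != 204:  # ... and only then remove it from the mailbox
                raise RuntimeError(f"Graph DELETE failed with HTTP {del_status}")
            ingested += 1
    return ingested


class FakeGraph:
    """Constructed offline stand-in for Graph: a mailbox of N messages that
    answers GET with the first $top messages and DELETE by message id."""

    def __init__(self, count: int):
        self.mailbox: List[dict] = [
            {"id": f"AAMk-constructed-{i:04d}", "subject": f"constructed message {i}"}
            for i in range(count)
        ]

    def __call__(self, method: str, url: str) -> Tuple[int, dict]:
        if method == "GET":
            top = int(urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["$top"][0])
            return 200, {"value": self.mailbox[:top]}
        if method == "DELETE":
            msg_id = url.rsplit("/", 1)[1]
            before = len(self.mailbox)
            self.mailbox = [m for m in self.mailbox if m["id"] != msg_id]
            return (204, {}) if len(self.mailbox) < before else (404, {})
        return 405, {}


def run_demo(count: int = 7, limit: int = MAX_PER_INTERVAL) -> Tuple[int, int]:
    """Drain a constructed mailbox in pages of 3; returns (ingested, left behind)."""
    graph = FakeGraph(count)
    indexed: List[dict] = []
    n = ingest_once("Worldwide", "compliance@contoso.example", graph, indexed.append,
                    limit=limit, page_size=3)
    return n, len(graph.mailbox)  # run_demo() -> (7, 0); run_demo(limit=5) -> (5, 2)
```

Indexing before deleting means a crash between the two calls leaves a duplicate in Splunk rather than a lost message, which is the safer failure for a compliance feed. Re-requesting the first page instead of following @odata.nextLink avoids skipping messages, since deletions shift the offsets that nextLink encodes. A 429 ends the interval early rather than retrying immediately, which is the same rate-limiting concern behind the >= 60 second interval recommendation in step 4.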

Release Notes

Version 1.0.40
Jan. 26, 2021

v1.0.40
Added in support for US Gov GCC High customers.

v1.0.38
New logic behind MTA src server parsing.

v1.0.36
Gives option to read zip file contents (used to do this by default)
Populates MTA src and dest fields properly now.
Fixed issues with MTA src and dest calculations found in v1.0.34
Fixed issue with dest field not showing correct final MTA hop in v1.0.35

v1.0.32
Built in better error handling routines.
Attempts to read zip file contents (file names and hashes)

v1.0.30
Fixed an issue with macro detection.

v1.0.29
Added support for OneDrive link attachment types (https://docs.microsoft.com/en-us/graph/api/resources/referenceattachment?view=graph-rest-1.0)

v1.0.28
Fixed handling of multiple attachment types within a single email (Thanks to Kelby Shelton)
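The Show Relays, Ingest Auth Results, Get Attachment Info and Extract IOCs options in step 4 of the setup, and the MTA src/dest fields these release notes refer to, all come down to parsing the message headers and MIME parts. The following is an added Python illustration, not the add-on's code: the message is constructed, and the function names, regexes and output field names are my own.

```python
import email
import hashlib
import ipaddress
import re
from email import policy
from typing import Dict, List

# Constructed sample: three Received hops, mixed auth verdicts, one CSV attachment.
RAW_MESSAGE = b"""Received: from mx2.contoso.example (10.0.0.5) by exch1.contoso.example with SMTP; Mon, 25 Jan 2021 10:00:02 +0000
Received: from mail.sender.example (198.51.100.7) by mx2.contoso.example with ESMTPS; Mon, 25 Jan 2021 10:00:01 +0000
Received: from [192.0.2.10] by mail.sender.example with ESMTPA; Mon, 25 Jan 2021 10:00:00 +0000
Authentication-Results: exch1.contoso.example; spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=sender.example; dkim=fail header.d=sender.example; dmarc=fail action=quarantine
From: billing@sender.example
Subject: Invoice 4471
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review http://invoice-portal.example/pay?id=77 or call 203.0.113.9.
--b1
Content-Type: text/csv; name="hosts.csv"
Content-Disposition: attachment; filename="hosts.csv"

host,addr
c2.badhost.example,2001:db8::1
--b1--
"""

RECEIVED_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
URL_RE = re.compile(r"""https?://[^\s<>"')]+""")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
IPV6_RE = re.compile(r"\b(?:[0-9a-f]{0,4}:){2,7}[0-9a-f]{1,4}\b", re.I)
# Attachment types scanned as text for IOCs (PDF would need pdfminer.six).
TEXT_TYPES = {"text/plain", "text/csv", "text/html", "text/xml", "application/xml"}

def parse_relays(msg) -> List[Dict[str, str]]:
    """Each MTA prepends its own Received: header, so header order is newest
    first; reversing it gives the chronological hop list (MTA src -> dest)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(str(value))
        if m:
            hops.append({"from": m.group(1), "by": m.group(2)})
    return hops

def parse_auth_results(msg) -> Dict[str, str]:
    """SPF/DKIM/DMARC verdicts from Authentication-Results (first one wins)."""
    results: Dict[str, str] = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(str(value)):
            results.setdefault(mech.lower(), verdict.lower())
    return results

def attachment_info(msg, algorithm: str = "sha256") -> List[dict]:
    """Name, type, size and hash per attachment; the algorithm is selectable
    like the add-on's Get Attachment Info option."""
    infos = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        infos.append({"name": part.get_filename(), "type": part.get_content_type(),
                      "size": len(data), "hash": hashlib.new(algorithm, data).hexdigest()})
    return infos

def _is_ip(candidate: str, version: int) -> bool:
    """Validate regex hits so timestamps like 10:00:02 are not reported as IPv6."""
    try:
        return ipaddress.ip_address(candidate).version == version
    except ValueError:
        return False

def extract_iocs(msg) -> Dict[str, List[str]]:
    """URLs, domains, IPv4 and IPv6 from the body and text-like attachments."""
    texts = []
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        texts.append(body.get_content())
    for part in msg.iter_attachments():
        if part.get_content_type() in TEXT_TYPES:
            texts.append((part.get_payload(decode=True) or b"").decode("utf-8", "ignore"))
    blob = "\n".join(texts)
    ipv4 = {c for c in IPV4_RE.findall(blob) if _is_ip(c, 4)}
    ipv6 = {c for c in IPV6_RE.findall(blob) if _is_ip(c, 6)}
    domains = {d.lower() for d in DOMAIN_RE.findall(blob)} - ipv4
    return {"urls": sorted(set(URL_RE.findall(blob))), "domains": sorted(domains),
            "ipv4": sorted(ipv4), "ipv6": sorted(ipv6)}

def analyze(raw: bytes) -> dict:
    """One record per message with the fields the input options above enable."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    relays = parse_relays(msg)
    return {"relays": relays,
            "mta_src": relays[0]["from"] if relays else None,
            "mta_dest": relays[-1]["by"] if relays else None,
            "auth": parse_auth_results(msg),
            "attachments": attachment_info(msg),
            "iocs": extract_iocs(msg)}
```

Received headers are written by each MTA in turn and prepended, so the chronological chain is the reversed header list: the oldest hop's from is the MTA src and the newest hop's by is the MTA dest. IP candidates from the regexes are validated with ipaddress, which is what keeps timestamps and over-range octets out of the results. HTML is scanned here as raw text; PDF data and Office macros, which the add-on's attributions cover with pdfminer.six and python-oletools, are outside this snippet.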

Version 1.0.38
Jan. 8, 2021

Version 1.0.36
Jan. 5, 2021

Installs: 51
Downloads: 115