Hello, I've been noticing that the raw email logs from Office 365 do not contain the recipient email address or user name. How do I resolve this issue, or are there configurations that need to be fixed?
We are just taking what is given when it is raw. What I see is that there is an audit component on the MS side. I'd recommend starting there, see if that gets what you need, then come back here.
Purview Compliance Portal:
You'll need to access the Microsoft Purview compliance portal (accessible through the Office 365 Admin Center) to enable and manage audit logging.
Audit Log Search:
Within the compliance portal, you'll navigate to the "Audit" solution and search the audit log.
Recipient:
When auditing email-related activities (e.g., email sending, receiving, deletion), the recipient's email address will be recorded in the audit log.
Username:
The user's username (or User Principal Name - UPN) is usually included in audit log entries related to user activities, such as file downloads, deletions, or login attempts.
We are looking into this same issue. We currently use Mimecast and pull our logs from there. However, we are moving away from Mimecast. How can we pull the same email trace logs into Chronicle? We are not on SecOps; we are on the older platform.
Hi,
Based on your description, it sounds like you're referring to the Message Trace report, rather than the Microsoft 365 logs.
To access this data, you'll need to configure a new ingestion pipeline. (I typically ingest these logs via Microsoft Defender for Office 365.)
Could you confirm if this is the issue you're encountering?
Is this a feed that you have configured? Are you able to share the details of what you have configured?
Shaun is the one working on this from our team.
Sure!
I’ve configured all logs in Defender to be sent to an "Azure Storage Account".
(Today, you can also use "Azure Event Hub", which is easier to configure — but since it's still under GA, you’ll probably need to discuss it with your Google Customer Engineer to enable it in your SecOps instance.)
I’m pulling the logs from there using a feed.
It looks like this:
Please use the following guide:
https://cloud.google.com/chronicle/docs/ingestion/default-parsers/collect-microsoft-defender-endpoint
Note - the relevant log types for "Microsoft Defender for Office 365" are:
@Eoved GA means "General Availability" - so every customer with proper entitlements for certain features would have this feature/module/component.
Event Hub is available as a feed type, but keep in mind that there are associated costs with that as well.
You can use the Graph API as well, but without looking at some logs, I cannot accurately tell you if those email logs are available through Graph.