Ingest logs and data from Microsoft 365

Product
Cortex XDR
License
Prevent
Pro
Creation date
2024-03-06
Last date published
2025-07-10
Category
Administrator Guide
Abstract

The Microsoft 365 email collector fetches emails through Microsoft Graph API, using an authorized app. A compliance mailbox is not required.

The Microsoft 365 email collector fetches email metadata through Microsoft Graph API, using an authorized app. A compliance mailbox is not required.

Note

For other logs from Microsoft Office 365, use the Office 365 data collector. For more information, see Ingest Logs from Microsoft Office 365.

Prerequisites

  • A user account with the Microsoft Azure Account Administrator role is required to set up a new Microsoft 365 email collector.

  • The following Microsoft Graph API permissions are required:

    • Mailbox access (read-write)

      • Read and write mail in all mailboxes

      • Read contacts in all mailboxes

      • Read all user mailbox settings

    • User information, groups, and directory data (read-only)

      • Read directory data

      • Read all groups

      • Read all users' full profiles
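
One check an administrator can run after consenting the app is to confirm that it holds exactly the application permissions listed above and nothing broader. The following Python script is an added example, not part of this guide or of Palo Alto Networks' code. It assumes two exported Microsoft Graph responses (the Microsoft Graph service principal's `appRoles` and the collector app's `appRoleAssignments`), uses constructed placeholder GUIDs rather than the real role ids, and maps the display names above to Graph permission values (`Mail.ReadWrite`, `Contacts.Read`, `MailboxSettings.Read`, `Directory.Read.All`, `Group.Read.All`, `User.Read.All`) on this example's own assumption, since the page lists only display names.

```python
"""Least-privilege check for the Microsoft Graph application permissions held by
the Microsoft 365 email collector's authorized app.

Added example, not Palo Alto Networks or Microsoft code. It assumes the
administrator has exported two Graph responses: the Microsoft Graph service
principal's ``appRoles`` and the collector app's ``appRoleAssignments``. All
GUIDs below are constructed placeholders, not the real Graph role ids.
"""
from __future__ import annotations

# Display names listed under Prerequisites, mapped to the Microsoft Graph
# application permission values that carry those display names in the
# Entra admin center. The mapping is this example's assumption; the page
# itself lists only the display names.
REQUIRED_PERMISSIONS = {
    "Read and write mail in all mailboxes": "Mail.ReadWrite",
    "Read contacts in all mailboxes": "Contacts.Read",
    "Read all user mailbox settings": "MailboxSettings.Read",
    "Read directory data": "Directory.Read.All",
    "Read all groups": "Group.Read.All",
    "Read all users' full profiles": "User.Read.All",
}

# Constructed sample shaped like the ``appRoles`` collection returned by
# GET /servicePrincipals/{graph-sp-id}?$select=appRoles  (placeholder GUIDs).
GRAPH_APP_ROLES = [
    {"id": "00000000-0000-0000-0000-000000000001", "value": "Mail.ReadWrite", "allowedMemberTypes": ["Application"]},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "Contacts.Read", "allowedMemberTypes": ["Application"]},
    {"id": "00000000-0000-0000-0000-000000000003", "value": "MailboxSettings.Read", "allowedMemberTypes": ["Application"]},
    {"id": "00000000-0000-0000-0000-000000000004", "value": "Directory.Read.All", "allowedMemberTypes": ["Application"]},
    {"id": "00000000-0000-0000-0000-000000000005", "value": "Group.Read.All", "allowedMemberTypes": ["Application"]},
    {"id": "00000000-0000-0000-0000-000000000006", "value": "User.Read.All", "allowedMemberTypes": ["Application"]},
    {"id": "00000000-0000-0000-0000-000000000007", "value": "Mail.Send", "allowedMemberTypes": ["Application"]},
]

# Constructed sample shaped like GET /servicePrincipals/{collector-sp-id}/appRoleAssignments.
# In this sample Contacts.Read was never consented, Mail.Send was granted although
# the collector does not need it, and one appRoleId matches no Graph role at all.
COLLECTOR_ASSIGNMENTS = {
    "value": [
        {"appRoleId": "00000000-0000-0000-0000-000000000001", "principalDisplayName": "Cortex Email Security"},
        {"appRoleId": "00000000-0000-0000-0000-000000000003", "principalDisplayName": "Cortex Email Security"},
        {"appRoleId": "00000000-0000-0000-0000-000000000004", "principalDisplayName": "Cortex Email Security"},
        {"appRoleId": "00000000-0000-0000-0000-000000000005", "principalDisplayName": "Cortex Email Security"},
        {"appRoleId": "00000000-0000-0000-0000-000000000006", "principalDisplayName": "Cortex Email Security"},
        {"appRoleId": "00000000-0000-0000-0000-000000000007", "principalDisplayName": "Cortex Email Security"},
        {"appRoleId": "ffffffff-ffff-ffff-ffff-ffffffffffff", "principalDisplayName": "Cortex Email Security"},
    ]
}


def resolve_granted(assignments: dict, app_roles: list[dict]) -> tuple[set[str], list[str]]:
    """Translate appRoleId GUIDs into permission values.

    Returns the set of resolved application permissions and the list of
    appRoleIds that match no Graph application role (worth a look: they may
    belong to a different resource API than Microsoft Graph).
    """
    by_id = {
        role["id"]: role["value"]
        for role in app_roles
        if "Application" in role.get("allowedMemberTypes", [])
    }
    granted: set[str] = set()
    unresolved: list[str] = []
    for assignment in assignments.get("value", []):
        role_id = assignment["appRoleId"]
        if role_id in by_id:
            granted.add(by_id[role_id])
        else:
            unresolved.append(role_id)
    return granted, unresolved


def audit(granted: set[str]) -> dict[str, list[str]]:
    """Compare granted permissions with the collector's documented requirements."""
    required = set(REQUIRED_PERMISSIONS.values())
    return {
        "missing": sorted(required - granted),  # collector will fail or ingest partially
        "excess": sorted(granted - required),   # broader than least privilege; review
    }


if __name__ == "__main__":
    granted, unresolved = resolve_granted(COLLECTOR_ASSIGNMENTS, GRAPH_APP_ROLES)
    result = audit(granted)
    print("granted   :", sorted(granted))
    print("missing   :", result["missing"])
    print("excess    :", result["excess"])
    print("unresolved:", unresolved)
```

On the constructed sample the script reports `Contacts.Read` as missing (contact ingestion into `msft_o365_contacts_raw` would be incomplete), `Mail.Send` as excess (the collector only needs to read, so a send permission widens the blast radius if the app's credentials are exposed), and one unresolved appRoleId to investigate. Run it against real exports by replacing the two constructed structures with the JSON Graph returns.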

You can narrow down the scope of ingested mailboxes by:

  • Microsoft 365 Group

  • Distribution List

  • Mail-enabled Security Group

  • Mail-enabled Users

Datasets

The Microsoft 365 collector ingests data into the following datasets:

  • msft_o365_emails_raw

  • msft_o365_users_raw

  • msft_o365_groups_raw

  • msft_o365_devices_raw

  • msft_o365_mailboxes_raw

  • msft_o365_rules_raw

  • msft_o365_contacts_raw

Configure ingestion into Cortex XDR

  1. On the Collection Integrations page, locate Microsoft 365, and select Add Instance to begin a new connection.

  2. In the wizard that opens, ensure that you have configured the items listed on the Permissions page, and then click Next.

  3. To acknowledge that API authorization consent is required, click OK.

  4. Select the Microsoft account from which you want to collect email data.

  5. Click Next.

  6. Enter your password for the Microsoft account, and click Sign in.

  7. If you are asked to perform authentication using your organization's authentication tools, do so.

  8. For the list of permissions that Cortex Email Security requires, click Accept.

  9. On the Scope page, select one of the following:

    • Entire organization: Emails will be collected from all mailboxes in your organization.

    • Specific groups: Enter the email addresses of the groups or users whose mailboxes to collect from, such as Microsoft 365 Groups, Mail-enabled Security Groups, Distribution Lists, or Mail-enabled Users.

  10. Click Next.

  11. On the Details page, enter a meaningful instance name, and click Next.

  12. On the Summary page, check your configurations, and then click Create.

After data starts to come in, a green check mark appears below the Microsoft 365 configuration, along with the amount of data received.