Ingest logs and data from Microsoft 365 - Learn more about collecting logs and data from Microsoft 365. - Administrator Guide - Cortex XSIAM - Cortex

Ingest logs and data from Microsoft 365 - Learn more about collecting logs and data from Microsoft 365. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM 3.x Documentation

Product

Cortex XSIAM

Creation date

2025-07-15

Last date published

2026-06-11

Notice

Email content visibility and licensing: Email subjects and bodies are stored in an encrypted format to ensure data privacy. To view this content or generate alerts for it, an Email Security module license is required.

Without the license: Sensitive email content (subject, body, and attachments) remains encrypted and is not accessible for viewing or threat hunting.
With the license: When the module detects a suspicious or malicious email, it automatically creates an issue and decrypts the subject, body, and attachments. This decrypted content is then made available as an artifact within the issue for investigation.

Note

For other logs from Microsoft Office 365, use the Office 365 data collector. For more information, see Ingest logs from Microsoft Office 365.

Prerequisite

A user account with the Microsoft Azure Account Administrator role is required to set up a new Microsoft 365 email collector.
The following Microsoft Graph API permissions are required:
- Mailbox access (read-write)
  - Read and write mail in all mailboxes
  - Read contacts in all mailboxes
  - Read all user mailbox settings
- User information, groups, and directory data (read-only)
  - Read directory data
  - Read all groups
  - Read all users' full profiles

The Microsoft 365 collector provides a comprehensive data stream by ingesting information into the following nine datasets. These are categorized by their default availability and licensing requirements:

These datasets are collected as part of the standard Microsoft 365 connector configuration:

msft_o365_emails_raw: Metadata and logs for email traffic.
msft_o365_users_raw: Information regarding user accounts and identities.
msft_o365_groups_raw: Data related to Office 365 groups and distribution lists.
msft_o365_devices_raw: Details on devices registered within the M365 environment.
msft_o365_mailboxes_raw: Configuration and status logs for individual mailboxes.
msft_o365_rules_raw: Logs for mail flow, transport, and inbox rules.
msft_o365_contacts_raw: Organizational and user-defined contact information.

Cortex XSIAM prioritizes data privacy while maintaining security visibility. The following rules apply to ingested email data:

Storage and encryption: Cortex XSIAM stores email metadata as plain text, but the email subject and body are always encrypted.
Retention policy: The email body is temporarily saved for 48 hours and is then automatically deleted.
Automated analysis: Analytical detectors automatically scan both raw metadata and encrypted content to identify threats.
Decryption for investigation: When an issue is created for a malicious email, the raw email (including decrypted subject and body) is attached to the issue as an artifact for review.
Threat hunting constraints: You cannot perform threat hunting based on the email subject or body content. Only metadata, such as Date, From, or To, is available for Cortex Query Language(XQL) threat hunting queries.

Navigate to the data source.
Select Settings → Data Sources & Integrations, click + Add New, search for Microsoft 365, then hover over it and click Add.
Perform permissions verification.
In the wizard, review the required items on the Permissions page, and then click Next.
Authorize.
Click OK to confirm you understand that API authorization consent is required.
Perform Microsoft sign-in.
1. Select the Microsoft account for collection.
2. Click Next.
3. Enter your credentials for the Microsoft account and click Sign in.
4. If you are asked to perform authentication using your organization's authentication tools, do so.
Accept permissions.
Review the list of of permissions requested by the collector and click Accept.
Define the scope.
1. On the Scope page, select one of the following:
  - Entire organization: Emails will be collected from all mailboxes in your organization.
  - Specific groups: Enter the email addresses of group names, such as Microsoft 365 Groups, Mail-enabled Security Groups, Distribution Lists, or Mail-enabled Users.
2. Click Next.
Finalize the details and create the integration instance.
1. On the Details page, enter a meaningful instance name, and click Next.
2. On the Summary page, check your configurations, and then click Create.