The Microsoft 365 email collector fetches emails through Microsoft Graph API, using an authorized app. A compliance mailbox is not required.
The Microsoft 365 email collector fetches emails through Microsoft Graph API, using an authorized app. A compliance mailbox is not required.
Danger
A user account with the Microsoft Azure Account Administrator role is required to set up a new Microsoft 365 email collector.
The following Microsoft Graph API permissions are required:
Mailbox access (read-write)
Read and write mail in all mailboxes
Read contacts in all mailboxes
Read all user mailbox settings
User information, groups, and directory data (read-only)
Read directory data
Read all groups
Read all users' full profiles
The Microsoft 365 collector ingests emails and attachment metadata, including email subject and body. Attachment metadata includes data such as name, type, size, and hash. The actual attached files are not saved.
You can narrow down the scope of ingested mailboxes by:
Microsoft 365 Group
Distribution List
Mail-enabled Security Group
Mail-enabled Users
The Microsoft 365 collector ingests data into the following datasets:
msft_o365_emails_raw
msft_o365_directory_raw
msft_o365_org_raw
msft_o365_apps_raw
msft_o365_users_raw
msft_o365_groups_raw
msft_o365_roles_raw
msft_o365_devices_raw
msft_o365_mailboxes_raw
msft_o365_rules_raw
Cortex XSIAM stores email metadata as plain text, and encrypts emails' subject and body. The email body is saved for 48 hours, and then deleted. Analytical detectors analyze raw and encrypted email data, and when necessary, create alerts. When an alert is created for a malicious email, the raw email, include its subject and body (decrypted), is attached to the alert as an artifact. Therefore, you will not be able to perform threat hunting based on email subject and body. Only email metadata such as date, From, or To, are available for threat hunting purposes.
Configure ingestion into Cortex XSIAM
On the Data Sources page, click Add Data Source, search for and select Microsoft 365, and click Connect.
In the wizard that opens, ensure that you have configured the items listed on the Permissions page, and then click Next.
To confirm that you know that API authorization consent is required, click OK.
Select the Microsoft account from which you want to collect email data.
Click Next.
Enter your password for the Microsoft account, and click Sign in.
If you are asked to perform authentication using your organization's authentication tools, do so.
For the list of of permissions that Cortex Email Security requires, click Accept.
On the Scope page, select one of the following:
Entire organization: Emails will be collected from all mailboxes in your organization.
Specific groups: Enter the email addresses of group names, such as Microsoft 365 Groups, Mail-enabled Security Groups, Distribution Lists, or Mail-enabled Users.
Click Next.
On the Details page, enter a meaningful instance name, and click Next.
On the Summary page, check your configurations, and then click Create.
After data starts to come in, a green check mark appears below the Microsoft 365 configuration, along with the amount of data received.