Ingest logs and data from Microsoft 365 - Learn more about collecting logs and data from Microsoft 365. - Administrator Guide - Cortex XSIAM - Cortex

Ingest logs and data from Microsoft 365 - Learn more about collecting logs and data from Microsoft 365. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product

Cortex XSIAM

Creation date

2024-03-06

Last date published

2026-02-10

Danger

A user account with the Microsoft Azure Account Administrator role is required to set up a new Microsoft 365 email collector.
The following Microsoft Graph API permissions are required:
- Mailbox access (read-write)
  - Read and write mail in all mailboxes
  - Read contacts in all mailboxes
  - Read all user mailbox settings
- User information, groups, and directory data (read-only)
  - Read directory data
  - Read all groups
  - Read all users' full profiles

The Microsoft 365 collector provides a comprehensive data stream by ingesting information into the following datasets.

msft_o365_emails_raw: Metadata and logs for email traffic.
msft_o365_users_raw: Information regarding user accounts and identities.
msft_o365_groups_raw: Data related to Office 365 groups and distribution lists.
msft_o365_devices_raw: Details on devices registered within the M365 environment.
msft_o365_mailboxes_raw: Configuration and status logs for individual mailboxes.
msft_o365_rules_raw: Logs for mail flow, transport, and inbox rules.
msft_o365_contacts_raw: Organizational and user-defined contact information.

Navigate to data source.
On the Data Sources page, click Add Data Source, search for and select Microsoft 365, and click Connect.
Permissions verification
In the wizard, review the required items on the Permissions page, and then click Next.
Authorization
Click OK to confirm you understand that API authorization consent is required.
Microsoft Sign-in
1. Select the Microsoft account for collection.
2. Click Next.
3. Enter your credentials for the Microsoft account and click Sign in.
4. If you are asked to perform authentication using your organization's authentication tools, do so.
Accept permissions
Review the list of of permissions requested by the collector and click Accept.
Define scope
1. On the Scope page, select one of the following:
  - Entire organization: Emails will be collected from all mailboxes in your organization.
  - Specific groups: Enter the email addresses of group names, such as Microsoft 365 Groups, Mail-enabled Security Groups, Distribution Lists, or Mail-enabled Users.
2. Click Next.
Finalize
1. On the Details page, enter a meaningful instance name, and click Next.
2. On the Summary page, check your configurations, and then click Create.