(LRCloud Only) Configure Office 365 Message Tracking Using Cloud to Cloud
Office 365 Message Tracking is a collection of metadata about email messages sent and received within an organization, containing information such as:
- Sender and Recipient
- Subject
- Size
- Status (for example, pending or delivered)
In addition to auditing, these logs can help identify messages with delayed or failed delivery.
The System Monitor Agent can import Office 365 Message Tracking logs into LogRhythm for analysis. This document explains how to configure the collection of Office 365 Message Tracking logs using the web console's cloud to cloud functionality. This is available to LRCloud customers only.
Prerequisites
Before you start to configure collection from O365, you must ensure the following:
- Customer is an LRCloud customer that has their environment hosted.
- You have a valid username and password for connecting to the Office 365 reports API.
- Correct permissions or role in O365 to use message trace search.
Initialize the Logs Source
- Log into the web console as an Restricted Administrator User.
- On the top navigation bar, click the Administration icon, and select Cloud Log Collection.
- At the top of the page, click New Log Source.
- Select the tile for Office 365 Message Tracking Sysmon Agent.
The Add Office 365 Message Tracking Log Source screen appears.
Enter the following details:
Setting Description Name Enter the name for this log source. Description (Optional) Enter a description for this log source. Username Enter the username of the Office 365 Admin account. If the username is an email account, be sure to include the full address.
Password Enter the password to the above Office 365 Admin account. - Click Save.
Using the information provided, a new active log source is created and accepted in the client console. Collection should start automatically within a couple of minutes.
The log source's host is the Platform Manager. However, it is recommended that a new host entity is created and the log source is moved to the new host. This is done in the log source properties screen, not from the log source grid.
For security purposes, the values entered are encrypted using LRCrypt.
Default Config Values for Office 365 Message Tracking Log Source
| Setting | Default Value |
|---|---|
| Endpoint | reports.office365.com |
| Delay | 60 minutes |
| Window | 60 minutes |
| Frequency | 300 seconds |
| GroupByMessageId | false |
| Timeout | 300 seconds |
| ErrorRetryTimeSpan | 60 minutes |
| ErrorRetryCount | 3 |
| LogApiRequests | false |