Microsoft Exchange Online Message Trace

<div class="condensed-table">
| | |
| --- | --- |
| Version | 1.25.3 (View all) |
| Compatible Kibana version(s) | 8.13.0 or higher |
| Supported Serverless project types
What’s this? | Security
Observability |
| Subscription level
What’s this? | Basic |
| Level of support
What’s this? | Elastic |

</div>
This integration is for Microsoft Exchange Online Message Trace logs. It includes the following datasets for receiving logs over the Microsoft Exchange Online Message Trace API or read from a file:

• log dataset: supports Microsoft Exchange Online Message Trace logs.

The basic authentication configuration fields have been removed from this integration as Microsoft has deprecated and disabled basic authentication for Exchange Online. See the deprecation notification for details.

At a minimum, your Office 365 service account should include a role with Message Tracking and View‑Only Recipients permissions, assigned to the Office 365 user account that will be used for the integration. Assign these permissions using the Exchange admin center.

Logs are either gathered via the rest API or via a logfile. Log Documentation

The log dataset collects the Microsoft Exchange Online Message Trace logs. To search for ingested logs in Elasticsearch you need to query using datastream.dataset: microsoft_exchange_online_message_trace.log. This integration will poll the Microsoft Exchange Online Message Trace legacy API (https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace) to pull Message Trace logs and ingest them via the ingest pipelines.

In order to continue using the Microsoft Exchange Online Message Trace you will need to enable and configure OAuth2 authentication via your service app.

• [discrete] === Service App Configuration

  1. In the Azure portal, create a Microsoft Entra App (service app) Registration. For details please refer to the official Microsoft Documentation.

  2. In most cases under the Redirect URI section, you would want to configure the value Web for the app type and http://localhost for the Redirect URI, unless there are some specific requirements on your end.

  3. Assign the application at least one Microsoft Entra (Azure AD) role that will enable it to access the Reporting Web Service:

     • Security Reader
     • Global Reader

  4. The App Registration should contain the following API permissions: Office 365 Exchange Online > ReportingWebService.Read.All (application). See Specify the permissions your app requires to access the Reporting Web Service.

• [discrete] === Configuring OAuth2 Credentials

  Once you have your service app registered and configured, you can now configure your OAuth2 credentials as follows:-

  1. Generate a client secret for your registered service app. Copy and store the client secret value with you as this will be required for your OAuth2 credentials.

  2. Fill in the following fields with the appropriate values from your configured service app:-

     • Client ID: The client_id of your service app to pass in the OAuth request parameter.

     • Client secret: The client_secret of your service app that you generated earlier, to pass in the OAuth request parameter.

     • Tenant ID: The Directory ID (tenant identifier) of your service app in your Microsoft Entra ID(Azure Active Directory).

       With these values now configured, the OAuth2 configuration for the integration should be ideally complete. For more details, please check the official doc for Getting Started with Reporting Web Service.

• For configuring Local Domains you can check your Microsoft Admin Exchange Center for the domains available in your organization. They are usually under the sections Accepted Domains and Remote Domains.

• The default Interval is configured to 1h and Initial Interval to 48h, you can however change these to your required values. The look-back value of Initial Interval should not exceed 200 hours as this might cause unexpected errors with the API.

• The default Minimum Age is configured to 1h, you can however change these to your required values. The Minimum Age was introduced to allow a sliding window to exist in combination with the Initial Interval. If you do not require a sliding window you can set this to 0s which will cause the Minimum Age to always default to the current time (now).

• The default Additional Look-back Time value is configured for 1h. This is intended to capture events that may not have been initially present due to eventual consistency. This value does not need to exceed 24h.

  • NOTE: The larger this value is, the less likely events will be missed, however, this will cause the integration to take longer to pull all events, making newer events take longer to become present.

• The default value of Batch Size is set to 1000. This means for every request Httpjson will paginate with a value of 1000 results per page. The maximum page size supported by the Message Trace API is 2000. The API will return an empty value array when there are no more logs to pull and the pagination will terminate with an error that can be ignored.

Disclaimer: With basic authentication support now disabled, the PowerShell script provided below will not work as is. However, you can see the guides here on how to connect to PowerShell using different authentication techniques using the EXO V2 and V3 modules. With a combination of the script below and the alternate authentication methods mentioned in the guide, you can possibly perform the logfile collection as usual.

The following sample Powershell script may be used to get the logs and put them into a JSON file that can then be consumed by the logfile input:

Prerequisites:

Install the Exchange Online Management module by running the following command:

Install-Module -Name ExchangeOnlineManagement

Import the Exchange Online Management module by running the following command:

Import-Module -Name ExchangeOnlineManagement

This script would have to be triggered at a certain interval, in accordance with the look-back interval specified. In this example script, the look back would be 24 hours, so the interval would need to be daily. According to the Documentation, it is only possible to get up to 1k pages. If this should be an issue, try reducing the $looback or increasing $pageSize.

# Username and Password
$username = "USERNAME@DOMAIN.TLD"
$password = "PASSWORD"
# Lookback in Hours
$lookback = "-24"
# Page Size, should be no problem with 1k
$pageSize = "1000"
# Output of the json file
# This would then be ingested via the integration
$output_location = "C:\temp\messageTrace.json"

$password = ConvertTo-SecureString $password -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential ($username, $password)
$startDate = (Get-Date).AddHours($lookback)
$endDate = Get-Date

Connect-ExchangeOnline -Credential $Credential
$paginate = 1
$page = 1
$output = @()
while ($paginate -eq 1)
{
    $messageTrace = Get-MessageTrace -PageSize $pageSize -StartDate $startDate -EndDate $endDate -Page $page
    $page
    if (!$messageTrace)
    {
        $paginate = 0
    }
    else
    {
        $page++
        $output = $output + $messageTrace
    }
}
if (Test-Path $output_location)
{
    Remove-Item $output_location
}
foreach ($event in $output)
{
    $event.StartDate = [Xml.XmlConvert]::ToString(($event.StartDate), [Xml.XmlDateTimeSerializationMode]::Utc)
    $event.EndDate = [Xml.XmlConvert]::ToString(($event.EndDate), [Xml.XmlDateTimeSerializationMode]::Utc)
    $event.Received = [Xml.XmlConvert]::ToString(($event.Received), [Xml.XmlDateTimeSerializationMode]::Utc)
    $event = $event | ConvertTo-Json -Compress
    Add-Content $output_location $event -Encoding UTF8
}

{
    "@timestamp": "2022-10-21T17:25:30.600Z",
    "agent": {
        "ephemeral_id": "1928ec83-7c3a-4ad0-9066-63dae084a2e1",
        "id": "bd32c689-9c8b-44ea-ae34-b04c1bf3fd7d",
        "name": "elastic-agent-75168",
        "type": "filebeat",
        "version": "8.15.3"
    },
    "data_stream": {
        "dataset": "microsoft_exchange_online_message_trace.log",
        "namespace": "89156",
        "type": "logs"
    },
    "destination": {
        "domain": "contoso.com",
        "registered_domain": "contoso.com",
        "top_level_domain": "com",
        "user": {
            "domain": "contoso.com",
            "email": "linus@contoso.com",
            "id": "linus@contoso.com",
            "name": "linus"
        }
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "bd32c689-9c8b-44ea-ae34-b04c1bf3fd7d",
        "snapshot": false,
        "version": "8.15.3"
    },
    "email": {
        "attachments": {
            "file": {
                "size": 22704
            }
        },
        "delivery_timestamp": "2022-10-21T17:25:30.6006882Z",
        "from": {
            "address": [
                "noreply@azure.microsoft.com"
            ]
        },
        "local_id": "a6f62809-5cda-4454-0962-08dab38940d6",
        "message_id": "<GVAP278MB037518E76F4082DFE9B607B3DA2D9@GVAP278MB0375.CHEP278.PROD.OUTLOOK.COM>",
        "subject": "testmail 1",
        "to": {
            "address": [
                "linus@contoso.com"
            ]
        }
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "email"
        ],
        "created": "2024-11-04T20:39:54.654Z",
        "dataset": "microsoft_exchange_online_message_trace.log",
        "ingested": "2024-11-04T20:39:57Z",
        "original": "{\"EndDate\":\"2022-10-22T09:40:10Z\",\"FromIP\":\"40.107.23.81\",\"Index\":1,\"MessageId\":\"\\u003cGVAP278MB037518E76F4082DFE9B607B3DA2D9@GVAP278MB0375.CHEP278.PROD.OUTLOOK.COM\\u003e\",\"MessageTraceId\":\"a6f62809-5cda-4454-0962-08dab38940d6\",\"Organization\":\"contoso.com\",\"Received\":\"2022-10-21T17:25:30.6006882Z\",\"RecipientAddress\":\"linus@contoso.com\",\"SenderAddress\":\"noreply@azure.microsoft.com\",\"Size\":22704,\"StartDate\":\"2022-10-21T09:40:10Z\",\"Status\":\"Delivered\",\"Subject\":\"testmail 1\",\"ToIP\":null}",
        "outcome": "success",
        "type": [
            "info"
        ]
    },
    "input": {
        "type": "httpjson"
    },
    "microsoft": {
        "online_message_trace": {
            "EndDate": "2022-10-22T09:40:10Z",
            "FromIP": "40.107.23.81",
            "Index": 1,
            "MessageId": "<GVAP278MB037518E76F4082DFE9B607B3DA2D9@GVAP278MB0375.CHEP278.PROD.OUTLOOK.COM>",
            "MessageTraceId": "a6f62809-5cda-4454-0962-08dab38940d6",
            "Organization": "contoso.com",
            "Received": "2022-10-21T17:25:30.6006882Z",
            "RecipientAddress": "linus@contoso.com",
            "SenderAddress": "noreply@azure.microsoft.com",
            "Size": 22704,
            "StartDate": "2022-10-21T09:40:10Z",
            "Status": "Delivered",
            "Subject": "testmail 1"
        }
    },
    "related": {
        "user": [
            "linus@contoso.com",
            "noreply@azure.microsoft.com",
            "linus",
            "noreply"
        ]
    },
    "source": {
        "domain": "azure.microsoft.com",
        "ip": "40.107.23.81",
        "registered_domain": "microsoft.com",
        "subdomain": "azure",
        "top_level_domain": "com",
        "user": {
            "domain": "azure.microsoft.com",
            "email": "noreply@azure.microsoft.com",
            "id": "noreply@azure.microsoft.com",
            "name": "noreply"
        }
    },
    "tags": [
        "preserve_original_event",
        "forwarded"
    ]
}