Skip to content

Office 365 Message Trace

About

Message trace follows email messages as they travel through your Exchange Online organization. You can determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status

Product Details

Vendor URL: Office 365 Message Trace

Product Type: Email Monitoring Tools

Product Tier: Tier III

Integration Method: JSON

Integration URL: Office 365 Message Trace

Parser Details

Log Format: JSON

Expected Normalization Rate: near 100%

Data Label: OFFICE_365_MESSAGETRACE

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
Size additional.fields["Email_Size_Bytes"]
SenderAddress network.email.from
MessageID network.email.mail_id
Subject network.email.subject
RecipientAddress network.email.to
Organization principal.administrative_domain
FromIP principal.ip
Status security_result.action_details

Product Event Types

Event UDM Event Classification
all events EMAIL_TRANSACTION

Log Sample

{"EndDate":"2023-06-27T11:56:12Z","FromIP":"10.1.1.1","Index":0,"MessageId":"\AAAAcDM5PR1301MB19642247413ED7EB2E93C3F3F727A@AAAAR1301MB1964.0000099.prod.outlook.com\u003e","MessageTraceId":"aaaaaa4b-6d76-44b1-e83a-08db7705806a","Organization":"company.domain.com","Received":"2023-06-27T11:56:11.608889","RecipientAddress":"jane.doe@domain.com","SenderAddress":"john.doe@domain.com","Size":9121990,"StartDate":"2023-06-27T11:55:02Z","Status":"Delivered","Subject":"Test Request","ToIP":"10.1.1.2"}

Sample Parsing

additional.fields["Email_Size_Bytes"] = "9121990"
metadata.event_type = "EMAIL_TRANSACTION"
network.email.from = "john.doe@domain.com"
network.email.mail_id = "\AAAAcDM5PR1301MB19642247413ED7EB2E93C3F3F727A@AAAAR1301MB1964.0000099.prod.outlook.com\u003e"
network.email.subject = "Test Request"
network.email.to = "jane.doe@domain.com"
principal.administrative_domain = "company.domain.com"
principal.ip = "10.1.1.1"
security_result.action_details = "Delivered"
security_result.action = "ALLOW"
target.ip = "10.1.1.2

Parser Alerting

This product currently does not have any Parser-based Alerting