Office 365 Message Trace¶
About¶
Message trace follows email messages as they travel through your Exchange Online organization. You can determine whether a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status.
Product Details¶
Vendor URL: Office 365 Message Trace
Product Type: Email Monitoring Tools
Product Tier: Tier III
Integration Method: JSON
Integration URL: Office 365 Message Trace
Parser Details¶
Log Format: JSON
Expected Normalization Rate: near 100%
Data Label: OFFICE_365_MESSAGETRACE
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
Size | additional.fields["Email_Size_Bytes"] |
SenderAddress | network.email.from |
MessageId | network.email.mail_id |
Subject | network.email.subject |
RecipientAddress | network.email.to |
Organization | principal.administrative_domain |
FromIP | principal.ip |
ToIP | target.ip |
Status | security_result.action_details |
Status | security_result.action |
Product Event Types¶
Event | UDM Event Classification |
---|---|
all events | EMAIL_TRANSACTION |
Log Sample¶
{"EndDate":"2023-06-27T11:56:12Z","FromIP":"10.1.1.1","Index":0,"MessageId":"\u003cAAAAcDM5PR1301MB19642247413ED7EB2E93C3F3F727A@AAAAR1301MB1964.0000099.prod.outlook.com\u003e","MessageTraceId":"aaaaaa4b-6d76-44b1-e83a-08db7705806a","Organization":"company.domain.com","Received":"2023-06-27T11:56:11.608889","RecipientAddress":"jane.doe@domain.com","SenderAddress":"john.doe@domain.com","Size":9121990,"StartDate":"2023-06-27T11:55:02Z","Status":"Delivered","Subject":"Test Request","ToIP":"10.1.1.2"}
Sample Parsing¶
additional.fields["Email_Size_Bytes"] = "9121990"
metadata.event_type = "EMAIL_TRANSACTION"
network.email.from = "john.doe@domain.com"
network.email.mail_id = "\u003cAAAAcDM5PR1301MB19642247413ED7EB2E93C3F3F727A@AAAAR1301MB1964.0000099.prod.outlook.com\u003e"
network.email.subject = "Test Request"
network.email.to = "jane.doe@domain.com"
principal.administrative_domain = "company.domain.com"
principal.ip = "10.1.1.1"
security_result.action_details = "Delivered"
security_result.action = "ALLOW"
target.ip = "10.1.1.2"
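The mapping table and the sample parsing above can be reproduced with a small normalizer. The following is an added example written for this page, not the vendor's parser: it flattens one message-trace JSON record into the UDM keys listed above, treats absent fields as absent rather than emitting empty values, and derives security_result.action from Status. Only Delivered -> ALLOW is shown on the page; the Failed -> BLOCK entry and the UNKNOWN_ACTION fallback are assumptions for this example, and the sample records are constructed (synthetic addresses, IDs and sizes modelled on the log sample). Note that json.loads decodes the \u003c and \u003e escapes, so mail_id comes out as a normal angle-bracketed Message-ID.

```python
"""Added example (not the vendor parser): normalize Office 365 Message Trace
JSON records into the UDM fields from the mapping table on this page."""
import json
from typing import Dict, Iterable, List

# Raw log field -> UDM field, as listed in the mapping table (plus the ToIP and
# security_result.action mappings visible in the Sample Parsing section).
FIELD_MAP: Dict[str, str] = {
    "Size": 'additional.fields["Email_Size_Bytes"]',
    "SenderAddress": "network.email.from",
    "MessageId": "network.email.mail_id",
    "Subject": "network.email.subject",
    "RecipientAddress": "network.email.to",
    "Organization": "principal.administrative_domain",
    "FromIP": "principal.ip",
    "ToIP": "target.ip",
    "Status": "security_result.action_details",
}

# Status -> security_result.action. Delivered -> ALLOW is what the page shows;
# Failed -> BLOCK and the UNKNOWN_ACTION fallback are assumptions for this example.
STATUS_TO_ACTION: Dict[str, str] = {
    "Delivered": "ALLOW",
    "Failed": "BLOCK",
}


def normalize(record: str) -> Dict[str, str]:
    """Parse one JSON message-trace record and return flattened UDM key/values."""
    raw = json.loads(record)  # raises ValueError on malformed input; caller decides
    udm: Dict[str, str] = {"metadata.event_type": "EMAIL_TRANSACTION"}
    for log_field, udm_field in FIELD_MAP.items():
        value = raw.get(log_field)
        if value is None or value == "":
            continue  # sparse records (e.g. no FromIP) must not emit empty UDM fields
        # Size arrives as an integer; UDM label values are strings, so stringify.
        udm[udm_field] = str(value)
    status = raw.get("Status")
    if status is not None:
        udm["security_result.action"] = STATUS_TO_ACTION.get(status, "UNKNOWN_ACTION")
    return udm


def normalize_many(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Normalize newline-delimited records, skipping blank lines."""
    return [normalize(line) for line in lines if line.strip()]


# Constructed sample, modelled on the log sample above (synthetic data).
SAMPLE_RECORD = (
    '{"EndDate":"2023-06-27T11:56:12Z","FromIP":"10.1.1.1","Index":0,'
    '"MessageId":"\\u003cAAAAcDM5PR1301MB19642247413ED7EB2E93C3F3F727A'
    '@AAAAR1301MB1964.0000099.prod.outlook.com\\u003e",'
    '"MessageTraceId":"aaaaaa4b-6d76-44b1-e83a-08db7705806a",'
    '"Organization":"company.domain.com","Received":"2023-06-27T11:56:11.608889",'
    '"RecipientAddress":"jane.doe@domain.com","SenderAddress":"john.doe@domain.com",'
    '"Size":9121990,"StartDate":"2023-06-27T11:55:02Z","Status":"Delivered",'
    '"Subject":"Test Request","ToIP":"10.1.1.2"}'
)

# Constructed second record: a failed delivery with no FromIP/ToIP, to exercise
# the sparse-field path and the non-Delivered status mapping.
SAMPLE_FAILED = (
    '{"EndDate":"2023-06-27T12:01:00Z","Index":1,'
    '"MessageId":"\\u003cabc@example.test\\u003e",'
    '"Organization":"company.domain.com","RecipientAddress":"nobody@domain.com",'
    '"SenderAddress":"john.doe@domain.com","Size":2048,"Status":"Failed",'
    '"Subject":"Bounce test"}'
)

if __name__ == "__main__":
    for event in normalize_many([SAMPLE_RECORD, "", SAMPLE_FAILED]):
        for key in sorted(event):
            print(f'{key} = "{event[key]}"')
        print()
```

Running the block prints each normalized event in the same `field = "value"` form used in the Sample Parsing section; the second record shows that a missing FromIP produces no principal.ip line and that a non-Delivered status still populates security_result.action_details verbatim.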
Parser Alerting¶
This product currently does not have any Parser-based Alerting.