<span class="pill kill-chain">FromIP</span>
<span class="pill kill-chain">Index</span>
<span class="pill kill-chain">MessageId</span>
<span class="pill kill-chain">MessageTraceId</span>
<span class="pill kill-chain">Organization</span>
<span class="pill kill-chain">Received</span>
<span class="pill kill-chain">RecipientAddress</span>
<span class="pill kill-chain">SenderAddress</span>
<span class="pill kill-chain">Size</span>
<span class="pill kill-chain">Status</span>
<span class="pill kill-chain">Subject</span>
<span class="pill kill-chain">ToIP</span>
<span class="pill kill-chain">_bkt</span>
<span class="pill kill-chain">_cd</span>
<span class="pill kill-chain">_eventtype_color</span>
<span class="pill kill-chain">_indextime</span>
<span class="pill kill-chain">_raw</span>
<span class="pill kill-chain">_serial</span>
<span class="pill kill-chain">_si</span>
<span class="pill kill-chain">_sourcetype</span>
<span class="pill kill-chain">_subsecond</span>
<span class="pill kill-chain">_time</span>
<span class="pill kill-chain">action</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">dest</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">internal_message_id</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">message_id</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">recipient</span>
<span class="pill kill-chain">recipient_count</span>
<span class="pill kill-chain">recipient_domain</span>
<span class="pill kill-chain">size</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">splunk_server_group</span>
<span class="pill kill-chain">src</span>
<span class="pill kill-chain">src_user</span>
<span class="pill kill-chain">src_user_domain</span>
<span class="pill kill-chain">status_code</span>
<span class="pill kill-chain">subject</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::action</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestartpos</span>
<span class="pill kill-chain">vendor_product</span>
</div>
Data Source: Office 365 Reporting Message Trace
Description
Data source object for Office 365 Reporting Message Trace
Details
| Property | Value |
|---|---|
| Source | o365 |
| Sourcetype | o365:reporting:messagetrace |
| Separator | Organization |
Related Detections
Supported Apps
- Splunk Microsoft Office 365 Add-on (version 5.1.0)
Event Fields
Fields
Example Log
1{"Organization": "attackrange.onmicrosoft.com", "MessageId": "<BY5PR08MB62304A5BB7F9EE555B4CEA26DC1C2@BY5PR08MB6230.namprd08.prod.outlook.com>", "Received": "2025-01-16T21:06:46.832439", "SenderAddress": "victim_2@attack_range.lan", "RecipientAddress": "attacker_outside@gmail.com", "Subject": "Accounts and Passwords", "Status": "Delivered", "ToIP": "2607:f8b0:400e:c0d::1a", "FromIP": "189.135.168.197", "Size": 33584, "MessageTraceId": "3567c8ef-cc17-4a3f-d166-08dd3161e4fc", "Index": 3035}
Source: GitHub | Version: 1