Page Comparison

Table of Contents

minLevel	2
maxLevel	2
type	flat

Overview

The Microsoft 365 Reporting web service enables developers to integrate information on email and spam, antivirus activity, compliance status, and Lync Online activities into their custom service reporting applications and web portals.

This topic provides an overview of the REST web service, the functional architecture, the reports available, and other ways you can access the reports.

Devo collector features

Feature	Details
Allow parallel downloading (`multipod`)	`not allowed`
Running environments	`collector server` `on-premise`

Data sources

Data source	Table	Collector service	Remote endpoint	Description
`MailTrafficReport`	`cloud.office365.reporting.mailtraffic`	`office365_reporting_MailTraffic_service`	`https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailTraffic`	Summary information about mail traffic to and from the organization MailTraffic report
`DlpDetailReport`	`cloud.office365.reporting.dlpdetail`	`office365_reporting_DlpDetail_service`	`https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/DlpDetailReport`	List details about Data Loss Prevention (DLP) rule matches for Exchange Online, SharePoint Online, and OneDrive for Business in your cloud-based organization Get-DlpDetailReport (ExchangePowerShell)
`SpoofMailReport`	`cloud.office365.reporting.spoofmail`	`office365_reporting_SpoofMail_service`	`https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/SpoofMailReport`	Summary information about mail traffic from spoofed (forged) senders (phishing, spam) View email security reports - Microsoft Defender for Office 365
`AdvancedThreatProtectionTrafficReport`	`cloud.office365.reporting.atptraffic`	`office365_reporting_AdvancedThreatProtectionTraffic_service`	`https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailTrafficATP`	Results of Exchange Online Protection and Microsoft Defender for Office 365 detections in your cloud-based organization Get-MailTrafficATPReport (ExchangePowerShell)
`MessageTraceDetail`	`cloud.office365.reporting.messagetrace`	`office365_reporting_MessageTrace_service`	`https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace`	Summary information about the processing of email messages that have passed through the Office 365 system for the organization MessageTrace report
`DlpReport`	`cloud.office365.reporting.dlp`	`office365_reporting_Dlp_service`	`https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/DlpDetectionsReport`	List a summary of Data Loss Prevention (DLP) rule matches for Exchange Online, SharePoint Online and OneDrive for Business in your cloud-based organization Get-DlpDetectionsReport (ExchangePowerShell)
`MailDetailATP`	`cloud.office365.reporting.maildetailatp`	`office365_reporting_MailDetailATP_service`	`https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/MailDetailATP`	List details about Exchange Online Protection and Microsoft Defender for Office 365 detections in your cloud-based organization Get-MailDetailATPReport (ExchangePowerShell)
`SafelinksDetail`	`cloud.office365.reporting.safelinksdetail`	`office365_reporting_SafelinksDetail_service`	`https://reports.office365.com/ecp/ReportingWebService/Reporting.svc/SafelinksDetail`	Detailed information about Safe Links results Get-SafeLinksDetailReport (ExchangePowerShell)

...

For more information on how the events are parsed, visit our page.

Vendor setup

In order to configure the collector, you need to have valid Office365 credentials.

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Rw ui tabs macro

Rw tab

title	On-premise collector

This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.

Structure

The following directory structure should be created for being used when running the collector:

Code Block

<any_directory>
└── devo-collectors/
    └── <product_name>/
        ├── certs/
        │   ├── chain.crt
        │   ├── <your_domain>.key
        │   └── <your_domain>.crt
        ├── state/
        └── config/ 
            └── config.yaml

Note
Replace `<product_name>` with the proper value.

Devo credentials

In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.

Note
Replace `<product_name>` with the proper value.

Editing the config.yaml file

Code Block

globals:
  debug: true
  id: <collector_id>
  name: <collector_name>
  persistence:
    type: filesystem
    config:
      directory_name: state
  multiprocessing: <multiprocessing_mode>

outputs:
  devo_1:
    type: devo_platform
    config:
      address: <devo_address>
      port: 443
      type: SSL
      chain: <chain_filename>
      cert: <cert_filename>
      key: <key_filename>
inputs:
  office365_reporting_message:
    id: <input_id>
    enabled: <input_status>
    requests_per_second: <request_per_seconds>
    credentials:
      username: <creds_username>
      password: <creds_password>
  services:
    office365_reporting_MailTraffic_service:
      request_period_in_seconds: <period_in_seconds>
      reset_persistence_auth: <reset_persistence_auth>
      override_time_delay_in_seconds: <delay_in_seconds>
    office365_reporting_DlpDetail_service:
      request_period_in_seconds: <period_in_seconds>
      reset_persistence_auth: <reset_persistence_auth>
      override_time_delay_in_seconds: <delay_in_seconds>
    office365_reporting_SpoofMail_service:
      request_period_in_seconds: <period_in_seconds>
      reset_persistence_auth: <reset_persistence_auth>
      override_time_delay_in_seconds: <delay_in_seconds>
    office365_reporting_AdvancedThreatProtectionTraffic_service:
      request_period_in_seconds: <period_in_seconds>
      reset_persistence_auth: <reset_persistence_auth>
      override_time_delay_in_seconds: <delay_in_seconds>
    office365_reporting_MessageTrace_service:
      request_period_in_seconds: <period_in_seconds>
      reset_persistence_auth: <reset_persistence_auth>
      override_time_delay_in_seconds: <delay_in_seconds>
    office365_reporting_Dlp_service:
      request_period_in_seconds: <period_in_seconds>
      reset_persistence_auth: <reset_persistence_auth>
      override_time_delay_in_seconds: <delay_in_seconds>

Replace the placeholders with your required values following the description table below:

Parameter

Data type

Type

Value range

Details

collector_id

int

Mandatory

Minimum length: 1
Maximum length: 5

Use this param to give an unique id to this collector.

collector_name

str

Mandatory

Minimum length: 1
Maximum length: 10

Use this param to give a valid name to this collector.

devo_address

str

Mandatory

collector-us.devo.io
collector-eu.devo.io

Use this param to identify the Devo Cloud where the events will be sent.

chain_filename

str

Mandatory

Minimum length: 4
Maximum length: 20

Use this param to identify the chain.cert file downloaded from your Devo domain. Usually this file's name is: chain.crt

cert_filename

str

Mandatory

Minimum length: 4
Maximum length: 20

Use this param to identify the file.cert downloaded from your Devo domain.

key_filename

str

Mandatory

Minimum length: 4
Maximum length: 20

Use this param to identify the file.key downloaded from your Devo domain.

input_id

int

Mandatory

Minimum length: 1
Maximum length: 5

Use this param to give an unique id to this input service.

input_status

bool

Mandatory

false / true

If the value is true, the input definition will be executed. If the value is false, the service will be ignored.

requests_per_second

int

Optional

Minimum value: 1

Customize the maximum number of API requests per second. If not used, the default setting will be used: 100000 requests/sec

This parameter can be left blank, removed or commented.

creds_username

str

Mandatory

Email format: username@domain.com

Username to authenticate to the service.

creds_password

str

Mandatory

Any

Password to authenticate to the service.

period_in_seconds

int

Optional

Minimum length: 1

By default, this service will run every 60 seconds. This parameter allows you to customize this behavior.

This parameter can be left blank, removed or commented.

reset_persistence_auth

int

Optional

Date format: YYYY-MM-DD

This parameter allows you to clear the persistence of the collector and restart the download pipeline.

Note
Updating this value will produce the lost of all persisted data and current pipelines.

This parameter can be left blank, removed or commented.

delay_in_seconds

int

Optional

Minimum value: 1
Maximum value: 90000

Because it can take up to 24 hours for an event to be available through the API, this collector requests data with a 25 hours delay (25*60*60=90000). This parameter allows you to customize this delay.

Note
A value less than 25 hours could cause the loss of events in large infrastructures.

This parameter can be left blank, removed or commented.

start_time

str

Mandatory

Following RFC 3339:

%Y-%m-%dT%H:%M:%S.%f

Example: 2024-05-07T15:35:24.133642

Initial time period used when fetching data from the endpoint.

Note
You can't specify a date that's older than 11 days.

Download the Docker image

The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:

Collector Docker image	SHA-256 hash
collector-office365_exchange_reports_if-docker-image-0.4.1-beta.tgz	`dc1b97a8b6d3d70cb58e600f47f9a9ad6c51809326d8f7a1f1c2349ea396daf4`

Use the following command to add the Docker image to the system:

Code Block
gunzip -c <image_file>-<version>.tgz \| docker load

Note
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace `<image_file>` and `<version>` with a proper value.

The Docker image can be deployed on the following services:

Docker

Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/

Code Block

docker run 
--name collector-<product_name> 
--volume $PWD/certs:/devo-collector/certs 
--volume $PWD/config:/devo-collector/config 
--volume $PWD/state:/devo-collector/state 
--env CONFIG_FILE=config.yaml 
--rm 
--interactive 
--tty 
<image_name>:<version>

Note
Replace `<product_name>`, `<image_name>` and `<version>` with the proper values.

Docker Compose

The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.

Code Block

version: '3'
services:
  collector-<product_name>:
    image: <image_name>:${IMAGE_VERSION:-latest}
    container_name: collector-<product_name>
    volumes:
      - ./certs:/devo-collector/certs
      - ./config:/devo-collector/config
      - ./credentials:/devo-collector/credentials
      - ./state:/devo-collector/state
    environment:
      - CONFIG_FILE=${CONFIG_FILE:-config.yaml}

To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:

Code Block
IMAGE_VERSION=<version> docker-compose up -d

Note
Replace `<product_name>`, `<image_name>` and `<version>` with the proper values.

Rw tab

title	Cloud collector

The collector runs on the Devo Collector Server. To enable the collector for a customer:

In the Collector Server GUI, access to the domain in which you want this instance to be created in, click on Add Collector and search for “Office 365 Exchange Reports - Integrations Factory”, then click on the result.
In the Version field, select the latest value.
In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).
In the Parameters section, establish the Collector Parameters as follows below:Collector services detail

Code Block

{
  "office365_reporting_message": {
    "id": "<input_id>",
    "enabled": <input_status>,
    "requests_per_second": <requests_per_second>,
    "credentials": {
      "username": "<creds_username>",
      "password": "<creds_password>"
    },
    "services": {
      "office365_reporting_MailTraffic_service": {
        "request_period_in_seconds": <request_period_in_seconds>,
        "reset_persistence_auth": "<reset_persistence_auth>"
      },
      "office365_reporting_DlpDetail_service": {
        "request_period_in_seconds": <request_period_in_seconds>,
        "reset_persistence_auth": "<reset_persistence_auth>"
      },
      "office365_reporting_SpoofMail_service": {
        "request_period_in_seconds": <request_period_in_seconds>,
        "reset_persistence_auth": "<reset_persistence_auth>"
      },
      "office365_reporting_AdvancedThreatProtectionTraffic_service": {
        "request_period_in_seconds": <request_period_in_seconds>,
        "reset_persistence_auth": "<reset_persistence_auth>"
      },
      "office365_reporting_MessageTrace_service": {
        "request_period_in_seconds": <request_period_in_seconds>,
        "reset_persistence_auth": "<reset_persistence_auth>"
      },
      "office365_reporting_Dlp_service": {
        "request_period_in_seconds": <request_period_in_seconds>,
        "reset_persistence_auth": "<reset_persistence_auth>"
      },
      "office365_reporting_MailDetailATP_service": {
        "request_period_in_seconds": <request_period_in_seconds>,
        "reset_persistence_auth": "<reset_persistence_auth>"
      },
      "office365_reporting_SafelinksDetail_service": {
        "request_period_in_seconds": <request_period_in_seconds>,
        "reset_persistence_auth": "<reset_persistence_auth>"
      }
    }
  }
}

Replace the placeholders with the corresponding values:

Parameter

Data type

Type

Value range / Format

Details

input_id

int

Mandatory

Minimum length: 1
Maximum length: 5

Use this param to give an unique id to this input service.

input_status

bool

Mandatory

false / true

If the value is true, the input definition will be executed. If the value is false, the service will be ignored.

requests_per_second

int

Optional

Minimum value: 1

Customize the maximum number of API requests per second. If not used, the default setting will be used: 100000 requests/sec

This parameter can be left blank, removed or commented.

creds_username

str

Mandatory

Email format: username@domain.com

Username to authenticate to the service.

creds_password

str

Mandatory

Any

Password to authenticate to the service.

request_period_in_seconds

int

Optional

Minimum length: 1

By default, this service will run every 60 seconds. This parameter allows you to customize this behavior.

This parameter can be left blank, removed or commented.

reset_persistence_auth

str

Optional

Date format: YYYY-MM-DD

This parameter allows you to clear the persistence of the collector and restart the download pipeline.

Note
Updating this value will produce the lost of all persisted data and current pipelines.

This parameter can be left blank, removed or commented.

Change log

Release

Released on

Release type

Details

Recommendations

v0.4.1-beta

14 May 2024

Status

colour	Red
title	BUG FIXING

Status

colour	Green
title	IMPROVEMENT

Improvements:

Updated DCSDK from 1.7.2 to 1.11.1 and added auto update SDK feature.

Bug fixing:

Fixed a bug in office365_exchange_reports_if:0.4.1-beta causing 500 errors due to invalid start_time range requests.

Update

Versions Compared

Old Version 2

New Version Current

Key

Overview

Devo collector features

Data sources

Vendor setup

Run the collector

Structure

Devo credentials

Editing the config.yaml file

Download the Docker image

Docker

Docker Compose

Change log