| Table of Contents | ||||||
|---|---|---|---|---|---|---|
|
Overview
The Microsoft 365 Reporting web service enables developers to integrate information on email and spam, antivirus activity, compliance status, and Lync Online activities into their custom service reporting applications and web portals.
This topic provides an overview of the REST web service, the functional architecture, the reports available, and other ways you can access the reports.
Devo collector features
Feature | Details |
|---|---|
Allow parallel downloading ( |
|
Running environments |
|
Data sources
Data source | Table | Collector service | Remote endpoint | Description |
|---|---|---|---|---|
|
|
|
| Summary information about mail traffic to and from the organization |
|
|
|
| List details about Data Loss Prevention (DLP) rule matches for Exchange Online, SharePoint Online, and OneDrive for Business in your cloud-based organization |
|
|
|
| Summary information about mail traffic from spoofed (forged) senders (phishing, spam) View email security reports - Microsoft Defender for Office 365 |
|
|
|
| Results of Exchange Online Protection and Microsoft Defender for Office 365 detections in your cloud-based organization |
|
|
|
| Summary information about the processing of email messages that have passed through the Office 365 system for the organization |
|
|
|
| List a summary of Data Loss Prevention (DLP) rule matches for Exchange Online, SharePoint Online and OneDrive for Business in your cloud-based organization |
|
|
|
| List details about Exchange Online Protection and Microsoft Defender for Office 365 detections in your cloud-based organization |
|
|
|
| Detailed information about Safe Links results |
...
For more information on how the events are parsed, visit our page.
Vendor setup
In order to configure the collector, you need to have valid Office365 credentials.
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).
| Rw ui tabs macro | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running. StructureThe following directory structure should be created for being used when running the collector:
Devo credentialsIn Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in 
Editing the config.yaml file
Replace the placeholders with your required values following the description table below: | ||||||||||||
Parameter | Data type | Type | Value range | Details | ||||||||
|
|
| Minimum length: 1 | Use this param to give an unique id to this collector. | ||||||||
|
|
| Minimum length: 1 | Use this param to give a valid name to this collector. | ||||||||
|
|
|
| Use this param to identify the Devo Cloud where the events will be sent. | ||||||||
|
|
| Minimum length: 4 | Use this param to identify the chain.cert file downloaded from your Devo domain. Usually this file's name is: | ||||||||
|
|
| Minimum length: 4 | Use this param to identify the | ||||||||
|
|
| Minimum length: 4 | Use this param to identify the | ||||||||
|
|
| Minimum length: 1 | Use this param to give an unique id to this input service. | ||||||||
|
|
| false / true | If the value is true, the input definition will be executed. If the value is false, the service will be ignored. | ||||||||
|
|
| Minimum value: 1 | Customize the maximum number of API requests per second. If not used, the default setting will be used: This parameter can be left blank, removed or commented. | ||||||||
|
|
| Email format: username@domain.com | Username to authenticate to the service. | ||||||||
|
|
| Any | Password to authenticate to the service. | ||||||||
|
|
| Minimum length: 1 | By default, this service will run every This parameter can be left blank, removed or commented. | ||||||||
|
|
| Date format: | This parameter allows you to clear the persistence of the collector and restart the download pipeline.
This parameter can be left blank, removed or commented. | ||||||||
|
|
| Minimum value: 1 | Because it can take up to 24 hours for an event to be available through the API, this collector requests data with a 25 hours delay (25*60*60=90000). This parameter allows you to customize this delay.
This parameter can be left blank, removed or commented. | ||||||||
|
|
| Following RFC 3339:
Example: | Initial time period used when fetching data from the endpoint.
| ||||||||
Collector Docker image | SHA-256 hash | |||||||||||
collector-office365_exchange_reports_if-docker-image-0.4.1-beta.tgz |
|
| Code Block |
|---|
gunzip -c <image_file>-<version>.tgz | docker load |
| Note |
|---|
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace |
The Docker image can be deployed on the following services:
Docker
Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/
| Code Block |
|---|
docker run
--name collector-<product_name>
--volume $PWD/certs:/devo-collector/certs
--volume $PWD/config:/devo-collector/config
--volume $PWD/state:/devo-collector/state
--env CONFIG_FILE=config.yaml
--rm
--interactive
--tty
<image_name>:<version> |
| Note |
|---|
Replace |
Docker Compose
The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.
| Code Block |
|---|
version: '3'
services:
collector-<product_name>:
image: <image_name>:${IMAGE_VERSION:-latest}
container_name: collector-<product_name>
volumes:
- ./certs:/devo-collector/certs
- ./config:/devo-collector/config
- ./credentials:/devo-collector/credentials
- ./state:/devo-collector/state
environment:
- CONFIG_FILE=${CONFIG_FILE:-config.yaml} |
To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:
| Code Block |
|---|
IMAGE_VERSION=<version> docker-compose up -d |
| Note |
|---|
Replace |
| Rw tab | ||
|---|---|---|
|
The collector runs on the Devo Collector Server. To enable the collector for a customer:
In the Collector Server GUI, access to the domain in which you want this instance to be created in, click on Add Collector and search for “Office 365 Exchange Reports - Integrations Factory”, then click on the result.
In the Version field, select the latest value.
In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).
In the Parameters section, establish the Collector Parameters as follows below:Collector services detail
| Code Block |
|---|
{
"office365_reporting_message": {
"id": "<input_id>",
"enabled": <input_status>,
"requests_per_second": <requests_per_second>,
"credentials": {
"username": "<creds_username>",
"password": "<creds_password>"
},
"services": {
"office365_reporting_MailTraffic_service": {
"request_period_in_seconds": <request_period_in_seconds>,
"reset_persistence_auth": "<reset_persistence_auth>"
},
"office365_reporting_DlpDetail_service": {
"request_period_in_seconds": <request_period_in_seconds>,
"reset_persistence_auth": "<reset_persistence_auth>"
},
"office365_reporting_SpoofMail_service": {
"request_period_in_seconds": <request_period_in_seconds>,
"reset_persistence_auth": "<reset_persistence_auth>"
},
"office365_reporting_AdvancedThreatProtectionTraffic_service": {
"request_period_in_seconds": <request_period_in_seconds>,
"reset_persistence_auth": "<reset_persistence_auth>"
},
"office365_reporting_MessageTrace_service": {
"request_period_in_seconds": <request_period_in_seconds>,
"reset_persistence_auth": "<reset_persistence_auth>"
},
"office365_reporting_Dlp_service": {
"request_period_in_seconds": <request_period_in_seconds>,
"reset_persistence_auth": "<reset_persistence_auth>"
},
"office365_reporting_MailDetailATP_service": {
"request_period_in_seconds": <request_period_in_seconds>,
"reset_persistence_auth": "<reset_persistence_auth>"
},
"office365_reporting_SafelinksDetail_service": {
"request_period_in_seconds": <request_period_in_seconds>,
"reset_persistence_auth": "<reset_persistence_auth>"
}
}
}
} |
Replace the placeholders with the corresponding values:
Parameter
Data type
Type
Value range / Format
Details
input_id
int
Mandatory
Minimum length: 1
Maximum length: 5
Use this param to give an unique id to this input service.
input_status
bool
Mandatory
false / true
If the value is true, the input definition will be executed. If the value is false, the service will be ignored.
requests_per_second
int
Optional
Minimum value: 1
Customize the maximum number of API requests per second. If not used, the default setting will be used: 100000 requests/sec
This parameter can be left blank, removed or commented.
creds_username
str
Mandatory
Email format: username@domain.com
Username to authenticate to the service.
creds_password
str
Mandatory
Any
Password to authenticate to the service.
request_period_in_seconds
int
Optional
Minimum length: 1
By default, this service will run every 60 seconds. This parameter allows you to customize this behavior.
This parameter can be left blank, removed or commented.
reset_persistence_auth
str
Optional
Date format: YYYY-MM-DD
This parameter allows you to clear the persistence of the collector and restart the download pipeline.
| Note |
|---|
Updating this value will produce the lost of all persisted data and current pipelines. |
The collector runs on the Devo Collector Server. To enable the collector for a customer:
In the Collector Server GUI, access to the domain in which you want this instance to be created in, click on Add Collector and search for “Office 365 Exchange Reports - Integrations Factory”, then click on the result.
In the Version field, select the latest value.
In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).
In the Parameters section, establish the Collector Parameters as follows below:Collector services detail
| Code Block |
|---|
{
"office365_reporting_message": {
"id": "<input_id>",
"enabled": <input_status>,
"requests_per_second": <requests_per_second>,
"credentials": {
"tenant_id": "<tenant_id_value>",
"client_id": "<client_id_value>",
"client_secret": "<client_secret_value>"
},
"services": {
"office365_reporting_MailTraffic_service": {
"request_period_in_seconds": <request_period_in_seconds>,
"reset_persistence_auth": "<reset_persistence_auth>"
},
"office365_reporting_DlpDetail_service": {
"request_period_in_seconds": <request_period_in_seconds>,
"reset_persistence_auth": "<reset_persistence_auth>"
},
"office365_reporting_SpoofMail_service": {
"request_period_in_seconds": <request_period_in_seconds>,
"reset_persistence_auth": "<reset_persistence_auth>"
},
"office365_reporting_AdvancedThreatProtectionTraffic_service": {
"request_period_in_seconds": <request_period_in_seconds>,
"reset_persistence_auth": "<reset_persistence_auth>"
},
"office365_reporting_MessageTrace_service": {
"request_period_in_seconds": <request_period_in_seconds>,
"reset_persistence_auth": "<reset_persistence_auth>"
},
"office365_reporting_Dlp_service": {
"request_period_in_seconds": <request_period_in_seconds>,
"reset_persistence_auth": "<reset_persistence_auth>"
},
"office365_reporting_MailDetailATP_service": {
"request_period_in_seconds": <request_period_in_seconds>,
"reset_persistence_auth": "<reset_persistence_auth>"
},
"office365_reporting_SafelinksDetail_service": {
"request_period_in_seconds": <request_period_in_seconds>,
"reset_persistence_auth": "<reset_persistence_auth>"
}
}
}
} |
Replace the placeholders with the corresponding values:
Parameter | Data type | Type | Value range / Format | Details | ||
|
|
| Minimum length: 1 | Use this param to give an unique id to this input service. | ||
|
|
| false / true | If the value is true, the input definition will be executed. If the value is false, the service will be ignored. | ||
|
|
| Minimum value: 1 | Customize the maximum number of API requests per second. If not used, the default setting will be used: This parameter can be left blank, removed or commented. | ||
|
|
| Email format: username@domain.com | Username to authenticate to the service. | ||
|
|
| Any | Password to authenticate to the service. | ||
|
|
| Minimum length: 1 | By default, this service will run every This parameter can be left blank, removed or commented. | ||
|
|
| Date format: YYYY-MM-DD | This parameter allows you to clear the persistence of the collector and restart the download pipeline.
This parameter can be left blank, removed or commented. |
| Rw tab | ||
|---|---|---|
|
This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running.
Structure
The following directory structure should be created for being used when running the collector:
| Code Block |
|---|
<any_directory>
└── devo-collectors/
└── <product_name>/
├── certs/
│ ├── chain.crt
│ ├── <your_domain>.key
│ └── <your_domain>.crt
├── state/
└── config/
└── config.yaml |
| Note |
|---|
Replace |
Devo credentials
In Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in <product_name>/certs/. Learn more about security credentials in Devo here.
| Note |
|---|
Replace |
Editing the config.yaml file
| Code Block |
|---|
globals:
debug: true
id: <collector_id>
name: <collector_name>
persistence:
type: filesystem
config:
directory_name: state
multiprocessing: <multiprocessing_mode>
outputs:
devo_1:
type: devo_platform
config:
address: <devo_address>
port: 443
type: SSL
chain: <chain_filename>
cert: <cert_filename>
key: <key_filename>
inputs:
office365_reporting_message:
id: <input_id>
enabled: <input_status>
requests_per_second: <request_per_seconds>
credentials:
tenant_id: <tenant_id_value>
client_id: <client_id_value>
client_secret: <client_secret_value>
services:
office365_reporting_MailTraffic_service:
request_period_in_seconds: <period_in_seconds>
reset_persistence_auth: <reset_persistence_auth>
override_time_delay_in_seconds: <delay_in_seconds>
office365_reporting_DlpDetail_service:
request_period_in_seconds: <period_in_seconds>
reset_persistence_auth: <reset_persistence_auth>
override_time_delay_in_seconds: <delay_in_seconds>
office365_reporting_SpoofMail_service:
request_period_in_seconds: <period_in_seconds>
reset_persistence_auth: <reset_persistence_auth>
override_time_delay_in_seconds: <delay_in_seconds>
office365_reporting_AdvancedThreatProtectionTraffic_service:
request_period_in_seconds: <period_in_seconds>
reset_persistence_auth: <reset_persistence_auth>
override_time_delay_in_seconds: <delay_in_seconds>
office365_reporting_MessageTrace_service:
request_period_in_seconds: <period_in_seconds>
reset_persistence_auth: <reset_persistence_auth>
override_time_delay_in_seconds: <delay_in_seconds>
office365_reporting_Dlp_service:
request_period_in_seconds: <period_in_seconds>
reset_persistence_auth: <reset_persistence_auth>
override_time_delay_in_seconds: <delay_in_seconds> |
Replace the placeholders with your required values following the description table below:
Parameter | Data type | Type | Value range | Details | ||
|
|
| Minimum length: 1 | Use this param to give an unique id to this collector. | ||
|
|
| Minimum length: 1 | Use this param to give a valid name to this collector. | ||
|
|
|
| Use this param to identify the Devo Cloud where the events will be sent. | ||
|
|
| Minimum length: 4 | Use this param to identify the chain.cert file downloaded from your Devo domain. Usually this file's name is: | ||
|
|
| Minimum length: 4 | Use this param to identify the | ||
|
|
| Minimum length: 4 | Use this param to identify the | ||
|
|
| Minimum length: 1 | Use this param to give an unique id to this input service. | ||
|
|
| false / true | If the value is true, the input definition will be executed. If the value is false, the service will be ignored. | ||
|
|
| Minimum value: 1 | Customize the maximum number of API requests per second. If not used, the default setting will be used: This parameter can be left blank, removed or commented. | ||
|
|
| Email format: username@domain.com | Username to authenticate to the service. | ||
|
|
| Any | Password to authenticate to the service. | ||
|
|
| Minimum length: 1 | By default, this service will run every This parameter can be left blank, removed or commented. | ||
|
|
| Date format: | This parameter allows you to clear the persistence of the collector and restart the download pipeline.
This parameter can be left blank, removed or commented. | ||
|
|
| Minimum value: 1 | Because it can take up to 24 hours for an event to be available through the API, this collector requests data with a 25 hours delay (25*60*60=90000). This parameter allows you to customize this delay.
This parameter can be left blank, removed or commented. | ||
|
|
| Following RFC 3339:
Example: | Initial time period used when fetching data from the endpoint.
|
Download the Docker image
The collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:
Collector Docker image | SHA-256 hash |
|---|---|
collector-office365_exchange_reports_if-docker-image-0.4.1-beta.tgz |
|
Use the following command to add the Docker image to the system:
| Code Block |
|---|
gunzip -c <image_file>-<version>.tgz | docker load |
| Note |
|---|
Once the Docker image is imported, it will show the real name of the Docker image (including version info). Replace |
The Docker image can be deployed on the following services:
Docker
Execute the following command on the root directory <any_directory>/devo-collectors/<product_name>/
| Code Block |
|---|
docker run
--name collector-<product_name>
--volume $PWD/certs:/devo-collector/certs
--volume $PWD/config:/devo-collector/config
--volume $PWD/state:/devo-collector/state
--env CONFIG_FILE=config.yaml
--rm
--interactive
--tty
<image_name>:<version> |
| Note |
|---|
Replace |
Docker Compose
The following Docker Compose file can be used to execute the Docker container. It must be created in the <any_directory>/devo-collectors/<product_name>/ directory.
| Code Block |
|---|
version: '3'
services:
collector-<product_name>:
image: <image_name>:${IMAGE_VERSION:-latest}
container_name: collector-<product_name>
volumes:
- ./certs:/devo-collector/certs
- ./config:/devo-collector/config
- ./credentials:/devo-collector/credentials
- ./state:/devo-collector/state
environment:
- CONFIG_FILE=${CONFIG_FILE:-config.yaml} |
To run the container using docker-compose, execute the following command from the <any_directory>/devo-collectors/<product_name>/ directory:
| Code Block |
|---|
IMAGE_VERSION=<version> docker-compose up -d |
| Note |
|---|
Replace |
Change log
Release | Released on | Release type | Details | Recommendations | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
| Improvements:
Bug fixing:
|
|