
Office 365 Message Trace (Graph API)

Overview

Microsoft 365 Message trace follows email messages as they travel through your Exchange Online organization. You can determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status. You can use the information from message trace to efficiently answer user questions about what happened to messages, troubleshoot mail flow issues, and validate policy changes (More information on microsoft.com).

Warning

Important note - This format is currently in beta. We highly value your feedback to improve its performance.

  • Vendor: Microsoft
  • Supported environment: Cloud
  • Version compatibility:
  • Detection based on: Telemetry
  • Supported application or feature:

Prerequisite

According to docs.microsoft.com, Message Trace is available to the following plans:

  • Exchange Online Protection
  • Microsoft Defender for Office 365 plan 1 and plan 2
  • Microsoft 365 Defender

Configure

Provision the Microsoft application

In order to access message traces in the Microsoft Graph API, you must provision the Microsoft application 8bd644d1-64a1-4d4b-ae52-2e0cbf64e373.

  1. Log in to the Azure Portal
  2. Open the cloud shell

    [Screenshot: Azure Cloud Shell]

  3. If you use the bash cloud shell, switch to the PowerShell one. Click confirm in the modal.

    [Screenshot: Azure - Switch to PowerShell]

    [Screenshot: Azure - Confirm]

  4. Paste this command to connect to Microsoft Graph PowerShell

    Connect-MgGraph -Scopes "Application.ReadWrite.All"
    
  5. Paste this command to provision the service principal

    New-MgServicePrincipal -AppId 8bd644d1-64a1-4d4b-ae52-2e0cbf64e373
    

Configure OAuth

Collect your Tenant ID from your Azure Portal (for more information, read How to find your Microsoft Entra ID (Azure AD) tenant ID).

Create an Azure application

  1. On the Azure Portal, in the search bar, go to App registrations
  2. Click + New registration
  3. Type a name
  4. Select Accounts in this organizational directory only option as account type
  5. Click Register
  6. From the Overview page, copy Application (client) ID and Directory (tenant) ID

Create a client secret

  1. Go to Manage > Certificates & secrets
  2. Click + New client secret
  3. Type a description and select the desired expiration period
  4. Click Add
  5. Copy the Value of the client secret

Add permissions

  1. Go to Manage > API permissions
  2. Click Add a permission
  3. On the right panel, Select Microsoft APIs tab
  4. Click Microsoft Graph
  5. Click Application permissions
  6. Select the permission: ExchangeMessageTrace.Read.All
  7. Click Add permissions
  8. In the API permissions page, click Grant admin consent for TENANT_NAME
  9. Click Yes in the Grant admin consent confirmation modal
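The three procedures above (provisioning the Microsoft application, registering an app with a client secret, and granting the ExchangeMessageTrace.Read.All application permission with admin consent) can be run end to end from the same PowerShell cloud shell. The script below is an added example, not a script shipped by Sekoia.io or Microsoft. It assumes the Microsoft.Graph PowerShell module is available (it is preinstalled in Azure Cloud Shell), that the signed-in account can create applications and grant admin consent, and that the display name and secret label are arbitrary values you may change; 00000003-0000-0000-c000-000000000000 is the well-known appId of the Microsoft Graph resource.

```powershell
# Added example (not Sekoia.io's or Microsoft's own script): automates the
# provisioning, app registration, client secret and permission grant steps.
# Assumptions: Microsoft.Graph module present; the signed-in user may create
# applications and grant admin consent; display name / secret label are arbitrary.

$MessageTraceAppId = '8bd644d1-64a1-4d4b-ae52-2e0cbf64e373'   # Microsoft application from this page
$GraphAppId        = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph resource appId
$AppDisplayName    = 'Sekoia-MessageTrace-Collector'          # assumed name, pick your own
$PermissionValue   = 'ExchangeMessageTrace.Read.All'          # permission named on this page

# Application.ReadWrite.All covers the service principal and app registration;
# AppRoleAssignment.ReadWrite.All is what "Grant admin consent" needs outside the portal.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'

# 1. Provision the Microsoft first-party application (skipped if it already exists)
$msgTraceSp = Get-MgServicePrincipal -Filter "appId eq '$MessageTraceAppId'"
if (-not $msgTraceSp) {
    $msgTraceSp = New-MgServicePrincipal -AppId $MessageTraceAppId
}

# 2. Resolve the application permission (app role) on the Microsoft Graph service principal
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$appRole = $graphSp.AppRoles | Where-Object {
    $_.Value -eq $PermissionValue -and $_.AllowedMemberTypes -contains 'Application'
}
if (-not $appRole) { throw "App role '$PermissionValue' was not found on Microsoft Graph in this tenant" }

# 3. Register the application: single tenant ("Accounts in this organizational directory only")
#    with only the one application permission it needs (least privilege).
$requiredAccess = @{
    ResourceAppId  = $GraphAppId
    ResourceAccess = @(@{ Id = $appRole.Id; Type = 'Role' })   # Type 'Role' = application permission
}
$app = New-MgApplication -DisplayName $AppDisplayName `
                         -SignInAudience 'AzureADMyOrg' `
                         -RequiredResourceAccess @($requiredAccess)

# 4. Create a client secret. SecretText is returned once and cannot be read back later.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'sekoia-intake'          # assumed label
    EndDateTime = (Get-Date).AddMonths(6)  # rotate before expiry
}

# 5. Grant admin consent: assign the app role to the application's own service principal
$appSp = New-MgServicePrincipal -AppId $app.AppId
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id `
                                        -PrincipalId $appSp.Id `
                                        -ResourceId $graphSp.Id `
                                        -AppRoleId $appRole.Id | Out-Null

# The three values the intake configuration asks for
[pscustomobject]@{
    'Application (client) ID' = $app.AppId
    'Directory (tenant) ID'   = (Get-MgContext).TenantId
    'Client secret value'     = $secret.SecretText
}
```

Paste the three printed values into the intake configuration and store the secret value nowhere else; it is only displayed once. If New-MgServicePrincipal for the new application fails immediately after New-MgApplication, wait a few seconds and rerun that step, since directory replication can lag behind the registration.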

Create an intake

Go to your Sekoia.io Intakes page, and follow these steps:

  1. Click + Intake button to create a new one
  2. Choose Microsoft 365 Message Trace (Graph API), give it a name and choose the relevant Entity
  3. Edit the intake configuration:
    • Type the Application (client) ID in the client id field
    • Type the Directory (tenant) ID in the tenant id field
    • Type the Value of the client secret in the client secret field

Detection section

The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.

No related built-in rules were found. This message is automatically generated.