InsightIDR | Office365| Seeking advice


I would like to seek confirmation and advice on this situation.

I integrated Office 365, in that integration will it also include the email logging trace?

Kind of, if a user (within domain) sent an email to an outside domain.

Example: Organization Domain:
Outside Domain:

Scenario: sent an email (with/without attachment) to [somebody@yahoo.comph]

IS the log on that kind of event will also be available in InsightIDR now that we integrated the office365? I tried doing a test on this but I cannot find the email trace (event) in the Log Search.

Perhaps, do I need to request to enable some service/feature in Office365 to get this kind of data from our Office365 Admin? Or do I need another integration like a script which pulls such data from office365 then feed it to InsightIDR using custom logs?

Hope to get some advice on this.

Best Regards,

Hey @nowel,

The short answer is yes, a user sending an email to another domain can be tracked in IDR. This all depends on your current Subscription license for O365. The “Send” action in IDR is found under the Cloud Service Activity log set.

Now the ability to see the “Send” value in your O365 logs is available only for E5 or E5 Compliance add-on subscription users. The user sends an email message, replies to an email message, or forwards an email message.

For more information, see Set up Advanced Audit in Microsoft 365.

Thanks a lot Davis!

Very much appreciated your assistance on this. Am trying to communicate with the Office365 Admin and he went ahead and asked me what he needs to do which am don’t really have an idea myself as I don’t manage Office365. He really passed the ball to me on that. :sweat_smile:

Not a problem @nowel! Yeah, I feel your pain there for sure! The advanced auditing does need to be turned on for every O365 user, which you can do in the O365 admin platform or by using PowerShell (which may be easier, but obviously test, test, test).

1 Like