Office 365 Email Activity and Data Exfiltration Detection

Published Feb 13 2020 06:04 AM 60.5K Views
Microsoft

This article shows how to use Office 365 message trace to analyze email activity and to detect security use cases such as data exfiltration in Azure Sentinel.

 

Office 365 Message Trace contains a lot of information that is useful to a security analyst. While it does not include the message content itself, it provides insight into the mail flow of the organization. It can also be used to detect malicious activity and to generate reports about mail flow (e.g. information about bulk mail, e-mail from spoofed domains, or an abnormal rate of e-mail sending). An abnormal sending rate in particular can be used to detect data exfiltration from within the organization. In this article we describe how to use Office 365 Message Trace together with Azure Sentinel to detect these security scenarios.

 

Update 3rd June 2020 - while this article uses Logic Apps to ingest message trace data, you may want to consider another, perhaps more elegant approach to ingesting O365 message trace data based on an Azure Function. For details see the article by my colleague @Jon Nordström, Ingesting Office 365 Message Traces to Sentinel.

 

Accessing Office 365 Message Trace 

Office 365 message tracking logs can be accessed directly through the web interface in the Security & Compliance Center or through PowerShell (via the Get-MessageTrace cmdlet). For programmatic access there is also the Office 365 Message Trace Reporting Web Service, which is what we use in this article. It is reached through the REST URI https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?. By default it returns 30 days of message trace data. To filter the results you provide additional parameters in the URI, as in the example below, which requests data from a 2-day timeframe. Note that if you provide StartDate you must also provide EndDate.

https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?\$filter=StartDate%...'

The web interface can show up to 30 days of message trace data. If the reporting service is queried for a period longer than 30 days, it returns an empty dataset. Also, while data about a message is available as soon as it is sent or received, it can take up to 24 hours before it becomes available through the reporting service.

 

Creating Service Account

Before accessing the Office 365 Message Trace service we need to create an Office 365 service account. This account needs a very strong password, because the reporting service is accessed with basic authentication (there is no OAuth 2.0).

The service account can be created in the Office 365 Security & Compliance Center or with PowerShell. To manage Office 365 with the PowerShell module, follow the steps in Connect to Office 365 PowerShell.

 

Here are the cmdlets that create the service user and its role group:

 

# Derive the tenant's onmicrosoft.com domain from the first licensing SKU
$TenantDomain = (Get-MsolAccountSku).AccountSkuId[0].Split(":")[0] + ".onmicrosoft.com"
$UserName = "msgtracereporting@" + $TenantDomain
# The reporting service only supports basic authentication, so replace this
# sample value with a long, randomly generated password
$Pwd = "O365Msg-TracE"
New-MsolUser -UserPrincipalName $UserName -DisplayName "Message Trace Reporting" -Password $Pwd -ForceChangePassword $False -PasswordNeverExpires $True -UsageLocation "NL"
# Role group (Exchange Online PowerShell) granting read-only access to message tracking
$RoleGroup = New-RoleGroup -Name "Message Trace Reporting" -Roles "Message Tracking", "View-Only Audit Logs", "View-Only Configuration", "View-Only Recipients" -Members $UserName

 

Note: if you run into issues with the New-RoleGroup command, make sure you are connected to Exchange Online PowerShell as described here - https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/exchange-online-powershell-v2/e...

 

Once the service account is created, you can test the service with a simple curl command:

curl -v --user msgtracereporting@tenantdomain:password "https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MessageTrace?\$filter=StartDate%...'"

 

By default the Office 365 Reporting Service returns an XML dataset, but you can switch the result set to JSON by requesting it in the request headers. We will work with JSON because Azure Sentinel works with JSON by default and Logic Apps has better support for JSON than for XML. To get JSON data, add -H "Accept: application/json" to the curl command.

 

Creating Logic Apps playbook

We will retrieve the data and ingest it into Sentinel through a Logic Apps playbook.

 

Note: there are other ways to ingest message trace data, e.g. through Logstash, a custom function, or a scheduled job that pushes data through the Sentinel HTTP Data Collector API.

 

Now let's go through the Logic App playbook creation. First, create a new playbook in the Azure Sentinel Playbooks section and choose a resource group and location.

 

Next, we need to choose the playbook trigger. We will use the Logic Apps scheduled trigger, set to run daily. You can choose any period; just remember that message trace can only be retrieved for the last 30 days.

 

Message trace data will be ingested into the custom log table EmailEvents_CL. We reference this table throughout the article.

 

Because the playbook runs on a schedule, we need to decide which data interval to query on each execution. The simple approach is to always take the playbook's execution period - i.e. if the playbook runs every 24 hours, always request the last 24 hours from message trace, the interval <now()-1d, now()>. This is not very flexible: if we change the playbook interval (e.g. to 48 hours), we also have to update the data retrieval logic in the playbook itself. And if we need to rerun the playbook during troubleshooting, we can end up with duplicate data ingested into the message trace table. Since Azure Sentinel provides no option to delete data (it's a SIEM), we need to be careful about how we ingest.

 

The more accurate approach is to base retrieval on the timestamp of the latest ingested message and query from that timestamp onwards. To avoid an empty dataset in the (rare) situation where the latest ingested message is older than 30 days (as mentioned, the reporting service only returns data within a 30-day timeframe), we start the query at the more recent of the latest ingested timestamp and now() minus 30 days, i.e. the lookback is min(time since the latest ingested message, 30 days).

 

To retrieve the timestamp of the latest ingested message, we run the following KQL query:

EmailEvents_CL | summarize arg_max(Received_t, *) | project Received_t

 

Note: we use the arg_max function, which returns the row with the largest Received_t, and then project that column to get a single value.

Now we combine this with the 30-day floor using union isfuzzy=true, so the query does not fail if the table does not exist yet. Because of isfuzzy=true the query also succeeds when the EmailEvents_CL table has not been created (first playbook execution).

The final query:

 

union isfuzzy=true
(print Received_t=(now()-30d)), //querying max 30 days ago
(EmailEvents_CL | summarize arg_max(Received_t, *)) //latest message
| summarize max(Received_t)
| project max_Received_t = (max_Received_t + 1ms)
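The watermark logic above, as an added Python example that is not part of the article or its playbook: it computes the query start the same way the KQL does (latest ingested message + 1 ms, floored at 30 days back), builds the MessageTrace request URI, and extracts the next watermark from a fetched page. The datetime'...' form of the $filter literal and the timestamp format of the returned records are assumptions of this example, not taken from the article; the HTTP call itself (basic auth, Accept: application/json) is left to your HTTP client.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Endpoint named in the article; the $filter literal form below is this
# example's assumption about the service's OData syntax.
TRACE_ENDPOINT = ("https://reports.office365.com/ecp/reportingwebservice/"
                  "reporting.svc/MessageTrace")
MAX_LOOKBACK = timedelta(days=30)   # older requests return an empty dataset
SAFE = "=':"                        # characters left unescaped in the $filter value


def parse_ts(value):
    """Parse the timestamps the service returns (assumed ISO 8601, up to 7
    fractional digits, optional trailing Z) into an aware UTC datetime."""
    value = value.rstrip("Z")
    if "." in value:
        base, frac = value.split(".", 1)
        value = f"{base}.{(frac + '000000')[:6]}"   # strptime accepts <= 6 digits
        fmt = "%Y-%m-%dT%H:%M:%S.%f"
    else:
        fmt = "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def fmt_ts(ts):
    """ISO 8601 with millisecond precision, the granularity of the +1ms step."""
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


def query_start(latest_ingested, now):
    """Python equivalent of the article's union/arg_max/max KQL: start just
    after the latest ingested message, but never more than 30 days back.
    latest_ingested is None while EmailEvents_CL does not exist yet."""
    floor = now - MAX_LOOKBACK
    if latest_ingested is None:
        return floor
    return max(latest_ingested + timedelta(milliseconds=1), floor)


def build_trace_uri(start, end):
    """$filter=StartDate eq datetime'...' and EndDate eq datetime'...';
    the service requires both bounds when either is given."""
    flt = (f"StartDate eq datetime'{fmt_ts(start)}' "
           f"and EndDate eq datetime'{fmt_ts(end)}'")
    return f"{TRACE_ENDPOINT}?$filter={quote(flt, safe=SAFE)}"


def plan_fetch(latest_iso, now_iso):
    """Convenience wrapper on ISO strings: returns (start_iso, request_uri)."""
    now = parse_ts(now_iso)
    latest = parse_ts(latest_iso) if latest_iso else None
    start = query_start(latest, now)
    return fmt_ts(start), build_trace_uri(start, now)


def next_watermark(records):
    """Latest 'Received' in a fetched page; becomes the next run's start."""
    if not records:
        return None
    return fmt_ts(max(parse_ts(r["Received"]) for r in records))


if __name__ == "__main__":
    # Constructed sample of what the service returns (two trimmed records).
    page = [{"Received": "2020-02-12T09:15:33.1234567", "MessageId": "<a@x>"},
            {"Received": "2020-02-12T11:02:00", "MessageId": "<b@x>"}]
    print(plan_fetch("2020-02-12T09:15:33.123", "2020-02-13T06:00:00"))
    print(plan_fetch(None, "2020-02-13T06:00:00"))   # first run: full 30 days
    print(next_watermark(page))
```

Persist the value returned by next_watermark (in the playbook this role is played by the EmailEvents_CL table itself) and feed it back into plan_fetch on the next run; a rerun then continues from the last message instead of re-ingesting the whole period.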

 

We now add the Run query and list results action to the playbook to execute the query:

 

Calling Office 365 Message Reporting Service

Now that we have the timestamp of the latest message, we can call the Office 365 Message Trace service.

First, we need to parse the result of the query executed in the previous step. We use the Parse JSON action with the default schema generated from the return value of the query action, with one change: under the items property we changed the type from array to object. Since we know we are querying for a single value, changing the type to object conveniently returns a single item rather than an array with one element.

parse_json2.png

To call the O365 Message Trace Reporting Service we use the HTTP action in Logic Apps. We also add the Accept: application/json header in the Headers section to retrieve data in JSON format instead of XML:

httpcall.png

 

Also notice the expression we added for the most recent timestamp queried in the previous step, and the utcnow() function used for the current date.

 

After we retrieve the message trace data, we ingest it into Azure Sentinel. Before ingesting, we parse the result set returned by the HTTP action against the O365 reporting service using another Parse JSON action:

parse_json.png

For data ingestion we use the Send Data action from the Log Analytics connector. Note that by default this action produces a for-each loop if you pass an array as a parameter. Because Send Data supports ingesting a large JSON array at once, we can avoid the for-each loop (each for-each iteration also adds Logic App cost) and ingest all retrieved messages in one call. To do so, add the "value" property of the parsed response as the Send Data input. You may not see "value" immediately in the list of dynamic properties; in that case just type body('Parse_JSON')?['value'] into the expression dialog.

 

Important note: the Send Data action currently has a 30 MB limit per ingestion, so if your playbook fails due to a large dataset, adjust the playbook recurrence so that each run retrieves a smaller dataset. Additionally, you can implement logic that checks the message trace size and, if it exceeds 30 MB, sends an alert (e.g. through the email action). You can check the size with the length function (@length(string(variables('value')))) or by reading the Content-Length header of the response. Both calculations are approximate due to encoding/stringification, but accurate enough for this purpose.
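As an added example (not the article's playbook and not Microsoft's code), here is the same ingestion done from a custom function in Python against the Log Analytics HTTP Data Collector API, the alternative the article mentions: it signs each POST with the workspace shared key and splits the records so no single POST exceeds the 30 MB limit. The workspace id and key are constructed placeholders; the "time-generated-field" choice of the Received column is this example's assumption.

```python
import base64
import hashlib
import hmac
import json
from email.utils import formatdate   # RFC 1123 date for the x-ms-date header

MAX_POST_BYTES = 30 * 1024 * 1024    # per-post limit of the Data Collector API
RESOURCE = "/api/logs"
# Constructed demo key; the real value is the workspace's base64 primary key.
DEMO_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-secret!!").decode()


def encode(obj):
    """Compact JSON, so the size we measure is the size we send."""
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def build_signature(workspace_id, shared_key, rfc1123_date, content_length):
    """Authorization header as the API specifies:
    SharedKey <workspace>:<base64(HMAC-SHA256(key, string-to-sign))>."""
    string_to_sign = "\n".join(["POST", str(content_length), "application/json",
                                f"x-ms-date:{rfc1123_date}", RESOURCE])
    digest = hmac.new(base64.b64decode(shared_key),
                      string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"


def build_request(workspace_id, shared_key, log_type, body, rfc1123_date=None):
    """Everything an HTTP client needs for one POST; body is already encoded."""
    rfc1123_date = rfc1123_date or formatdate(usegmt=True)
    return {
        "url": f"https://{workspace_id}.ods.opinsights.azure.com{RESOURCE}?api-version=2016-04-01",
        "headers": {
            "Content-Type": "application/json",
            "Authorization": build_signature(workspace_id, shared_key, rfc1123_date, len(body)),
            "Log-Type": log_type,                # Log Analytics appends _CL: EmailEvents -> EmailEvents_CL
            "x-ms-date": rfc1123_date,
            "time-generated-field": "Received",  # message timestamp becomes TimeGenerated (assumption)
        },
        "body": body,
    }


def split_batches(records, max_bytes=MAX_POST_BYTES):
    """Greedy split that keeps the encoded size of each batch (as a JSON
    array) at or under max_bytes, preserving record order."""
    batches, current, size = [], [], 2           # 2 bytes for the enclosing "[]"
    for rec in records:
        enc_len = len(encode(rec))
        if enc_len + 2 > max_bytes:
            raise ValueError("single record exceeds the per-post limit")
        extra = enc_len + (1 if current else 0)  # +1 for the separating comma
        if current and size + extra > max_bytes:
            batches.append(current)
            current, size, extra = [], 2, enc_len
        current.append(rec)
        size += extra
    if current:
        batches.append(current)
    return batches


def prepare_posts(records, workspace_id, shared_key, log_type="EmailEvents"):
    """One signed request per batch; send each with urllib or requests."""
    return [build_request(workspace_id, shared_key, log_type, encode(batch))
            for batch in split_batches(records)]


if __name__ == "__main__":
    # Constructed records standing in for the message trace "value" array.
    sample = [{"MessageId": f"m{i}", "Size": i} for i in range(10)]
    for req in prepare_posts(sample, "00000000-0000-0000-0000-000000000000", DEMO_KEY):
        print(req["url"], req["headers"]["Authorization"][:30] + "...", len(req["body"]), "bytes")
```

Because the batch size is computed on the exact bytes that are posted, the check is not approximate the way the length() expression in the playbook is, and an oversized run is split rather than failed.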

 

send_data.png

And here's the result set after message trace ingestion into the EmailEvents_CL table:

resultset.png

 

Detecting Data Exfiltration

Once data from Office 365 Message Trace is ingested into Azure Sentinel, we can start querying it and preparing security use cases. A common use case across organizations is detecting data exfiltration, and one indicator of exfiltration is a large amount of data sent in a short timeframe.

 

Note: in the following queries, replace the article's tenant name m365x175748.onmicrosoft.com with your own Office 365 domain/tenant name. If you use multiple domain names, add an additional condition to the query for each domain.

 

To detect data exfiltration we build the KQL query in two steps.

 

First, we create a query that calculates the baseline for the number of sent messages (the average plus one standard deviation of the daily per-sender message count over the previous 7 days):

let sending_threshold = toscalar(
EmailEvents_CL
| where Received_t >= startofday(ago(7d)) and Received_t < startofday(now())
| summarize cnt=count() by SenderAddress_s, bin(Received_t, 1d)
| summarize avg(cnt), stdev(cnt)
| project threshold = avg_cnt+stdev_cnt);
print sending_threshold

 

Once sending_threshold is calculated, we can form the full query that checks for deviations from the threshold. For more details on how this query was formulated, see one of the recent Azure Sentinel webinars on rule creation at https://aka.ms/SecurityWebinars.

 

let sending_threshold = toscalar(
EmailEvents_CL
| where Received_t >= startofday(ago(7d)) and Received_t < startofday(now())
    and RecipientAddress_s !endswith "m365x175748.onmicrosoft.com" // baseline on outbound mail only
| summarize cnt=count() by SenderAddress_s, bin(Received_t, 1d)
| summarize avg(cnt), stdev(cnt)
| project threshold = avg_cnt+stdev_cnt);
EmailEvents_CL
| where Received_t >= ago(1d)
    and RecipientAddress_s !endswith "m365x175748.onmicrosoft.com" // same outbound filter as the baseline
| summarize count() by SenderAddress_s
| where count_ > sending_threshold

 

Once we have the query, we can create a Sentinel alert rule from it and be alerted about anomalous outbound e-mail volume that may indicate data exfiltration.
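To make the baseline arithmetic concrete, here is an added Python version of the detection query above, run over a constructed message trace (it is not code from the article). It reproduces the KQL: per-sender daily outbound counts over the previous 7 days, threshold = avg + sample stdev, and a check of the last 24 hours against it. The sample data, the fixed NOW, and the sender names are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, stdev

TENANT = "m365x175748.onmicrosoft.com"   # the article's sample tenant
NOW = datetime(2020, 2, 13, 6, 0)        # fixed "now" so the sample is reproducible


def is_outbound(rec, tenant=TENANT):
    """KQL: RecipientAddress_s !endswith tenant."""
    return not rec["RecipientAddress"].lower().endswith(tenant)


def day_of(rec):
    """bin(Received_t, 1d) on ISO 8601 timestamps."""
    return rec["Received"][:10]


def sending_threshold(records, now=NOW, tenant=TENANT):
    """avg + stdev of per-sender daily outbound counts over the previous 7 days
    (startofday(ago(7d)) <= Received_t < startofday(now()))."""
    start = (now - timedelta(days=7)).strftime("%Y-%m-%d")
    end = now.strftime("%Y-%m-%d")
    per_day = Counter((r["SenderAddress"].lower(), day_of(r)) for r in records
                      if is_outbound(r, tenant) and start <= day_of(r) < end)
    counts = list(per_day.values())
    if len(counts) < 2:      # stdev is undefined (KQL yields null): nothing to alert on yet
        return None
    return mean(counts) + stdev(counts)   # statistics.stdev is the sample stdev, like KQL stdev()


def anomalous_senders(records, now=NOW, tenant=TENANT):
    """Senders whose outbound count in the last 24h (ago(1d)) exceeds the threshold."""
    threshold = sending_threshold(records, now, tenant)
    if threshold is None:
        return []
    since = now - timedelta(days=1)
    recent = Counter(r["SenderAddress"].lower() for r in records
                     if is_outbound(r, tenant)
                     and datetime.fromisoformat(r["Received"]) >= since)
    return sorted((s, c) for s, c in recent.items() if c > threshold)


def _rec(sender, recipient, ts):
    return {"SenderAddress": sender, "RecipientAddress": recipient,
            "Received": ts.isoformat(), "Size": 2048}


def build_sample():
    """Constructed trace: alice sends 2 and bob 4 external mails per day for 7
    days (plus internal mail, which must not count); on the last day mallory
    sends 9 external mails and 30 internal ones."""
    recs = []
    for d in range(7, 0, -1):
        day = (NOW - timedelta(days=d)).replace(hour=3, minute=0)
        recs += [_rec(f"alice@{TENANT}", "contact@example.net", day + timedelta(minutes=i)) for i in range(2)]
        recs += [_rec(f"bob@{TENANT}", "contact@example.net", day + timedelta(minutes=i)) for i in range(4)]
        recs += [_rec(f"alice@{TENANT}", f"bob@{TENANT}", day + timedelta(minutes=i)) for i in range(10)]
    today = NOW.replace(hour=4, minute=0)
    recs += [_rec(f"alice@{TENANT}", "contact@example.net", today + timedelta(minutes=i)) for i in range(2)]
    recs += [_rec(f"bob@{TENANT}", "contact@example.net", today + timedelta(minutes=i)) for i in range(4)]
    recs += [_rec(f"mallory@{TENANT}", "mailbox@example.org", today + timedelta(minutes=i)) for i in range(9)]
    recs += [_rec(f"mallory@{TENANT}", f"alice@{TENANT}", today + timedelta(minutes=i)) for i in range(30)]
    recs.append(_rec("partner@example.com", f"alice@{TENANT}", today))   # inbound, ignored
    return recs


SAMPLE_TRACE = build_sample()

if __name__ == "__main__":
    print("threshold:", sending_threshold(SAMPLE_TRACE))   # 3 + sqrt(14/13)
    print("anomalous:", anomalous_senders(SAMPLE_TRACE))
```

Two properties of the KQL are visible here: the baseline only contains sender-days on which a sender actually sent (no zero-filled days, which keeps the stdev small), and the 30 internal messages from mallory never enter either side of the comparison, so a burst of internal mail does not trigger the rule.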

Additional information from Office 365 Message Trace

Top 10 senders by message count:

EmailEvents_CL
| summarize Amount=count() by SenderAddress_s
| top 10 by Amount

 

Top 10 recipients by message count:

EmailEvents_CL
| summarize Amount=count() by RecipientAddress_s
| top 10 by Amount

 

Mail Flow over time:

EmailEvents_CL
| summarize count() by bin(Received_t, 30m)
| render timechart

 

Summary of internal/external inbound vs. outbound email:

EmailEvents_CL
| summarize
    InternalEmail = countif(SenderAddress_s endswith "m365x175748.onmicrosoft.com" and RecipientAddress_s endswith "m365x175748.onmicrosoft.com"),
    OutboundEmail = countif(SenderAddress_s endswith "m365x175748.onmicrosoft.com" and RecipientAddress_s !endswith "m365x175748.onmicrosoft.com"),
    InboundEmail  = countif(SenderAddress_s !endswith "m365x175748.onmicrosoft.com" and RecipientAddress_s endswith "m365x175748.onmicrosoft.com")
    by bin_at(Received_t, 1h, now())
| render timechart

 

Top 10 largest email messages by message size:

EmailEvents_CL
| top 10 by Size_d

 

We can also use message trace data to check whether the organization has received e-mail from lookalike domains (e.g. contoso.com vs c0nt0so.om). Such domain impersonation can be an indicator of a phishing attack. One way to do this is to use a tool like dnstwist (there is also an online version at https://dnstwister.report/) to generate the list of plausible permutations of your domain, store it as a lookup table, and join it against the EmailEvents_CL data in the query (see the documentation on using lookup tables with Azure Sentinel).
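An added Python example (not the article's code, and not dnstwist itself) of the lookalike-domain check: it builds a small permutation table for your own domain, similar in spirit to the list dnstwist would produce, and joins inbound trace records against it. The homoglyph map and the inbound records are constructed; a real table from dnstwist would be much larger.

```python
from itertools import product

# Small constructed homoglyph set; dnstwist ships a much larger one.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4"}


def homoglyph_variants(label):
    """Every combination of substitutions on the registrable label
    (contoso -> contoso, c0ntoso, c0nt0so, ...): 2**k variants for k swappable chars."""
    options = [(ch, HOMOGLYPHS[ch]) if ch in HOMOGLYPHS else (ch,) for ch in label]
    return {"".join(p) for p in product(*options)}


def lookalike_candidates(domain):
    """Lookup table of lookalike names for one domain: homoglyphs on the label,
    then a single omission (including in the TLD, so .com -> .om) or an
    adjacent transposition applied to each result."""
    domain = domain.lower()
    label, _, tld = domain.partition(".")
    names = set()
    for lv in homoglyph_variants(label):
        base = f"{lv}.{tld}"
        names.add(base)
        for i, ch in enumerate(base):                 # omission
            if ch != ".":
                names.add(base[:i] + base[i + 1:])
        for i in range(len(base) - 1):                # transposition
            if "." not in base[i:i + 2]:
                names.add(base[:i] + base[i + 1] + base[i] + base[i + 2:])
    names.discard(domain)                             # never flag the real domain
    return names


def sender_domain(address):
    return address.lower().rpartition("@")[2]


def flag_lookalike_senders(records, legit_domain):
    """The join the article describes: trace records whose sender domain is in the table."""
    table = lookalike_candidates(legit_domain)
    return [(r["SenderAddress"].lower(), r["RecipientAddress"], r["Received"])
            for r in records if sender_domain(r["SenderAddress"]) in table]


# Constructed inbound records in the shape of the message trace fields.
SAMPLE_INBOUND = [
    {"SenderAddress": "Billing@c0nt0so.om", "RecipientAddress": "alice@contoso.com", "Received": "2020-02-12T09:15:33"},
    {"SenderAddress": "news@example.net", "RecipientAddress": "alice@contoso.com", "Received": "2020-02-12T09:20:00"},
    {"SenderAddress": "it@contoso.com", "RecipientAddress": "bob@contoso.com", "Received": "2020-02-12T09:25:00"},
    {"SenderAddress": "hr@contos.com", "RecipientAddress": "bob@contoso.com", "Received": "2020-02-12T09:30:00"},
]

if __name__ == "__main__":
    print(len(lookalike_candidates("contoso.com")), "candidate names")
    for hit in flag_lookalike_senders(SAMPLE_INBOUND, "contoso.com"):
        print(hit)
```

In Sentinel the equivalent of the table is the lookup list and the equivalent of the join is an inner join on the sender's domain; the point of generating the table ahead of time rather than computing an edit distance at query time is that a set lookup stays cheap as the EmailEvents_CL table grows.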

 

We have also created a sample workbook for security analysts based on the queries described above:

workbook.png

 

Summary

This article has demonstrated how to ingest Office 365 Message Trace logs into Sentinel. Office 365 Message Trace provides the underlying data for various interesting security scenarios and use cases such as data exfiltration. We have uploaded the playbook's JSON code and screenshots to GitHub. Apologies for the low screenshot quality - but it should be enough to understand the playbook concept. The JSON code provides the schema; you just need to replace two actions - Run query and list results and Send Data - as described in the article.

 

Here's also the final Logic Apps playbook for reference:

playbook.png

26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22StartDate%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22type%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22string%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22Status%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22type%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22string%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSP
AN%3E%3CSPAN%3E%22Subject%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22type%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22string%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ToIP%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22type%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%5B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22string%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbs
p%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22null%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%5D%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22required%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%5B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22Organization%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22MessageId%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%5D%2C%3C%2FSPAN%3E%3
C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22type%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22object%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22type%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22array%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22type%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22object%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%7D%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1180339%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Email%20Activity%20and%20Data%20Exfiltration%20Detection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1180339%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20article%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F40452%22%20target%3D%22_blank%22%3E%40Stefan%20Simon%3C%2FA%3E%26nbsp%3B.%20One%20question.%20I'm%20not%20seeing%20any%20Schema%20info%20under%20the%20Parse%20JSON%202%20action.%20The%20article%20seems%20to%20indicates%20that%20this%20is%20auto%20generated...%20%22default%20schema%20generated%20from%20the%20return%20value%20of%20query%20function%22.%20I%20should%20point%20ou
t%20here%20that%20I%20don't%20have%20a%20Custom%20Log%20created%20yet%20so%20there%20is%20likely%20no%20return%20data%20coming%20from%20action%20two%20(Run%20query%20and%20list%20results)%20just%20yet.%20The%20article%20seems%20to%20assume%20that%20the%20custom%20log%20(EmailEvents_CL)%20should%20already%20be%20created.%20However%2C%20I'm%20having%20trouble%20finding%20info%20on%20how%20to%20create%20a%20custom%20log%20when%20not%20using%20the%20default%20method%20as%20described%20in%20the%20article%20below%20(dependent%20on%20csv%20files%20that%20are%20picked%20up%20by%20the%20CL%20watcher%20service%20regularly).%20How%20would%20one%20create%20a%20CL%20when%20using%20a%20Data%20Collector%20api%2C%20for%20example.%20Thanks.%3C%2FP%3E%3CP%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fdata-sources-custom-logs%23defining-a-custom-log%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fazure-monitor%2Fplatform%2Fdata-sources-custom-logs%23defining-a-custom-log%3C%2FA%3E%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1180456%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Email%20Activity%20and%20Data%20Exfiltration%20Detection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1180456%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F40452%22%20target%3D%22_blank%22%3E%40Stefan%20Simon%3C%2FA%3E%26nbsp%3Bif%20you%20can%20also%20provide%20an%20exploded%20view%20of%20the%20complete%20playbook%20(like%20the%20image%20you%20have%20in%20the%20summary%20section%20but%20expanded%20out)%20it%20will%20really%20help%20someone%20like%20me%20who%20is%20new%20to%20Azure%20Sentinel%20Playbooks.%20Thanks%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BOD
Y%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1185309%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Email%20Activity%20and%20Data%20Exfiltration%20Detection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1185309%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F562301%22%20target%3D%22_blank%22%3E%40KenSilver%3C%2FA%3E%20%2C%20thanks%20for%20your%20interest%20in%20the%20article.%20I%20have%20uploaded%20JSON%20code%20from%20playbook%20into%20GitHub%20as%20well%20as%20Playbook%20screenshot%20-%20%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fstefans-cyber%2Fsentinel%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fstefans-cyber%2Fsentinel%3C%2FA%3E%3C%2FFONT%3E.%20Apologize%20for%20low%20screenshot%20quality%2C%20but%20I%20wasn't%20able%20to%20make%20it%20better%20-%20should%20be%20enough%20though%20to%20understand%20the%20concept.%20JSON%20code%20provides%20you%20schema%2C%20you%20just%20need%20to%20replace%20two%20function%20-%20%3CEM%3ERun%20Query%3C%2FEM%3E%20%3CEM%3Eand%20List%20Results%3C%2FEM%3E%20and%20%3CEM%3ESend%20Data%3C%2FEM%3E%20as%20described%20in%20the%20article.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1185783%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Email%20Activity%20and%20Data%20Exfiltration%20Detection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1185783%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F40452%22%20target%3D%22_blank%22%3E%40Stefan%20Simon%3C%2FA%3E%26nbsp%3Bfor%20updating%20the%20images%20and%20json%20code.%20I'm%20able%20to%20progress%20through%20the%20http%20action%20but%20it%20now%20errors%20on%20the%20last%20Parse%20Json%20action.%20The%20error%20is%20the%20same%20as%26nbsp%3B%3CA%20href%3D%22https
%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F559645%22%20target%3D%22_blank%22%3E%40Mahesh0212%3C%2FA%3E%26nbsp%3B%20%22ValidationFailed%3A%20The%20schema%20validation%20failed.%22%20When%20I%20click%20%22show%20raw%20outputs%22%20the%20error%20message%20is%20%22Invalid%20type.%20Expected%20String%20but%20got%20Null.%22.%20This%20error%20occurs%20on%20every%20value%20in%20the%20schema%20(ie%20Subject%2C%20MessageID%2C%20etc).%20The%20Parse%20Json%20action%20seems%20to%20have%20received%20the%20body%20from%20the%20http%20action.%20Under%20INPUTS%20in%20Parse%20JSON%2C%20I%20can%20%22click%20to%20download%22%20and%20it%20brings%20up%20the%20trace%20data%20in%20a%20new%20browser%20window.%20I'll%20continue%20to%20troubleshoot.%20Thanks.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1187126%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Email%20Activity%20and%20Data%20Exfiltration%20Detection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1187126%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F562301%22%20target%3D%22_blank%22%3E%40KenSilver%3C%2FA%3E%26nbsp%3Bwhat%20schema%20are%20you%20using%20in%20Parse_JSON%3F%20Can%20you%20verify%20it's%20the%20same%20schema%20as%20below%20please%3F%3C%2FP%3E%0A%3CDIV%3E%0A%3CDIV%3E%3CSPAN%3E%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22properties%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22odata.metadata%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22type%22%3C%2FS
PAN%3E%3CSPAN%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22string%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22value%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22items%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22properties%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22EndDate%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22type%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22string%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nb
sp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22FromIP%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22type%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22string%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22Index%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22type%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22integer%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nb
sp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22MessageId%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22type%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22string%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22MessageTraceId%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22type%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22string%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26n
bsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22Organization%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22type%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22string%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22Received%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22type%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22string%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22RecipientAddress%22%3C%2FSPAN%
3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22type%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22string%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22SenderAddress%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22type%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22string%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22Size%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E
%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22type%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22integer%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22StartDate%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22type%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22string%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22Status%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbs
p%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22type%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22string%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22Subject%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22type%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22string%22%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22ToIP%22%3C%2FSPAN%3E%3CSPAN%3E%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%0A%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp
%22%20title%3D%22httpcall.png%22%20alt%3D%22httpcall.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlso%20notice%20the%20expression%20we%20added%20for%20the%20most%20recent%20timestamp%20we%20queried%20in%20previous%20step%20and%20%3CEM%3Eutcnow()%3C%2FEM%3E%20function%20to%20refer%20to%20current%20data.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAfter%20we%20retrieve%20message%20trace%20data%2C%20we%20will%20ingest%20them%20into%20Azure%20Sentinel.%20Before%20we%20ingest%20data%2C%20we%20parse%20the%20result%20set%20from%20HTTP%20service%20query%20against%20O365%20reporting%20service%20using%20another%20Parse_JSON%20function%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22parse_json.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F171058i5906BA3C29AED28C%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22parse_json.png%22%20alt%3D%22parse_json.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EFor%20data%20ingestion%20we%20will%20be%20using%20%3CEM%3ESend%20Data%3C%2FEM%3E%20function%20from%20Log%20Analytics%20function%20list.%20Note%20that%20by%20default%20this%20function%20will%20produce%20for-each%20loop%20if%20you%20input%20%3CEM%3Earray%20%3C%2FEM%3Eas%20a%20parameter.%20As%20%3CEM%3ESend%20Data%3C%2FEM%3E%20function%20supports%20ingesting%20large%20JSON%20array%20at%20once%2C%20we%20can%20avoid%20for-each%20cycle%20(also%20each%20for-each%20cycle%20generates%20additional%20logic%20app%20cost)%2C%20and%20ingest%20all%20retrieved%20messages%20at%20once.%20To%20do%20so%20just%20add%20%E2%80%9Cvalue%E2%80%9D%20request%20into%20SendData%20action.%20You%20may%20not%20see%20%E2%80%9Cvalue%E2%80%9D%20immediately%20in%20the%20list%20of%20dynamic%20properties%20%E2%80%93%20if%20in%20this%20case%20just%20type%20into%20expression%20dialog%20%3CEM%3Ebody(%E2%80%9
8Parse_JSON%E2%80%99)%3F%5B%E2%80%98value%E2%80%99%5D%3C%2FEM%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EImportant%20note%3A%26nbsp%3B%3C%2FSTRONG%3E%3CEM%3ESend%20Data%20%3C%2FEM%3Efunction%20has%20currently%2030MB%20limit%20for%20data%20ingestion%2C%20so%20in%20case%20your%20playbook%20fails%20due%20to%20large%20data%20set%2C%20you%20can%20increase%20the%20playbook%20recurrence%20interval.%20Additionally%2C%20you%20can%20implement%20a%20logic%20that%20will%20check%20for%20message%20trace%20size%2C%20and%20if%20it's%20above%2030MB%20you%20can%20send%20alert%20(e.g.%20through%20email%20action).%20You%20can%20check%20for%20size%20through%20using%20length%20function%20(%40length(string(variables('value')))%20or%20checking%20Content-Length%20header%20from%20response.%20Both%20calculations%20may%20be%20approximate%20due%20to%20encoding%2Fstringification%20but%20should%20be%20accurate%20enough%20for%20this%20purpose.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22send_data.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F171059i95871B5C03379DCA%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22send_data.png%22%20alt%3D%22send_data.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EAnd%20here%E2%80%99s%20the%20resultset%20after%20Message%20Trace%20ingestion%20into%20EmailEvents%20table%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22resultset.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F171060iAC88129A5C645CB5%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22resultset.png%22%20alt%3D%22resultset.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--185730191
3%22%20id%3D%22toc-hId--1857301913%22%20id%3D%22toc-hId--1857301913%22%20id%3D%22toc-hId--1857301913%22%20id%3D%22toc-hId--1857301913%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22toc-hId-630210920%22%20id%3D%22toc-hId-630210920%22%20id%3D%22toc-hId-630210920%22%20id%3D%22toc-hId-630210920%22%20id%3D%22toc-hId-630210920%22%3EDetecting%20Data%20Exfiltration%3C%2FH2%3E%0A%3CP%3EAfter%20we%20have%20ingested%20data%20from%20Office%20365%20Message%20Trace%20into%20Azure%20Sentinel%2C%20we%20can%20start%20do%20querying%20and%20preparing%20security%20use%20cases.%20One%20of%20the%20common%20use%20case%20across%20organization%20is%20to%20detect%20data%20exfiltration.%20One%20indicator%20of%20data%20exfiltration%20is%20sending%20large%20amount%20of%20data%20in%20a%20short%20timeframe.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%23ff0000%22%3E%3CSTRONG%3E%3CEM%3ENote%3A%20in%20following%20queries%20please%20replace%20article's%20tenant%20name%26nbsp%3B%3CU%3Em365x175748.onmicrosoft.com%3C%2FU%3E%26nbsp%3Bwith%20your%20Office%20365%20domain%2Ftenant%20name.%20If%20you%20are%20using%20multiple%20domain%20names%2C%20for%20each%20of%20the%20domain%20add%20additional%20operator%20into%20the%20query.%3C%2FEM%3E%3C%2FSTRONG%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20detect%20data%20exfiltration%2C%20we%20will%20form%20KQL%20query%20%E2%80%93%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFirst%2C%20we%20will%20create%20query%20that%20will%20calculate%20baseline%20for%20%23of%20sent%20messages%3A%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3Elet%20sending_threshold%20%3D%20toscalar(%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%233366FF%22%3E%3CSTRONG%3EEmailEvents_CL%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20where%20Received_t%20%26gt%3B%3D%20startofday(ago(7d))%20and%20Received_t%20%26lt%3B%20startofday(now())%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20summarize%20cnt%3Dcount()%20by%20SenderAddress_s%2C%20bin
(Received_t%2C%201d)%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20summarize%20avg(cnt)%2C%20stdev(cnt)%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20project%20threshold%20%3D%20avg_cnt%2Bstdev_cnt)%3B%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3Eprint%20sending_threshold%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAfter%20sending_threshold%20is%20calculated%2C%20we%20can%20now%20form%20full%20query%20that%20will%20check%20for%20specific%20deviations%20from%20the%20threshold.%20For%20more%20details%20how%20this%20query%20was%20formulated%20check%20one%20of%20the%20recent%20Azure%20Sentinel%20webinar%20on%20rules%20creation%20at%26nbsp%3B-ERR%3AREF-NOT-FOUND-%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FSecurityWebinars%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2FSecurityWebinars%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3Elet%20sending_threshold%20%3D%20toscalar(%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CFONT%20color%3D%22%233366FF%22%3E%3CSTRONG%3EEmailEvents_CL%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20where%20Received_t%20%26gt%3B%3D%20startofday(ago(7d))%20and%20Received_t%20%26lt%3B%20startofday(now())%20and%20RecipientAddress_s%20!endswith%20%22m365x175748.onmicrosoft.com%22%20%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20summarize%20cnt%3Dcount()%20by%20SenderAddress_s%2C%20bin(Received_t%2C%201d)%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20summarize%20avg(cnt)%2C%20stdev(cnt)%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20project%20threshold%20%3D%20avg_cnt%2Bstdev_cnt)%3B%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3EEmailEvents_CL%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20where%20Received_t%20%26gt%3B%3D%20ago(1d)%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20summarize%20count()%20by%20SenderAddress_s%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20where%20count_%20%26gt%3B%20sending_threshold%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOnce%20we%20have
%20the%20query%2C%20we%20can%20create%20Sentinel%20alert%20rule%20and%20start%20being%20alerted%20about%20anomalous%20data%20exfiltration.%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1177243543%22%20id%3D%22toc-hId--1177243543%22%20id%3D%22toc-hId--1177243543%22%20id%3D%22toc-hId--1177243543%22%20id%3D%22toc-hId--1177243543%22%3EAdditional%20information%20from%20Office%20365%20Message%20Trace%3C%2FH2%3E%0A%3CP%3ETop%2010%20senders%20by%20message%20count%3A%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%233366FF%22%3E%3CSTRONG%3EEmailEvents_CL%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20summarize%20Amount%3Dcount()%20by%20SenderAddress_s%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20top%2010%20by%20Amount%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETop%2010%20recipients%20by%20message%20count%3A%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%233366FF%22%3E%3CSTRONG%3EEmailEvents_CL%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20summarize%20Amount%3Dcount()%20by%20RecipientAddress_s%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20top%2010%20by%20Amount%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMail%20Flow%20over%20time%3A%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%233366FF%22%3E%3CSTRONG%3EEmailEvents_CL%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20summarize%20count()%20by%20bin(Received_t%2C%2030m)%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20render%20timechart%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESummary%20of%20internal%2Fexternal%20inbound%20vs.%20outbound%20email%3A%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%233366FF%22%3E%3CSTRONG%3EEmailEvents_CL%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20summarize%20InternalEmail%20%3D%20countif(SenderAddress_s%20endswith%20%22m365x175748.onmicrosoft.com%22%20and%20RecipientAddress_s%20endswith%20%22m365x175748.onmicrosoft.com%22%20)%2C%20OutboundEmail%20%3D%20countif(SenderAddress_s%20endswith%20%22m365x175748.onmicrosoft.com%
22%20and%20RecipientAddress_s%20!endswith%20%22m365x175748.onmicrosoft.com%22%20)%2C%20InboundEmail%3D%20countif(SenderAddress_s%20!endswith%20%22m365x175748.onmicrosoft.com%22%20and%20RecipientAddress_s%20endswith%20%22m365x175748.onmicrosoft.com%22%20)%20by%20bin_at(Received_t%2C%201h%2C%20now())%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20render%20timechart%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETop%2010%20largest%20email%20messages%20by%20message%20size%3A%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%233366FF%22%3E%3CSTRONG%3EEmailEvents_CL%3C%2FSTRONG%3E%3C%2FFONT%3E%3CBR%20%2F%3E%3CSTRONG%3E%7C%20top%2010%20by%20Size_d%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlso%2C%20we%20can%20use%20Message%20Trace%20data%20to%20check%20if%20organization%20has%20received%20any%20e-mail%20from%20domain-like%20email%20address%20(e.g.%20contoso.com%20vs%20c0nt0so.om).%20This%20domain%20impersonation%20can%20be%20indicator%20of%20phishing%20attack.%20One%20of%20the%20option%20how%20to%20do%20it%20is%20to%20use%20the%20tool%20like%20-ERR%3AREF-NOT-FOUND-dnstwist%20(there%E2%80%99s%20also%20online%20version%20at%20-ERR%3AREF-NOT-FOUND-%3CA%20href%3D%22https%3A%2F%2Fdnstwister.report%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdnstwister.report%2F%3C%2FA%3E)%20to%20generate%20list%20of%20valid%20and%20possible%20permutations%20of%20your%20domain%2C%20store%20it%20as%20a%20lookup%20table%20and%20then%20use%20it%20in%20the%20query%20joining%20the%20data%20from%20the%20%3CEM%3EEmailEvents%3C%2FEM%3E%20table%20(more%20about%20-ERR%3AREF-NOT-FOUND-how%20to%20use%20lookup%20table%20with%20Azure%20Sentinel%3CSPAN%3E)%3C%2FSPAN%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20have%20also%20created%20sample%20workbook%20for%20security%20analysts%20based%20on%20queries%20described%20above%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%
22%20image-alt%3D%22workbook.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F171081i0B29F0E8B2AB2C85%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22workbook.png%22%20alt%3D%22workbook.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1310269290%22%20id%3D%22toc-hId-1310269290%22%20id%3D%22toc-hId-1310269290%22%20id%3D%22toc-hId-1310269290%22%20id%3D%22toc-hId-1310269290%22%3ESummary%3C%2FH2%3E%0A%3CP%3EThis%20article%20has%20demonstrated%20how%20to%20ingest%20Office%20365%20Message%20Trace%20logs%20into%20Sentinel.%20Office%20365%20Message%20Trace%20provides%20underlying%20data%20for%20various%20interesting%20security%20scenarios%20and%20use%20cases%20like%20data%20exfiltration.%20%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3EWe%20have%20uploaded%20JSON%20code%20and%20screenshot%20from%20playbook%20into%20-ERR%3AREF-NOT-FOUND-GitHub.%20Apologies%20for%20low%20screenshot%20quality%20-%20but%20it%20should%20be%20enough%20to%20understand%20the%20playbook%20concept.%20JSON%20code%20provides%20schema%2C%20you%20just%20need%20to%20replace%20two%20function%20-%20%3CEM%3ERun%20Query%20and%20List%20Results%3C%2FEM%3E%20and%20%3CEM%3ESend%20Data%3C%2FEM%3E%20as%20described%20in%20the%20article.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHere's%20also%20the%20final%20Logic%20Apps%20playbook%20for%20reference%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22playbook.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F171063i0DB2103212849C04%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22playbook.png%22%20alt%3D%22playbook.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1
169652%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Message_Tracking_O365.jpg%22%20style%3D%22width%3A%20710px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F171085i508825F3E48AD002%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Message_Tracking_O365.jpg%22%20alt%3D%22Message_Tracking_O365.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EThis%20article%20describes%20how%20to%20use%20Office%20365%20message%20trace%20to%20analyze%20email%20activity%20and%20detect%20various%20security%20use%20cases%20like%20data%20exfiltration.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOffice%20365%20Message%20Trace%20contains%20lots%20of%20information%20that%20can%20be%20useful%20for%20security%20analyst.%20While%20it%20doesn%E2%80%99t%20include%20message%20content%20itself%2C%20it%20can%20provide%20interesting%20information%20about%20mail%20flow%20in%20the%20organization.%20It%20can%20be%20also%20used%20to%20detect%20malicious%20activity%20and%20generate%20interesting%20reports%20about%20mail-flow%20(e.g%20information%20about%20bulk%20mail%2C%20spoofed%20domain%20emails%20or%20detecting%20abnormal%20rate%20of%20e-mail%20sending).%20Especially%20abnormal%20rate%20of%20e-mail%20sending%20can%20be%20used%20to%20detect%20malicious%20data%20exfiltration%20from%20the%20organization.%20In%20this%20article%20we%20will%20describe%20how%20we%20can%20use%20Office%20365%20Message%20Trace%20and%20Azure%20Sentinel%20to%20detect%20these%20security%20scenarios.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1476953%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Email%20Activity%20and%20Data%20Exfiltration%20Detection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1476953%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F40452%2
2%20target%3D%22_blank%22%3E%40Stefan%20Simon%3C%2FA%3EHi%20Stephan%2C%20many%20thanks%20for%20this%20great%20article%20you%20have%20produced.%26nbsp%3B%20I'm%20having%20a%20proble%20with%20the%20HTTP%20action%20wher%20it's%20returning%20a%20400%20error%20-%20%22The%20query%20is%20invalid%22.%26nbsp%3B%20My%20account%20is%20ok%20as%20I've%20tested%20it%20with%20Invole-WebRequest%20using%20the%20URI%20from%20the%20raw%20input%20of%20this%20action%20and%20it%20returns%20as%20200.%26nbsp%3B%20So%20is%20does%20appear%20that%20there%20is%20an%20issue%20with%20the%20query.%26nbsp%3B%20I've%20compared%20the%20query%20to%20your%20github%20code%20and%20it's%20identical%2C%20I've%20even%20copy%20your%20entire%20code%20and%20created%20a%20new%20Lofig%20App%20and%20still%20the%20same%20error.%3C%2FP%3E%3CP%3EThere%20isn't%20much%20to%20this%20action%20and%20I%20just%20can't%20see%20what%20the%20issue%20would%20be%2C%20please%20see%20below%20for%20the%20raw%20input%20and%20output%20from%20the%20HTTP%20action%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMany%20Thanks%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%7B%3CBR%20%2F%3E%22uri%22%3A%20%22%3CA%20href%3D%22https%3A%2F%2Freports.office365.com%2Fecp%2Freportingwebservice%2Freporting.svc%2FMessageTrace%3F%24filter%3DStartDate%2520eq%2520datetime'2020-05-20T12%3A42%3A17.5810703Z'%2520and%2520EndDate%2520eq%2520datetime'2020-06-19T12%3A42%3A17.9941616Z%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Freports.office365.com%2Fecp%2Freportingwebservice%2Freporting.svc%2FMessageTrace%3F%24filter%3DStartDate%2520eq%2520datetime'2020-05-20T12%3A42%3A17.5810703Z'%2520and%2520EndDate%2520eq%2520datetime'2020-06-19T12%3A42%3A17.9941616Z%3C%2FA%3E'%22%2C%3CBR%20%2F%3E%22method%22%3A%20%22GET%22%2C%3CBR%20%2F%3E%22headers%22%3A%20%7B%3CBR%20%2F%3E%22Accept%22%3A%20%22application%2Fjson%22%2C%3CBR%20%2F%3E%22Content-Type%22%3A%20%22application%2Fjson%22%3CBR%20%2F%3E%7D%2C%3CBR%20%2F%3E%22authenticati
on%22%3A%20%7B%3CBR%20%2F%3E%22username%22%3A%20%22Myaccount%40mydomain%22%2C%3CBR%20%2F%3E%22password%22%3A%20%22*sanitized*%22%2C%3CBR%20%2F%3E%22type%22%3A%20%22Basic%22%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%7D%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%7B%3CBR%20%2F%3E%22statusCode%22%3A%20400%2C%3CBR%20%2F%3E%22headers%22%3A%20%7B%3CBR%20%2F%3E%22request-id%22%3A%20%226332f49f-2fdd-4344-a072-ba2e7a8814b8%22%2C%3CBR%20%2F%3E%22X-CalculatedBETarget%22%3A%20%22CWXP265MB0119.GBRP265.PROD.OUTLOOK.COM%22%2C%3CBR%20%2F%3E%22X-BackEndHttpStatus%22%3A%20%22400%22%2C%3CBR%20%2F%3E%22X-RUM-Validated%22%3A%20%221%22%2C%3CBR%20%2F%3E%22X-RWS-Error%22%3A%20%22Microsoft.Exchange.Management.ReportingTask.InvalidExpressionException%22%2C%3CBR%20%2F%3E%22X-Content-Type-Options%22%3A%20%22nosniff%22%2C%3CBR%20%2F%3E%22DataServiceVersion%22%3A%20%223.0%3B%22%2C%3CBR%20%2F%3E%22X-RWS-Version%22%3A%20%222013-V1%22%2C%3CBR%20%2F%3E%22X-DiagInfo%22%3A%20%22CWXP265MB0119%22%2C%3CBR%20%2F%3E%22X-BEServer%22%3A%20%22CWXP265MB0119%22%2C%3CBR%20%2F%3E%22X-UA-Compatible%22%3A%20%22IE%3D10%22%2C%3CBR%20%2F%3E%22Strict-Transport-Security%22%3A%20%22max-age%3D31536000%3B%20includeSubDomains%22%2C%3CBR%20%2F%3E%22X-Proxy-RoutingCorrectness%22%3A%20%221%22%2C%3CBR%20%2F%3E%22X-Proxy-BackendServerStatus%22%3A%20%22400%22%2C%3CBR%20%2F%3E%22X-FEServer%22%3A%20%22AM6P192CA0010%22%2C%3CBR%20%2F%3E%22Cache-Control%22%3A%20%22no-store%2C%20no-cache%22%2C%3CBR%20%2F%3E%22Date%22%3A%20%22Fri%2C%2019%20Jun%202020%2012%3A42%3A18%20GMT%22%2C%3CBR%20%2F%3E%22Server%22%3A%20%22Microsoft-IIS%2F10.0%22%2C%3CBR%20%2F%3E%22X-AspNet-Version%22%3A%20%224.0.30319%22%2C%3CBR%20%2F%3E%22X-Powered-By%22%3A%20%22ASP.NET%22%2C%3CBR%20%2F%3E%22Content-Length%22%3A%20%22102%22%2C%3CBR%20%2F%3E%22Content-Type%22%3A%20%22application%2Fjson%3B%20odata%3Dminimalmetadata%3B%20streaming%3Dtrue%3B%20charset%3Dutf-8%22%3CBR%20%2F%3E%7D%2C%3CBR%20%2F%3E%22body%22%3A%20%7B%3CBR%20%2F%
3E%22odata.error%22%3A%20%7B%3CBR%20%2F%3E%22code%22%3A%20%22InvalidQueryException%22%2C%3CBR%20%2F%3E%22message%22%3A%20%7B%3CBR%20%2F%3E%22lang%22%3A%20%22%22%2C%3CBR%20%2F%3E%22value%22%3A%20%22The%20query%20is%20invalid.%22%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%7D%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1809656%22%20slang%3D%22en-US%22%3ERe%3A%20Office%20365%20Email%20Activity%20and%20Data%20Exfiltration%20Detection%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1809656%22%20slang%3D%22en-US%22%3E%3CP%3Ei%20get%20this%20error%20when%20i%20run%20the%20logic%20app%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%7B%3CBR%20%2F%3E%22odata.error%22%3A%20%7B%3CBR%20%2F%3E%22code%22%3A%20%22UnknownError%22%2C%3CBR%20%2F%3E%22message%22%3A%20%7B%3CBR%20%2F%3E%22lang%22%3A%20%22%22%2C%3CBR%20%2F%3E%22value%22%3A%20%22An%20error%20has%20occurred%20on%20the%20server.%22%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%7D%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethis%20happens%20during%20the%20http%20api%20call.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Version history
Last update: Jun 03 2020 07:52 AM
Updated by: