Overview
To help protect you from data loss, you can use Code42 to investigate attachments sent through users' Microsoft Office 365 Outlook email accounts or mailboxes.
When you add Microsoft Office 365 as a data connection, you must authorize Code42 as a registered client API using your administrator account. Once connected, Code42 monitors your organization's email environment from that point forward to collect information about all attachments emailed by monitored users. That attachment file information then becomes available in Forensic Search for investigation.
This article explains how to add Microsoft Office 365 email as a data connection.
Considerations
See also the considerations applicable to all email services.
Before you begin
Before you connect Code42 to Microsoft Office 365 email, complete these steps:
- Verify that the users you want to monitor are active users that have an Exchange email account or mailbox in your Microsoft environment.
- Plan user or group scoping to identify the users you want the Code42 connection to monitor.
Connect Code42 to Microsoft Office 365 email
- Sign in to the Code42 console.
- Select Administration > Integrations > Data Connections.
- Click Add data connection.
  The Add data connection panel opens.
- From Data connection, select Microsoft Office 365 under Email services.
- Enter a display name. This name must be unique.
- Select the scope of email users in your Microsoft Office 365 environment to monitor:
  - All: Monitors all email users with Office 365 mailboxes in your environment.
  - Specific users: Monitors only the Office 365 mailboxes for the email users you designate.
    - Click Upload .CSV file.
    - Select the scoping CSV file that contains a list of only those Office 365 email user accounts that you want to monitor.
  - Specific groups: Monitors only the mailboxes of the email users in the Office 365 groups you designate.
    - Click Upload .CSV file.
    - Select the scoping CSV file that contains a list of Office 365 groups whose user mailboxes you want to monitor.
- Click Authorize.
  The Microsoft Office 365 sign in screen appears.
- Enter your Microsoft Office 365 administrator credentials.
- Review the terms and agreements, including the requested Office 365 email permissions, and click Accept.
Microsoft Office 365 is added to the Data Connections list as an email data connection.
The next time that an attachment is emailed by a monitored user, information about that file is recorded as an event by Code42. For details, see Attachment metadata below.
Attachment metadata
Once you complete authorization, information about email attachments becomes available in Code42 Forensic Search. When an attachment is emailed by a monitored user, information about that attachment is sent to Code42. This attachment information includes the following:
- Filename
- Hash, when available
- Email address of the sender and recipients
By default, the Microsoft Office 365 email data connection does not collect file attachment contents. File contents are only available for download if the insider risk agent observed and collected the same file in a separate event.
Email attachment information typically becomes available in Forensic Search results within 30 minutes, but may take longer in some cases.
The Date Observed for the event indicates the date and time the attachment was emailed through Microsoft Office 365, not when the file event appeared in Code42. For more information on the specific metadata and file events visible in Forensic Search, see the File event metadata reference.
Troubleshooting
Issues in your Microsoft Office 365 email environment can cause errors with the Code42 connection. When such issues occur, the connection in the Data Connections table is highlighted in red and an error message is displayed at the top of the screen. When this occurs, click the connection in the Data Connections table. The detail panel opens and lists the specific error so that you can resolve it.
External resources
Microsoft documentation: Compare Exchange Online plans