Microsoft Office 365 Message Trace

The IBM QRadar Microsoft Office 365 Message Trace DSM collects JSON events from Microsoft Message Trace by using the Office 365 Message Trace API protocol.

To integrate Microsoft Message Trace API with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download the most recent version of the following RPMs from the IBM® support website (http://www.ibm.com/support):
    • Microsoft Office 365 Message Trace DSM RPM
    • Protocol Common RPM
    • Office 365 Message Trace API protocol RPM
  2. Add a Microsoft Office 365 Message Trace log source by using the Office 365 Message Trace REST API protocol on the QRadar Console. Basic authentication has been removed and is no longer supported; the Office 365 Message Trace REST API protocol now supports only modern authentication, which uses OAuth 2.0 to authenticate and authorize access to the resource.
    Important: As of 1 January 2023, Microsoft will no longer support basic authentication. To continue receiving Message Trace events, you must use modern authentication. Modern authentication uses OAuth 2.0 to authenticate and authorize access to the events. For more information about the deprecation of basic authentication, see Basic Authentication Deprecation in Exchange Online – September 2022 Update (https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-deprecation-in-exchange-online-september/ba-p/3609437).
    Important: Microsoft has announced the deprecation of the legacy Message Trace Reporting Web Service in Microsoft Exchange Online, with deprecation beginning March 18, 2026. To maintain compatibility with this change, the Message Trace integration in IBM QRadar has been updated to use the new Message Trace API. You must update to the latest protocol version to continue receiving Message Trace events. Failure to upgrade before the deprecation may result in Message Trace logs no longer being collected. For more information, see Announcing General Availability (GA) of the New Message Trace in Exchange Online (https://techcommunity.microsoft.com/blog/exchange/announcing-general-availability-ga-of-the-new-message-trace-in-exchange-online/4420243).
    Exception for GCC, GCC-High, DoD, and Sovereign Cloud Customers:
    The new Message Trace API is currently only available for worldwide (WW) environments. As stated by Microsoft: "Please note that this timeline applies to our WW environment only and does not affect GCC, GCC-High, DOD, or other sovereign clouds. Timeline for GCC, GCC-High, DoD, and other sovereign clouds will be provided in CY25H2."
    If you are a GCC, GCC-High, DoD, or sovereign cloud customer, you must continue using the following RPM versions:
    • Protocol: 7.5.0-QRADAR-PROTOCOL-Office365MessageTraceRESTAPI-7.5-20250213060632.noarch.rpm
    • DSM: 7.5.0-QRADAR-DSM-MicrosoftOffice365MessageTrace-7.5-20260113065949.noarch.rpm

    Do not upgrade to newer versions until Microsoft officially releases MessageTraceV2 support for your cloud environment.

    To prevent automatic upgrades, go to Auto Update and select Check for Updates. If newer MessageTrace RPMs appear, highlight them and choose the option to hide those updates.
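
For GCC, GCC-High, DoD, and sovereign cloud deployments, the following added example (not IBM code) checks RPM filenames against the two pinned builds listed above and flags any that are newer. It assumes the trailing 14-digit field of the filename is a build stamp that increases with newer builds; the function names are hypothetical.

```shell
# Pinned builds, copied from the page (GCC, GCC-High, DoD, sovereign clouds).
PINNED_RPMS="7.5.0-QRADAR-PROTOCOL-Office365MessageTraceRESTAPI-7.5-20250213060632.noarch.rpm
7.5.0-QRADAR-DSM-MicrosoftOffice365MessageTrace-7.5-20260113065949.noarch.rpm"

# Split "<prefix>-<build>.noarch.rpm" into "<prefix> <build>".
# Assumption: the trailing 14-digit field is a build stamp that sorts by age.
split_rpm_name() (
    name=${1##*/}                       # drop any directory part
    case $name in *.noarch.rpm) ;; *) exit 1 ;; esac
    stem=${name%.noarch.rpm}
    build=${stem##*-}
    prefix=${stem%-*}
    case $build in ''|*[!0-9]*) exit 1 ;; esac
    [ "${#build}" -eq 14 ] && [ "$prefix" != "$stem" ] || exit 1
    printf '%s %s\n' "$prefix" "$build"
)

# Classify one RPM filename: pinned | newer | older | unrelated | unparsed.
check_pin() (
    parsed=$(split_rpm_name "$1") || { echo unparsed; exit 0; }
    cand_prefix=${parsed% *}; cand_build=${parsed##* }
    for pin in $PINNED_RPMS; do
        parsed=$(split_rpm_name "$pin") || continue
        [ "$cand_prefix" = "${parsed% *}" ] || continue
        pin_build=${parsed##* }
        if [ "$cand_build" -eq "$pin_build" ]; then echo pinned
        elif [ "$cand_build" -gt "$pin_build" ]; then echo newer
        else echo older; fi
        exit 0
    done
    echo unrelated                      # not one of the two pinned packages
)

# Print a verdict per file; exit status 1 if any file is newer than its pin.
audit_rpms() (
    rc=0
    for f in "$@"; do
        verdict=$(check_pin "$f")
        printf '%-9s %s\n' "$verdict" "$f"
        if [ "$verdict" = newer ]; then rc=1; fi
    done
    exit "$rc"
)

# Constructed sample: the pinned DSM plus a made-up later protocol build.
audit_rpms \
    7.5.0-QRADAR-DSM-MicrosoftOffice365MessageTrace-7.5-20260113065949.noarch.rpm \
    7.5.0-QRADAR-PROTOCOL-Office365MessageTraceRESTAPI-7.5-20990101000000.noarch.rpm \
    || echo "hide the newer MessageTrace RPMs in Auto Update"
```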