topic Email_data dataset empty in Cortex XDR Discussions

Email_data dataset empty

RMaudsley — Thu, 20 Jun 2024 23:30:36 GMT

Hi all, have been digging into our Cortex tenant and noticed that the email_data dataset has no data. Our emails come from Microsoft Exchange online. To get data to this dataset is it just having a compliance mailbox set up in exchange? We already have a connector to M365 and I can see data in the dataset msft_o365_exchange_online_raw but we haven't set up a compliance mailbox yet so I am assuming this may be the reason email_data is empty. Can anyone confirm?

Thanks in advance for any help.

Re: Email_data dataset empty

jmazzeo — Fri, 21 Jun 2024 12:25:03 GMT

Hi, thanks for reaching us using the Live Community.

The O365 emails goes to the "msft_o365_emails_raw" dataset, please check that one if you have something there. The "email_data" dataset is an internal default dataset.

You can take a look at this doc for more details about the Office 365 integration, including the steps required on the Microsoft side.

If this post answers your question, please mark it as the solution.