https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/o365-email-integration-question/m-p/1247887#M330 <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Tue, 10 Feb 2026 18:32:33 GMT susekar 2026-02-10T18:32:33Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/o365-email-integration-question/m-p/1246714#M312 <P>Hi</P> <P>Anyone done o365 email ingestion with no adv email security license?</P> <P>having a hard time with the pan documentation as alot of the azure naming conventions seems to have changed.</P> <P>&nbsp;</P> <P>q1 - if just using the o365 datasource and enabling the 'exchange online' option, will this be enough or do i need a separate 0365 email collector to deploy (of which i can find no documentation on the process)</P> <P>&nbsp;</P> <P>the use case ultimately will be do detect and manage phishing emails.</P> <P>&nbsp;</P> <P>thanks in adv.</P> <P>&nbsp;</P> Tue, 27 Jan 2026 10:18:27 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/o365-email-integration-question/m-p/1246714#M312 PA_nts 2026-01-27T10:18:27Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/o365-email-integration-question/m-p/1247872#M323 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/306035">@PA_nts</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P>Yes, you can ingest <STRONG>Microsoft 365 email data</STRONG> into <STRONG>Cortex XSIAM</STRONG> without an <STRONG>Advanced Email Security (AES)</STRONG> license, but there are important functional differences in terms of email content visibility and detection capabilities.</P> <P>&nbsp;</P> <H4>1. Collector Requirements (Q1 Answer)</H4> <P>To ingest email data for phishing analysis, enabling the <STRONG>Exchange Online</STRONG> option in the legacy <STRONG>Office 365</STRONG> data source is not sufficient and is now deprecated for email collection.</P> <P>Instead, you must use the dedicated <STRONG>Microsoft 365 data collector</STRONG>, which was introduced in <STRONG>XSIAM 2.4</STRONG> as the supported collector for email data. This collector uses the <STRONG>Microsoft Graph API</STRONG> to retrieve detailed email metadata.</P> <UL> <LI> <P><STRONG>Office 365 Collector:</STRONG><BR />Primarily collects audit logs and sign-in activity, which are populated in the <CODE>msft_o365_exchange_online_raw</CODE> dataset.</P> </LI> <LI> <P><STRONG>Microsoft 365 Collector:</STRONG><BR />Designed specifically for email-related data and populates the <CODE>msft_o365_emails_raw</CODE> dataset.</P> </LI> </UL> <P>&nbsp;</P> <H4>2. Ingestion Without an AES License</H4> <P>The Microsoft 365 collector will function without the <STRONG>Advanced Email Security</STRONG> license, but data visibility is limited.</P> <UL> <LI> <P><STRONG>Without an AES License:</STRONG><BR />Only email metadata is ingested, such as sender, recipient, timestamps, and headers. Email bodies, subjects, and attachment contents remain hidden or encrypted and are not available for XQL searches or deep analysis.</P> </LI> <LI> <P><STRONG>With an AES License:</STRONG><BR />Full email content, including message bodies and attachments, becomes available for advanced threat detection and analysis.</P> </LI> </UL> <P><STRONG>Important Licensing Note:</STRONG><BR />Even without the AES license, ingested email data volume (including protected email telemetry) still counts toward your overall <STRONG>Cortex XSIAM Pro Per GB</STRONG> ingestion usage.</P> <P>&nbsp;</P> <H4>3. Use Case: Detecting and Managing Phishing</H4> <P>Without the AES license, phishing detection is limited to <STRONG>metadata-based indicators</STRONG>, such as suspicious senders, abnormal sending patterns, or unusual timestamps. Advanced phishing detection that requires inspecting email content, embedded URLs, or attachments generally requires the <STRONG>Advanced Email Security</STRONG> license.</P> <P>&nbsp;</P> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Tue, 10 Feb 2026 13:52:36 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/o365-email-integration-question/m-p/1247872#M323 susekar 2026-02-10T13:52:36Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/o365-email-integration-question/m-p/1247876#M326 <P><BR />Thanks Susekar,</P> <P>yeah managed to work it out eventually. will integrate M365 without EAS license and work on what we can see... ultimately will have to look at the eas license if the client wants that level of detection..&nbsp;</P> <P>regards</P> Tue, 10 Feb 2026 14:20:08 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/o365-email-integration-question/m-p/1247876#M326 PA_nts 2026-02-10T14:20:08Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/o365-email-integration-question/m-p/1247887#M330 <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Tue, 10 Feb 2026 18:32:33 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/o365-email-integration-question/m-p/1247887#M330 susekar 2026-02-10T18:32:33Z