O365 Email integration question


L4 Transporter

Hi

Anyone done O365 email ingestion with no adv email security license?

Having a hard time with the PAN documentation as a lot of the Azure naming conventions seem to have changed.

Q1 - If just using the O365 data source and enabling the 'Exchange Online' option, will this be enough, or do I need a separate O365 email collector to deploy (of which I can find no documentation on the process)?

The use case ultimately will be to detect and manage phishing emails.

Thanks in adv.

 


L4 Transporter

Hello @PA_nts ,

 

Greetings for the day.

 

Yes, you can ingest Microsoft 365 email data into Cortex XSIAM without an Advanced Email Security (AES) license, but there are important functional differences in terms of email content visibility and detection capabilities.

 

1. Collector Requirements (Q1 Answer)

To ingest email data for phishing analysis, enabling the Exchange Online option in the legacy Office 365 data source is not sufficient and is now deprecated for email collection.

Instead, you must use the dedicated Microsoft 365 data collector, which was introduced in XSIAM 2.4 as the supported collector for email data. This collector uses the Microsoft Graph API to retrieve detailed email metadata.

  • Office 365 Collector:
    Primarily collects audit logs and sign-in activity, which are populated in the msft_o365_exchange_online_raw dataset.

  • Microsoft 365 Collector:
    Designed specifically for email-related data and populates the msft_o365_emails_raw dataset.

 

2. Ingestion Without an AES License

The Microsoft 365 collector will function without the Advanced Email Security license, but data visibility is limited.

  • Without an AES License:
    Only email metadata is ingested, such as sender, recipient, timestamps, and headers. Email bodies, subjects, and attachment contents remain hidden or encrypted and are not available for XQL searches or deep analysis.

  • With an AES License:
    Full email content, including message bodies and attachments, becomes available for advanced threat detection and analysis.

Important Licensing Note:
Even without the AES license, ingested email data volume (including protected email telemetry) still counts toward your overall Cortex XSIAM Pro Per GB ingestion usage.

 

3. Use Case: Detecting and Managing Phishing

Without the AES license, phishing detection is limited to metadata-based indicators, such as suspicious senders, abnormal sending patterns, or unusual timestamps. Advanced phishing detection that requires inspecting email content, embedded URLs, or attachments generally requires the Advanced Email Security license.

 

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar
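Metadata-only phishing triage of the kind the reply describes, as an added example that is not part of the original thread and not Palo Alto Networks code. It runs in Python over a few constructed message records containing only header-level metadata (no bodies, subjects or attachments). The record field names (from, return_path, recipients, hour), the trusted-domain list and the brand keywords are assumptions for illustration and are not the schema of msft_o365_emails_raw; the logic would have to be mapped onto the real dataset fields, or rewritten as an XQL query, before use.

```python
"""Metadata-only phishing triage over constructed M365 email metadata.

Added example, not Palo Alto Networks code. Field names are constructed for
illustration and are NOT the schema of msft_o365_emails_raw.
"""
from collections import defaultdict
from email.utils import parseaddr
from typing import Optional

# Assumption: domains this tenant owns or treats as trusted brands.
TRUSTED_DOMAINS = {"contoso.com", "microsoft.com"}
# Assumption: display-name words that suggest brand/IT impersonation.
BRAND_KEYWORDS = {"contoso", "microsoft", "it support", "helpdesk"}
# Cheap homoglyph normalisation for lookalike domains (0->o, 1->l, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample records: header metadata only, hour in tenant-local time.
SAMPLE_EMAILS = [
    {"id": 1, "from": "Alice <alice@contoso.com>", "return_path": "alice@contoso.com",
     "recipients": ["bob@contoso.com"], "hour": 10},
    {"id": 2, "from": "Microsoft Support <billing@micros0ft-secure.net>",
     "return_path": "bounce@mailer.example", "recipients": ["bob@contoso.com"], "hour": 3},
    {"id": 3, "from": "IT Helpdesk <helpdesk@contoso-login.com>",
     "return_path": "helpdesk@contoso-login.com",
     "recipients": ["bob@contoso.com", "carol@contoso.com", "dave@contoso.com"], "hour": 9},
    {"id": 4, "from": "newsletter@vendor.example", "return_path": "bounces@mailer.example",
     "recipients": ["bob@contoso.com"], "hour": 14},
]


def domain_of(header_value: str) -> str:
    """Lowercase domain of an RFC 5322 address header value, or '' if none."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; used to catch one-character domain typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: set) -> Optional[str]:
    """Trusted domain that `domain` imitates, or None if trusted/unrelated."""
    if domain in trusted:
        return None
    base = domain.split(".")[0].translate(HOMOGLYPHS).replace("rn", "m")
    for t in trusted:
        tbase = t.split(".")[0]
        if base == tbase or levenshtein(base, tbase) <= 1 or base.startswith(tbase + "-"):
            return t
    return None


def indicators(rec: dict) -> list:
    """Per-message indicators derivable from headers alone."""
    found = []
    from_dom, rp_dom = domain_of(rec["from"]), domain_of(rec["return_path"])
    name = parseaddr(rec["from"])[0].lower()
    if any(k in name for k in BRAND_KEYWORDS) and from_dom not in TRUSTED_DOMAINS:
        found.append("display name impersonates trusted brand from external domain")
    imitated = lookalike_of(from_dom, TRUSTED_DOMAINS)
    if imitated:
        found.append(f"lookalike domain {from_dom} -> {imitated}")
    if from_dom and rp_dom and from_dom != rp_dom:
        found.append("From/Return-Path domain mismatch")
    if rec["hour"] < 6:  # assumption: tenant business hours start at 06:00
        found.append("sent outside business hours")
    return found


def burst_senders(records: list, min_recipients: int = 3) -> set:
    """Sender addresses that hit at least min_recipients distinct mailboxes."""
    seen = defaultdict(set)
    for r in records:
        seen[parseaddr(r["from"])[1].lower()].update(x.lower() for x in r["recipients"])
    return {s for s, rcpts in seen.items() if len(rcpts) >= min_recipients}


def triage(records: list, min_recipients: int = 3) -> dict:
    """Map message id -> indicator list; clean messages are omitted."""
    bursts = burst_senders(records, min_recipients)
    out = {}
    for r in records:
        found = indicators(r)
        if parseaddr(r["from"])[1].lower() in bursts:
            found.append("sender burst to many recipients")
        if found:
            out[r["id"]] = found
    return out


if __name__ == "__main__":
    for msg_id, hits in triage(SAMPLE_EMAILS).items():
        print(msg_id, hits)
```

Message 4 shows why these indicators need weighting rather than alerting on any single hit: a From/Return-Path domain mismatch on its own is normal for legitimate bulk mailers, whereas the combination of a brand-like display name, a lookalike sender domain and a burst to many mailboxes (message 3) is a much stronger signal. The off-hours check assumes the hour field is already in the tenant's local time zone.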

L4 Transporter


Thanks Susekar,

Yeah, managed to work it out eventually. Will integrate M365 without the EAS license and work on what we can see... Ultimately will have to look at the EAS license if the client wants that level of detection.

Regards

