
How can I make a copy of the App and replace microsoft_trace_url to use MailDetailMalware API?

dpanych
Communicator

Currently I'm using the App and it's pulling Message Trace events successfully. I want to make a second copy of the App and replace microsoft_trace_url to use **https://reports.office365.com/ecp/reportingwebservice/reporting.svc/MailDetailMalware?** and would also like to change the Sourcetype to **ms:o365:reporting:maildetailmalware**. The MailDetailMalware API works the same as the MessageTrace API, so no other changes need to be made to the script. I tried making a copy of the App, renaming any content/scripts/variables/filenames that mention message_trace or messagetrace to a different variant, and it still did not work. This is my first time modifying a Splunk App that was built with the Add-on Builder, so I'm not 100% sure all that needs to be modified. I know the URL is modified in input_module_ms_o365_message_trace.py, but I'm not sure about the Sourcetype. Like I said, I've tried renaming the App and its content so that I can run the two apps side by side, but was not successful. It seemed to error because of duplicate (maybe?) app IDs.

@jconger - Any advice?


jconger
Splunk Employee

The easiest way to do this is to create a new add-on using the Add-on Builder. This way, your changes will not get wiped out when new versions of the existing add-on get released. Here are the steps at a high level:

  1. Download and install the Splunk Add-on Builder
  2. Create a new add-on
  3. Create an input for your add-on. Specify that the input will use your own Python code.
  4. Specify parameters for your input (use the same ones as the O365 reporting add-on if you like)
  5. Copy the contents of the input_module_ms_o365_message_trace.py and paste them into the code window in the add-on builder.
  6. Make any changes necessary.
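One way to lay out the pasted input module so that the report URL and the sourcetype are the only two things that change between the MessageTrace copy and the MailDetailMalware copy, as an added example (not the O365 reporting add-on's own code). It assumes the Add-on Builder helper's send_http_request/new_event calls, an OData v2 JSON envelope, and the StartDate/EndDate filter form used by the MessageTrace report; the stand-in helper and writer are constructed so it runs offline.

```python
import json
import datetime

# Assumed values: the two things the question says must change for the copy.
REPORT_URL = ("https://reports.office365.com/ecp/reportingwebservice/"
              "reporting.svc/MailDetailMalware")
SOURCETYPE = "ms:o365:reporting:maildetailmalware"

def build_query(start, end):
    """OData parameters for the reporting web service (filter form assumed from MessageTrace)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return {"$format": "Json", "$filter": "StartDate eq datetime'%s' and EndDate eq datetime'%s'"
            % (start.strftime(fmt), end.strftime(fmt))}

def collect_events(helper, ew, start, end):
    """Add-on Builder style entry point: writes one Splunk event per report row."""
    resp = helper.send_http_request(REPORT_URL, "GET", parameters=build_query(start, end),
                                    headers={"Accept": "application/json"})
    rows = resp.json().get("d", {}).get("results", [])  # OData v2 envelope, assumed
    for row in rows:
        row.pop("__metadata", None)  # drop OData bookkeeping before indexing
        ew.write_event(helper.new_event(data=json.dumps(row), source=REPORT_URL,
                                        sourcetype=SOURCETYPE))
    return len(rows)

# Constructed offline stand-ins for the Add-on Builder helper and event writer.
class _Resp:
    def __init__(self, body): self._body = body
    def json(self): return self._body
class FakeHelper:
    """Records the request and returns a constructed two-row MailDetailMalware response."""
    def __init__(self): self.requests = []
    def send_http_request(self, url, method, parameters=None, headers=None):
        self.requests.append((url, method, parameters))
        return _Resp({"d": {"results": [
            {"__metadata": {}, "MessageId": "<a@example.test>", "MalwareName": "Constructed/Sample.A"},
            {"__metadata": {}, "MessageId": "<b@example.test>", "MalwareName": "Constructed/Sample.B"}]}})
    def new_event(self, data, source=None, sourcetype=None):
        return {"data": data, "source": source, "sourcetype": sourcetype}

class FakeWriter:
    def __init__(self): self.events = []
    def write_event(self, event): self.events.append(event)

def run_offline():
    """Exercise collect_events against the stand-ins; returns (count, requests, events)."""
    helper, ew = FakeHelper(), FakeWriter()
    end = datetime.datetime(2024, 1, 2, 0, 0, 0)
    n = collect_events(helper, ew, end - datetime.timedelta(hours=1), end)
    return n, helper.requests, ew.events
```

In the real add-on the Add-on Builder supplies helper and ew; the module-level URL and sourcetype are what you change when pasting the code into the second add-on.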