Dashboards & Visualizations

XML parsing - O365

sturner205
New Member

Afternoon! I'm new to Admin'ing Splunk but was a happy user. I was given an XML output file from O365 and even after reading the 14 other XML questions on the Q&A boards I still need help.

The data is ugly and when I try to ingest it into Splunk via CSV format, Splunk sees "\x00 \x00 \x00 \x00 \x00 \x00 \x00<". I've researched spath and other methods you guys have detailed out in the other answers but no luck. I've also tried to sort the XML as a CSV, manually breaking up the data but it's very slow going.

Here's an excerpt of the log:

Event MailboxGuid="########-####-####-####-############" Owner="Schmoe, Joe J." LastAccessed="2018-04-17T19:08:45+00:00" Operation="FolderBind" OperationResult="Succeeded" LogonType="Admin" FolderId="################################################################" FolderPathName="\Files" ClientInfoString="Client=REST;;" ClientIPAddress="::1" InternalLogonType="Admin" MailboxOwnerUPN="Joe.Schmoe@emailgoeshere.com" MailboxOwnerSid="S-1-5-##-##########-########-##########-#######" LogonUserDisplayName="NT AUTHORITY\SYSTEM" LogonUserSid="S-1-#-##" OriginatingServer="MachineNameHere (##.##.####.###)" />

I see the potential fields, being most concerned with "Owner", "LastAccessed", "LogonType", "ClientIPAddress", & "LogonUserDisplayName".

Thanks!

0 Karma
1 Solution

jconger
Splunk Employee
Splunk Employee

This data looks like it may be from the Office 365 Management Activity API. If so, you could use the Splunk Add-on for Microsoft Cloud Services to gather this data automatically.

But, to answer your question directly, you could import this data as-is since it is in key=value format.

View solution in original post

0 Karma

jconger
Splunk Employee
Splunk Employee

This data looks like it may be from the Office 365 Management Activity API. If so, you could use the Splunk Add-on for Microsoft Cloud Services to gather this data automatically.

But, to answer your question directly, you could import this data as-is since it is in key=value format.

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...