Append 2 searches together in o365 to show if a file share has been deleted

nathanluke86
Communicator

I have a search query to display external file shares that are active (SharePoint/OneDrive).
This is working and shows us when file shares to third parties are still active.

index=o365 file_path=* user=urn* OR TargetUserOrGroupType=Guest
| fillnull value="-"
| dedup UniqueSharingId TargetUserOrGroupName
| where NOT Operation=="RemovedFromSecureLink"
| stats latest(_time) by user Operation file_path file_name vendor_product TargetUserOrGroupName UniqueSharingId

The issue we have is that if a user just deletes the file share folder (so it is no longer an active share), the dashboard still displays the share as active.
I need to append the following search and match to the unique sharing location to display if the file/folder has been deleted:

index=o365 Operation=FileDeleted

TIA


rupkumar4sec
Path Finder

You can use a subsearch to ignore the deleted files from the results. Something like:

index=o365 file_path=* user=urn* OR TargetUserOrGroupType=Guest NOT
[ search index=o365 Operation=FileDeleted
| table file_path,file_name ]
| fillnull value="-"
| dedup UniqueSharingId TargetUserOrGroupName
| where NOT Operation=="RemovedFromSecureLink"
| stats latest(_time) by user Operation file_path file_name vendor_product TargetUserOrGroupName UniqueSharingId

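An alternative that surfaces the deletion instead of hiding it, written as an added example rather than either poster's query: it pulls share and deletion events in one search and uses eventstats to attach the latest FileDeleted/FolderDeleted time to every share on the same path, which also sidesteps the row limit that a NOT [ ... ] subsearch is subject to. The field names share_key, is_delete, deleted_time, status and last_seen are made up here, the parentheses make the urn*/Guest condition explicit, and FolderDeleted is included on the assumption that a deleted share folder is logged under that operation.

```spl
index=o365 ((file_path=* (user=urn* OR TargetUserOrGroupType=Guest)) OR Operation=FileDeleted OR Operation=FolderDeleted)
| fillnull value="-"
| eval share_key=file_path."/".file_name
| eval is_delete=if(Operation=="FileDeleted" OR Operation=="FolderDeleted", 1, 0)
| eventstats max(eval(if(is_delete==1, _time, null()))) as deleted_time by share_key
| where is_delete==0 AND NOT Operation=="RemovedFromSecureLink"
| eval status=if(isnotnull(deleted_time) AND deleted_time>_time, "deleted", "active")
| dedup UniqueSharingId TargetUserOrGroupName
| stats latest(_time) as last_seen, latest(status) as status, latest(deleted_time) as deleted_time by user Operation file_path file_name vendor_product TargetUserOrGroupName UniqueSharingId
| fieldformat last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| fieldformat deleted_time=strftime(deleted_time, "%Y-%m-%d %H:%M:%S")
```

A share that was re-created after a deletion stays "active" because only deletions later than the share event count, and appending `| where status=="deleted"` turns the same search into a list of shares that now point at removed content.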