I have O365 logs in Splunk. I want to find all shared files/folders and display the sensitivity labels of these files.
All the valuable information is in the same sourcetype (sourcetype="o365:management:activity") but in separate log rows (events).
I want to see on my dashboard:
CreationTime; ObjectId; Operation; SensitivityLabelId; Location; ProcessName; ProductVersion
Here are the two relevant events side by side (left: the OneDrive sharing event; right: the AIP event carrying the label):

| Event 1 ("Workload": "OneDrive") | Event 2 ("Workload": "Aip") |
|---|---|
| "CreationTime": "2021-05-06T20:19:44" | "ApplicationName": "Microsoft Azure Information Protection Word Add-In" |
| "EventData": "<Type>Edit</Type><MembersCanShareApplied>False</MembersCanShareApplied>" | "Location": "On-premises SharePoint" |
| "EventSource": "SharePoint" | "ProcessName": "WINWORD" |
| "ItemType": "File" | "ProductVersion": "2.9.116.0" |
| "ObjectId": "https://[FILE_FULL_PATH]/TEST_SHARE_ANYONE_WITH_THE_LINK.docx" | "CreationTime": "2021-05-06T20:13:57" |
| "Operation": "AnonymousLinkCreated" | "DataState": "Use" |
| "RecordType": 14 | "ObjectId": "https://[FILE_FULL_PATH]/TEST_SHARE_ANYONE_WITH_THE_LINK.docx" |
| "SiteUrl": "[MY_PERSONAL_DRIVE]" | "Operation": "Access" |
| "SourceFileExtension": "docx" | "ProtectionEventData": {"IsProtected": true |
| "SourceFileName": "TEST_SHARE_ANYONE_WITH_THE_LINK.docx" | "ProtectionOwner": "test@mail.com" |
| "SourceRelativeUrl": "[PATH]/TEST_SHARE_ANYONE_WITH_THE_LINK.docx" | "ProtectionType": "Template" |
| "UserId": "test@mail.com" | "SensitiveInfoTypeData": [] |
| "Workload": "OneDrive" | "SensitivityLabelEventData": {"SensitivityLabelId": "70fd9a0e-0d31-4c8e-9c48-fa8ba4ec32c0"} |
| | "UserId": "test@mail.com" |
| | "UserKey": "test@mail.com" |
| | "UserType": 0 |
| | "Version": 1 |
| | "Workload": "Aip" |
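One way to correlate the two events, as an added example that is not part of the original post: the sharing event and the AIP event share the same `ObjectId` (the full file URL), so a `stats ... BY ObjectId` can merge the sharing operation from the OneDrive/SharePoint event with the label, location, process and version from the AIP event. The search assumes Splunk has auto-extracted the JSON fields (nested ones as dotted names such as `SensitivityLabelEventData.SensitivityLabelId`); the `coalesce` lines cover the case where `ProcessName`, `ProductVersion` and `Location` are nested under a `Common` object in your extraction, and the list of sharing operations goes beyond the single `AnonymousLinkCreated` shown above (it names the other SharePoint/OneDrive sharing audit operations, trim it to what you need).

```spl
sourcetype="o365:management:activity"
    (
      (Workload IN ("OneDrive","SharePoint")
        AND Operation IN ("AnonymousLinkCreated","SecureLinkCreated","CompanyLinkCreated",
                          "SharingSet","SharingInvitationCreated","AddedToSecureLink"))
      OR (Workload="Aip" AND Operation="Access")
    )
| eval ObjectId=lower(ObjectId)
| eval ProcessName=coalesce(ProcessName, 'Common.ProcessName'),
       ProductVersion=coalesce(ProductVersion, 'Common.ProductVersion'),
       Location=coalesce(Location, 'Common.Location'),
       SensitivityLabelId='SensitivityLabelEventData.SensitivityLabelId'
| stats min(CreationTime) AS CreationTime,
        values(eval(if(Workload!="Aip", Operation, null()))) AS Operation,
        values(SensitivityLabelId) AS SensitivityLabelId,
        values(Location) AS Location,
        values(ProcessName) AS ProcessName,
        values(ProductVersion) AS ProductVersion
  BY ObjectId
| where isnotnull(Operation)
| table CreationTime ObjectId Operation SensitivityLabelId Location ProcessName ProductVersion
| sort - CreationTime
```

Two caveats to keep in mind when reading the result: the label comes from whatever AIP `Access` event the file produced, so a file that was shared but never opened through the AIP client in the search window shows an empty `SensitivityLabelId` rather than "no label", and the correlation key is the exact `ObjectId` string, so if your AIP events log a different path form than the sharing events (for example a local or synced path) the two rows will not merge and you will need a different normalisation than `lower()`.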