I have O365 logs in Splunk. I want to find all shared files/folders plus display sensitivity labels of these files.
All valuable information is in the same source type (sourcetype="o365:management:activity") but in separate log rows.
I want to see on my dashboard:
CreationTime; ObjectId; Operation; SensitivityLabelId; Location; ProcessName; ProductVersion
Event 1 (Workload: OneDrive, the sharing event):

"CreationTime": "2021-05-06T20:19:44"
"EventData": "<Type>Edit</Type><MembersCanShareApplied>False</MembersCanShareApplied>"
"EventSource": "SharePoint"
"ItemType": "File"
"ObjectId": "https://[FILE_FULL_PATH]/TEST_SHARE_ANYONE_WITH_THE_LINK.docx"
"Operation": "AnonymousLinkCreated"
"RecordType": 14
"SiteUrl": "[MY_PERSONAL_DRIVE]"
"SourceFileExtension": "docx"
"SourceFileName": "TEST_SHARE_ANYONE_WITH_THE_LINK.docx"
"SourceRelativeUrl": "[PATH]/TEST_SHARE_ANYONE_WITH_THE_LINK.docx"
"UserId": "test@mail.com"
"Workload": "OneDrive"}

Event 2 (Workload: Aip, the sensitivity label event):

    "ApplicationName": "Microsoft Azure Information Protection Word Add-In"
    "Location": "On-premises SharePoint"
    "ProcessName": "WINWORD"
    "ProductVersion": "2.9.116.0"}
"CreationTime": "2021-05-06T20:13:57"
"DataState": "Use"
"ObjectId": "https://[FILE_FULL_PATH]/TEST_SHARE_ANYONE_WITH_THE_LINK.docx"
"Operation": "Access"
"ProtectionEventData": {"IsProtected": true
    "ProtectionOwner": "test@mail.com"
    "ProtectionType": "Template"
"SensitiveInfoTypeData": []
"SensitivityLabelEventData": {"SensitivityLabelId": "70fd9a0e-0d31-4c8e-9c48-fa8ba4ec32c0"}
"UserId": "test@mail.com"
"UserKey": "test@mail.com"
"UserType": 0
"Version": 1
"Workload": "Aip"}
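One way to correlate the two event types by file, as an added example search that is not part of the original post: it pulls the sharing events (RecordType 14, as in the OneDrive event above) and the AIP label events from the same sourcetype, normalizes ObjectId, and joins them with stats so each shared file shows the label that was applied to it. It assumes Splunk's automatic JSON extraction produces dotted field names for nested objects, and that the unnamed object holding ApplicationName, Location, ProcessName and ProductVersion is called Common (a label of the AIP record schema, not shown on the page).

```spl
sourcetype="o365:management:activity" (RecordType=14 OR Workload="Aip")
| eval ObjectId=lower(ObjectId)
| eval SensitivityLabelId='SensitivityLabelEventData.SensitivityLabelId'
| eval Location='Common.Location', ProcessName='Common.ProcessName', ProductVersion='Common.ProductVersion'
| eval ShareTime=if(Workload!="Aip", CreationTime, null())
| eval ShareOperation=if(Workload!="Aip", Operation, null())
| stats values(ShareTime) AS CreationTime
        values(ShareOperation) AS Operation
        values(SensitivityLabelId) AS SensitivityLabelId
        values(Location) AS Location
        values(ProcessName) AS ProcessName
        values(ProductVersion) AS ProductVersion
        BY ObjectId
| where isnotnull(Operation)
| table CreationTime ObjectId Operation SensitivityLabelId Location ProcessName ProductVersion
```

The where clause drops files that only have a label event and were never shared; remove it if unshared labelled files should also appear on the dashboard.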