Splunk Search

How to monitor 365 Mailbox permissions?

Niro
Explorer

We're trying to set up some searches/alerts when someone makes a change to mailboxes on Exchange Online. I'm still learning SPL, but I'm having some issues with this particular one.

Splunk gets the log data from 365 correctly, but it returns a list of 4 dictionaries to identify the changes me

"Parameters": [{"Name": "Identity", "Value": "valuea"}, {"Name": "User", "Value": "valueb"}, {"Name": "AccessRights", "Value": "valuec"}, {"Name": "InheritanceType", "Value": "valued"}]

The search from the app is below, and it just spits out all 4 names/values - but how would I reference them individually? Mainly I just want to do that so I can make nicer looking alerts and dashboards with that data.

`m365_default_index` sourcetype="o365:management:activity" Workload=Exchange Operation=*permission* NOT UserId = "*Microsoft.Exchange.ServiceHost*"
| table CreationTime Operation ObjectId Parameters{}.Name Parameters{}.Value UserId
| rename ObjectId AS Object Parameters{}.Name AS Parameter Parameters{}.Value AS "Value" UserId AS "Modified By"

ITWhisperer
SplunkTrust

| foreach Identity User AccessRights InheritanceType
    [| eval <<FIELD>>=mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"<<FIELD>>"))]

yuanliu
SplunkTrust

If the cited search is from a prepackaged app, it is not very useful for you. Do this instead:

`m365_default_index` sourcetype="o365:management:activity" Workload=Exchange Operation=*permission* NOT UserId = "*Microsoft.Exchange.ServiceHost*"
| spath path=Parameters{}
| mvexpand Parameters{} ``` handle each array element separately ```
| spath input=Parameters{}
| table CreationTime Operation ObjectId Name Value UserId
| rename ObjectId AS Object Name AS Parameter UserId AS "Modified By"

Niro
Explorer

Thanks!

This does break it out, but then I'm left with 4 separate lines...so if I want to take an action on it (like an alert) it would be 4 separate alerts and none of them would tell the full story.

I want to be able to take this output and do something like:

"user $result.modifiedby$ - operation $result.operation$ on $result.Parameters{}.Identity$ - user $result.Parameters{}.User$ - rights $result.Parameters{}.accessrights$ "


yuanliu
SplunkTrust

You need to illustrate what you expect the result to be. So, you do not want to break the parameter names at all? And you should illustrate the full event instead of just the Parameters array. (It is always a good idea to illustrate data that relate to your desired results when asking a question.)

So, based on the additional information, I am guessing the raw data contains these:

{"result": {"Parameters": [{"Name": "Identity", "Value": "valuea"}, {"Name": "User", "Value": "valueb"}, {"Name": "AccessRights", "Value": "valuec"}, {"Name": "InheritanceType", "Value": "valued"}],
  "operation": "op", "modifiedby": "muser"}}

The following should achieve the manipulation you wanted:

| eval zip = mvzip('Parameters{}.Name', 'Parameters{}.Value')
| foreach Identity User AccessRights InheritanceType
    [eval <<FIELD>> = mvindex(split(mvfilter(match(zip, "^<<FIELD>>,")), ","), 1)]
| eval show = "user " . modifiedby . " - operation " . operation . " - on " . Identity . " - User " . User . " - rights " . AccessRights

The above sample data gives something like:

Field            Value
AccessRights     valuec
Identity         valuea
InheritanceType  valued
User             valueb
show             user muser - operation op - on valuea - User valueb - rights valuec
zip              Identity,valuea
                 User,valueb
                 AccessRights,valuec
                 InheritanceType,valued

Here is an emulation you can play with and compare to real data

| makeresults
| eval _raw = "{\"result\": {\"Parameters\": [{\"Name\": \"Identity\", \"Value\": \"valuea\"}, {\"Name\": \"User\", \"Value\": \"valueb\"}, {\"Name\": \"AccessRights\", \"Value\": \"valuec\"}, {\"Name\": \"InheritanceType\", \"Value\": \"valued\"}],
  \"operation\": \"op\", \"modifiedby\": \"muser\"}}"
| spath
| rename result.* as *
``` the above emulates
`m365_default_index` sourcetype="o365:management:activity" Workload=Exchange Operation=*permission* NOT UserId = "*Microsoft.Exchange.ServiceHost*"
```
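
As an added illustration that is not from the thread, the same flattening done in Python: a constructed o365:management:activity-style event (not a real log line) has its Parameters array reduced to one row keyed by Name, pairing Name and Value by index so a Value that itself contains a comma survives, and the alert text is rendered from that row.

```python
import json

# Constructed sample event in the shape of an o365:management:activity
# mailbox-permission record (not a real log line); only the fields the
# thread's search uses are included.
SAMPLE_EVENT = json.dumps({
    "CreationTime": "2024-05-01T10:15:00",
    "Operation": "Add-MailboxPermission",
    "ObjectId": "shared-mailbox@example.com",
    "UserId": "admin@example.com",
    "Parameters": [
        {"Name": "Identity", "Value": "shared-mailbox@example.com"},
        {"Name": "User", "Value": "alice@example.com"},
        {"Name": "AccessRights", "Value": "FullAccess, ReadPermission"},
        {"Name": "InheritanceType", "Value": "All"},
    ],
})

WANTED = ("Identity", "User", "AccessRights", "InheritanceType")


def flatten_parameters(event: dict, names=WANTED) -> dict:
    """Turn the Parameters array into one flat dict keyed by Name.

    Pairing each Name/Value object by index (like mvzip over the two
    multivalue fields) keeps a Value that contains commas intact, which
    splitting a joined "Name,Value" string on "," would not.
    """
    by_name = {p.get("Name"): p.get("Value") for p in event.get("Parameters", [])}
    # A parameter the operation did not log becomes None instead of raising,
    # so one alert row is still produced for that event.
    return {n: by_name.get(n) for n in names}


def alert_message(raw: str) -> dict:
    """Parse one raw JSON event and render the single-line alert text."""
    event = json.loads(raw)
    params = flatten_parameters(event)
    show = (
        f"user {event.get('UserId')} - operation {event.get('Operation')}"
        f" - on {params['Identity']} - User {params['User']}"
        f" - rights {params['AccessRights']}"
    )
    return {**params, "show": show}


if __name__ == "__main__":
    print(alert_message(SAMPLE_EVENT)["show"])
```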