We're trying to set up some searches/alerts when someone makes a change to mailboxes on Exchange Online. I'm still learning SPL, but I'm having some issues with this particular one.
Splunk gets the log data from 365 correctly, but it returns a list of 4 dictionaries to identify the changes me
"Parameters": [{"Name": "Identity", "Value": "valuea"}, {"Name": "User", "Value": "valueb"}, {"Name": "AccessRights", "Value": "valuec"}, {"Name": "InheritanceType", "Value": "valued"}]
The search from the app is below, and it just spits out all 4 names/values - but how would I reference them individually? Mainly I just want to do that so I can make nicer looking alerts and dashboards with that data.
`m365_default_index` sourcetype="o365:management:activity" Workload=Exchange Operation=*permission* NOT UserId = "*Microsoft.Exchange.ServiceHost*" | table CreationTime Operation ObjectId Parameters{}.Name Parameters{}.Value UserId | rename ObjectId AS Object Parameters{}.Name AS Parameter Parameters{}.Value AS "Value" UserId AS "Modified By"
| foreach Identity User AccessRights InheritanceType
[| eval <<FIELD>>=mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"<<FIELD>>"))]
If the cited search is from a prepackaged app, it is not very useful for you. Do this instead
`m365_default_index` sourcetype="o365:management:activity" Workload=Exchange Operation=*permission* NOT UserId = "*Microsoft.Exchange.ServiceHost*"
| spath path=Parameters{}
| mvexpand Parameters{} ``` handle each array element separately ```
| spath input=Parameters{}
| table CreationTime Operation ObjectId Name Value UserId | rename ObjectId AS Object Name AS Parameter UserId AS "Modified By"
Thanks!
This does break it out, but then I'm left with 4 separate lines...so if I want to take an action on it (like an alert) it would be 4 separate alerts and none of them would tell the full story.
I want to be able to take this output and do something like:
"user $result.modifiedby$ - operation $result.operation$ on $result.Parameters{}.Identity$ - user $result.Parameters{}.User$ - rights $result.Parameters{}.accessrights$ "
You need to illustrate what you expect the result to be. So, you do not want to break the parameter names at all? And you should illustrate the full event instead of just the Parameters array. (It is always a good idea to illustrate data that relate to your desired results when asking a question.)
So, based on the additional information, I am guessing the raw data contains these:
{"result": {"Parameters": [{"Name": "Identity", "Value": "valuea"}, {"Name": "User", "Value": "valueb"}, {"Name": "AccessRights", "Value": "valuec"}, {"Name": "InheritanceType", "Value": "valued"}],
"operation": "op", "modifiedby": "muser"}}
The following should achieve the manipulation you wanted:
| eval zip = mvzip('Parameters{}.Name', 'Parameters{}.Value')
| foreach Identity User AccessRights InheritanceType
[eval <<FIELD>> = mvindex(split(mvfilter(match(zip, "^<<FIELD>>,")), ","), 1)]
| eval show = "user " . modifiedby . " - operation " . operation . " - on " . Identity . " - User " . User . " - rights " . AccessRights
The above sample data gives something like
| AccessRights | Identity | InheritanceType | User | show | zip |
|---|---|---|---|---|---|
| valuec | valuea | valued | valueb | user muser - operation op - on valuea - User valueb - rights valuec | Identity,valuea User,valueb AccessRights,valuec InheritanceType,valued |
Here is an emulation you can play with and compare to real data
| makeresults
| eval _raw = "{\"result\": {\"Parameters\": [{\"Name\": \"Identity\", \"Value\": \"valuea\"}, {\"Name\": \"User\", \"Value\": \"valueb\"}, {\"Name\": \"AccessRights\", \"Value\": \"valuec\"}, {\"Name\": \"InheritanceType\", \"Value\": \"valued\"}],
\"operation\": \"op\", \"modifiedby\": \"muser\"}}"
| spath
| rename result.* as *
``` the above emulates
`m365_default_index` sourcetype="o365:management:activity" Workload=Exchange Operation=*permission* NOT UserId = "*Microsoft.Exchange.ServiceHost*"
```
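As an added example (not from either answer above), the following search combines the mvfind approach from the first reply with the single-row alert text from the last one, but uses the real O365 field names from the asker's search (Operation, UserId, ObjectId, CreationTime) rather than the emulated operation/modifiedby. It also covers two cases the thread does not: mvfind takes a regular expression, so the parameter name is anchored to stop "User" from also matching a longer name that contains it, and a parameter missing from a given event is replaced with a marker so the message still renders instead of going null.

```spl
`m365_default_index` sourcetype="o365:management:activity" Workload=Exchange Operation=*permission* NOT UserId="*Microsoft.Exchange.ServiceHost*"
``` Parameters{}.Name and Parameters{}.Value are parallel multivalue fields; look up each
    name's position and take the value at that position. The anchors make the match exact. ```
| foreach Identity User AccessRights InheritanceType
    [ eval <<FIELD>> = mvindex('Parameters{}.Value', mvfind('Parameters{}.Name', "^<<FIELD>>$")) ]
``` an event that does not carry a parameter leaves the field null, which would make the
    concatenation below null as well; substitute a visible placeholder instead ```
| foreach Identity User AccessRights InheritanceType
    [ eval <<FIELD>> = coalesce(<<FIELD>>, "(not set)") ]
``` one row per event, so one alert tells the whole story ```
| eval alert_text = "user " . UserId . " - operation " . Operation . " on " . Identity . " - user " . User . " - rights " . AccessRights . " - inheritance " . InheritanceType
| table CreationTime Operation UserId Object Identity User AccessRights InheritanceType alert_text
```

In the alert action, reference the extracted columns as $result.alert_text$ or $result.Identity$; after the foreach they are ordinary top-level fields, so the $result.Parameters{}.Identity$ form from the question has nothing to bind to.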