Splunk Search

How to monitor 365 Mailbox permissions?

Niro
Explorer

We're trying to set up some searches/alerts when someone makes a change to mailboxes on Exchange Online. I'm still learning SPL, but I'm having some issues with this particular one.

Splunk gets the log data from 365 correctly, but it returns a list of 4 dictionaries to identify the changes me

"Parameters": [{"Name": "Identity", "Value": "valuea"}, {"Name": "User", "Value": "valueb"}, {"Name": "AccessRights", "Value": "valuec"}, {"Name": "InheritanceType", "Value": "valued"}]

The search from the app is below, and it just spits out all 4 names/values - but how would I reference them individually? Mainly I just want to do that so I can make nicer looking alerts and dashboards with that data.

`m365_default_index` sourcetype="o365:management:activity" Workload=Exchange Operation=*permission* NOT UserId = "*Microsoft.Exchange.ServiceHost*" | table CreationTime Operation ObjectId Parameters{}.Name Parameters{}.Value UserId | rename ObjectId AS Object Parameters{}.Name AS Parameter Parameters{}.Value AS "Value" UserId AS "Modified By"


ITWhisperer
SplunkTrust
| foreach Identity User AccessRights InheritanceType
    [| eval <<FIELD>>=mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"<<FIELD>>"))]

yuanliu
SplunkTrust

If the cited search is from a prepackaged app, it is not very useful for you. Do this instead:

`m365_default_index` sourcetype="o365:management:activity" Workload=Exchange Operation=*permission* NOT UserId = "*Microsoft.Exchange.ServiceHost*"
| spath path=Parameters{}
| mvexpand Parameters{} ``` handle each array element separately ```
| spath input=Parameters{}
| table CreationTime Operation ObjectId Name Value UserId | rename ObjectId AS Object Name AS Parameter UserId AS "Modified By"

Niro
Explorer

Thanks!

This does break it out, but then I'm left with 4 separate lines...so if I want to take an action on it (like an alert) it would be 4 separate alerts and none of them would tell the full story.

I want to be able to take this output and do something like:

"user $result.modifiedby$ - operation $result.operation$ on $result.Parameters{}.Identity$ - user $result.Parameters{}.User$ - rights $result.Parameters{}.accessrights$ "


yuanliu
SplunkTrust

You need to illustrate what you expect the result to be. So, you do not want to break the parameter names at all? And you should illustrate the full event instead of just the Parameters array. (It is always a good idea to illustrate data that relate to your desired results when asking a question.)

So, based on the additional information, I am guessing the raw data contains these:

{"result": {"Parameters": [{"Name": "Identity", "Value": "valuea"}, {"Name": "User", "Value": "valueb"}, {"Name": "AccessRights", "Value": "valuec"}, {"Name": "InheritanceType", "Value": "valued"}],
  "operation": "op", "modifiedby": "muser"}}

The following should achieve the manipulation you wanted:

| eval zip = mvzip('Parameters{}.Name', 'Parameters{}.Value')
| foreach Identity User AccessRights InheritanceType
    [eval <<FIELD>> = mvindex(split(mvfilter(match(zip, "^<<FIELD>>,")), ","), 1)]
| eval show = "user " . modifiedby . " - operation " . operation . " - on " . Identity . " - User " . User . " - rights " . AccessRights

The above sample data gives something like this (one result row, shown here as field : value; zip is a multivalue field):

AccessRights    : valuec
Identity        : valuea
InheritanceType : valued
User            : valueb
show            : user muser - operation op - on valuea - User valueb - rights valuec
zip             : Identity,valuea
                  User,valueb
                  AccessRights,valuec
                  InheritanceType,valued

Here is an emulation you can play with and compare to real data:

| makeresults
| eval _raw = "{\"result\": {\"Parameters\": [{\"Name\": \"Identity\", \"Value\": \"valuea\"}, {\"Name\": \"User\", \"Value\": \"valueb\"}, {\"Name\": \"AccessRights\", \"Value\": \"valuec\"}, {\"Name\": \"InheritanceType\", \"Value\": \"valued\"}],
  \"operation\": \"op\", \"modifiedby\": \"muser\"}}"
| spath
| rename result.* as *
``` the above emulates
`m365_default_index` sourcetype="o365:management:activity" Workload=Exchange Operation=*permission* NOT UserId = "*Microsoft.Exchange.ServiceHost*"
```

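As an added example that is not part of the thread, here is the same flatten-and-format step in Python, for anyone who formats the alert in a webhook or SOAR handler rather than in SPL. The events are constructed samples shaped like the o365:management:activity records discussed above (field names, operations and values are assumptions, not real tenant data); it goes slightly beyond the thread by covering an event that lacks one parameter and a parameter Name that repeats.

```python
import json

# Constructed sample events shaped like o365:management:activity
# Exchange permission records (not real tenant data); the second
# one has no InheritanceType parameter.
SAMPLE_EVENTS = [
    json.dumps({"CreationTime": "2024-12-01T10:00:00", "Workload": "Exchange",
                "Operation": "Add-MailboxPermission", "ObjectId": "shared-mbx",
                "UserId": "admin@example.com",
                "Parameters": [{"Name": "Identity", "Value": "shared-mbx"},
                               {"Name": "User", "Value": "alice@example.com"},
                               {"Name": "AccessRights", "Value": "FullAccess"},
                               {"Name": "InheritanceType", "Value": "All"}]}),
    json.dumps({"CreationTime": "2024-12-01T10:05:00", "Workload": "Exchange",
                "Operation": "Remove-MailboxPermission", "ObjectId": "shared-mbx",
                "UserId": "admin@example.com",
                "Parameters": [{"Name": "Identity", "Value": "shared-mbx"},
                               {"Name": "User", "Value": "bob@example.com"},
                               {"Name": "AccessRights", "Value": "FullAccess"}]}),
]

def flatten_parameters(event):
    """Promote the Parameters Name/Value array to fields on the event.

    Same idea as mvzip + foreach in SPL: one row per event, one field per
    parameter name. A Name missing from the event is simply absent; a
    repeated Name becomes a list (a multivalue) instead of being overwritten.
    """
    params = {}
    for param in event.get("Parameters", []):
        name = param.get("Name")
        if name is not None:
            params.setdefault(name, []).append(param.get("Value"))
    flat = {k: v for k, v in event.items() if k != "Parameters"}
    flat.update({k: v[0] if len(v) == 1 else v for k, v in params.items()})
    return flat

def alert_message(flat, missing="n/a"):
    """One alert line per event, in the shape asked for in the thread.
    Every field is defaulted so a missing parameter shows a visible
    placeholder instead of blanking the whole message, which is what
    a null operand does to an SPL '.' concatenation."""
    f = lambda key: missing if flat.get(key) is None else flat.get(key)
    return (f"user {f('UserId')} - operation {f('Operation')} on {f('Identity')}"
            f" - user {f('User')} - rights {f('AccessRights')}"
            f" - inheritance {f('InheritanceType')}")

def alerts_from_raw(raw_events):
    """Raw JSON event strings in, one formatted alert line per event out."""
    return [alert_message(flatten_parameters(json.loads(r))) for r in raw_events]
```

In Splunk itself the equivalent guard is a coalesce() on each extracted field before the concatenation that builds the message.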