Splunk Search

How to monitor 365 Mailbox permissions?

Niro
Explorer

We're trying to set up some searches/alerts when someone makes a change to mailboxes on Exchange Online. I'm still learning SPL, but I'm having some issues with this particular one.

Splunk gets the log data from 365 correctly, but it returns a list of 4 dictionaries  to identify the changes me

 

"Parameters": [{"Name": "Identity", "Value": "valuea"}, {"Name": "User", "Value": "valueb"}, {"Name": "AccessRights", "Value": "valuec"}, {"Name": "InheritanceType", "Value": "valued"}]

 

 

The search from the app is below, and it just spits out all 4 names/values - but how would I reference them individually? Mainly I just want to do that so I can make nicer looking alerts and dashboards with that data.

 

`m365_default_index` sourcetype="o365:management:activity" Workload=Exchange Operation=*permission* NOT UserId = "*Microsoft.Exchange.ServiceHost*" | table CreationTime Operation ObjectId Parameters{}.Name Parameters{}.Value UserId | rename ObjectId AS Object Parameters{}.Name AS Parameter Parameters{}.Value AS "Value" UserId AS "Modified By"

 

 

Labels (4)
Tags (2)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| foreach Identity User AccessRights InheritanceType
    [| eval <<FIELD>>=mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"<<FIELD>>"))]
0 Karma

yuanliu
SplunkTrust
SplunkTrust

If the cited search is from a prepackaged app, it is not very useful for you.  Do this instead

`m365_default_index` sourcetype="o365:management:activity" Workload=Exchange Operation=*permission* NOT UserId = "*Microsoft.Exchange.ServiceHost*"
| spath path=Parameters{}
| mvexpand Parameters{} ``` handle each array element separately ```
| spath input=Parameters{}
| table CreationTime Operation ObjectId Name Value UserId | rename ObjectId AS Object Name AS Parameter UserId AS "Modified By"
Tags (2)
0 Karma

Niro
Explorer

Thanks!

This does break it out, but then I'm left with 4 separate lines...so if I want to take an action on it (like an alert) it would be 4 separate alerts and none of them would tell the full story.

I want to be able to take this output and do something like:

"user $result.modifiedby$ - operation $result.operation$ on $result.Parameters{}.Identity$ - user $result.Parameters{}.User$ - rights $result.Parameters{}.accessrights$ "

0 Karma

yuanliu
SplunkTrust
SplunkTrust

You need to illustrate what you expect the result to be.  So, you do not want to break the parameter names at all?  And you should illustrate the full event instead of just the Parameters array. (It is always a good idea to illustrate data that relate to your desired results when asking a question.)

So, based on the additional information, I am guessing the raw data contains these:

 

{"result": {"Parameters": [{"Name": "Identity", "Value": "valuea"}, {"Name": "User", "Value": "valueb"}, {"Name": "AccessRights", "Value": "valuec"}, {"Name": "InheritanceType", "Value": "valued"}],
  "operation": "op", "modifiedby": "muser"}}

 

The following should achieve the manipulation you wanted:

 

| eval zip = mvzip('Parameters{}.Name', 'Parameters{}.Value')
| foreach Identity User AccessRights InheritanceType
    [eval <<FIELD>> = mvindex(split(mvfilter(match(zip, "^<<FIELD>>,")), ","), 1)]
| eval show = "user " . modifiedby . " - operation " . operation . " - on " . Identity . " - User " . User . " - rights " . AccessRights

 

The above sample data gives something like

AccessRightsIdentityInheritanceTypeUsershow
zip
valuecvalueavaluedvaluebuser muser - operation op - on valuea - User valueb - rights valuec
Identity,valuea
User,valueb
AccessRights,valuec
InheritanceType,valued

Here is an emulation you can play with and compare to real data

 

| makeresults
| eval _raw = "{\"result\": {\"Parameters\": [{\"Name\": \"Identity\", \"Value\": \"valuea\"}, {\"Name\": \"User\", \"Value\": \"valueb\"}, {\"Name\": \"AccessRights\", \"Value\": \"valuec\"}, {\"Name\": \"InheritanceType\", \"Value\": \"valued\"}],
  \"operation\": \"op\", \"modifiedby\": \"muser\"}}"
| spath
| rename result.* as *
``` the above emulates
`m365_default_index` sourcetype="o365:management:activity" Workload=Exchange Operation=*permission* NOT UserId = "*Microsoft.Exchange.ServiceHost*"
```

 

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...