Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to search and alert if anyone accesses a certain mailbox or SharePoint sites other than approved members?

syed_star357
New Member
‎08-20-2016 09:58 PM

Hi Team,

How can I write search for the below use case? We have a Financial Audit Department. If any one accesses Financial Audit Department mailbox or Sharepoint sites apart from the Financial Audit Department members, I want to search and alert on this.

Access to mailboxes by a sys admin or a delegate for the Financial Audit Department.

Access to FAD Sharepoint sites by the Administrators.

Regards,
Syed

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎08-21-2016 06:35 AM

You will need these things:

  • access logs for your mailboxes and sharepoint sites
  • a Splunk instance getting above logs
  • a way to tell "user is part of FAD or not", e.g. LDAP search, DB lookup, static list, etc., producing a user->department lookup

Once you have these, you can search something like this:

index=fad (sourcetype=sharepoint_access OR sourcetype=mailbox_access) NOT department=fad

Then alert whenever that search returns results.

0 Karma
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...