Splunk Search

How to search and alert if anyone accesses a certain mailbox or SharePoint sites other than approved members?

syed_star357
New Member

Hi Team,

How can I write a search for the below use case? We have a Financial Audit Department. If anyone accesses the Financial Audit Department mailbox or SharePoint sites apart from the Financial Audit Department members, I want to search and alert on this.

Access to mailboxes by a sys admin or a delegate for the Financial Audit Department.

Access to FAD SharePoint sites by the Administrators.

Regards,
Syed

0 Karma

martin_mueller
SplunkTrust

You will need these things:

  • access logs for your mailboxes and SharePoint sites
  • a Splunk instance receiving the above logs
  • a way to tell "user is part of FAD or not", e.g. LDAP search, DB lookup, static list, etc., producing a user->department lookup

Once you have these, you can search something like this:

index=fad (sourcetype=sharepoint_access OR sourcetype=mailbox_access) NOT department=fad

Then alert whenever that search returns results.

0 Karma
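The detection logic of the suggested search, run offline over constructed sample access events, as an added example that is not part of the thread and not martin_mueller's code. It assumes a hypothetical key=value log format with user, sourcetype and resource fields, and a constructed user->department lookup standing in for the LDAP/DB/static-list lookup the answer says you need. Users missing from the lookup (a sysadmin, a delegate, a service account) get department "unknown" and still alert, which mirrors how NOT department=fad also matches events that have no department field at all.

```python
"""Added example, not from the Splunk Community thread: the logic of
index=fad (sourcetype=sharepoint_access OR sourcetype=mailbox_access) NOT department=fad
reproduced in Python over constructed sample events.

Assumptions (hypothetical, not from the thread):
  - each access event carries 'user', 'sourcetype' and 'resource' fields
  - USER_DEPARTMENT stands in for the user->department lookup
  - users absent from the lookup are 'unknown' and must still alert
"""
from dataclasses import dataclass

# Constructed lookup table: user -> department.
USER_DEPARTMENT = {
    "alice": "fad",
    "bob": "fad",
    "carol": "hr",
}

APPROVED_DEPARTMENT = "fad"
WATCHED_SOURCETYPES = {"sharepoint_access", "mailbox_access"}


@dataclass(frozen=True)
class Alert:
    user: str
    department: str      # "unknown" when the user is not in the lookup
    sourcetype: str
    resource: str


def parse_event(line: str) -> dict:
    """Parse one key=value access log line (constructed format) into a dict."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def non_fad_access(lines, lookup=USER_DEPARTMENT):
    """Return one Alert per mailbox/SharePoint access event whose user is not
    in the approved department. Equivalent to the SPL search in the answer,
    with the department field supplied by the lookup."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        # sourcetype filter: only mailbox and SharePoint access events
        if ev.get("sourcetype") not in WATCHED_SOURCETYPES:
            continue
        user = ev.get("user", "").lower()
        # users not in the lookup have no department, so they alert too
        dept = lookup.get(user, "unknown")
        if dept != APPROVED_DEPARTMENT:
            alerts.append(Alert(user, dept, ev["sourcetype"], ev.get("resource", "")))
    return alerts


# Constructed sample events in the assumed key=value shape.
SAMPLE_LINES = [
    "sourcetype=mailbox_access user=alice resource=fad-mailbox action=open",
    "sourcetype=mailbox_access user=svc_exchadmin resource=fad-mailbox action=open",
    "sourcetype=sharepoint_access user=carol resource=/sites/FAD/Audits action=view",
    "sourcetype=sharepoint_access user=bob resource=/sites/FAD/Audits action=view",
    "sourcetype=web_access user=carol resource=/intranet action=view",
]

if __name__ == "__main__":
    for a in non_fad_access(SAMPLE_LINES):
        print(f"ALERT: {a.user} ({a.department}) accessed {a.resource} via {a.sourcetype}")
```

On the sample data only the service account (not in the lookup) and carol (department hr) produce alerts; alice and bob are FAD members, and carol's intranet hit is dropped by the sourcetype filter. In Splunk the same lookup step would typically be a `lookup` command or an automatic lookup on the user field, so that `department` exists at search time.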