
How to search and alert if anyone accesses a certain mailbox or SharePoint sites other than approved members?

New Member

Hi Team,

How can I write a search for the below use case? We have a Financial Audit Department. If anyone accesses the Financial Audit Department mailbox or SharePoint sites apart from the Financial Audit Department members, I want to search and alert on this.

Access to mailboxes by a sys admin or a delegate for the Financial Audit Department.

Access to FAD SharePoint sites by the Administrators.

Regards,
Syed

0 Karma

Re: How to search and alert if anyone accesses a certain mailbox or SharePoint sites other than approved members?

SplunkTrust

You will need these things:

  • access logs for your mailboxes and sharepoint sites
  • a Splunk instance getting above logs
  • a way to tell "user is part of FAD or not", e.g. LDAP search, DB lookup, static list, etc., producing a user->department lookup

Once you have these, you can search something like this:

index=fad (sourcetype=sharepoint_access OR sourcetype=mailbox_access) NOT department=fad

Then alert whenever that search returns results.

0 Karma
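The detection the answer above describes, run offline over constructed sample events as an added example (this is not code from the thread or from Splunk). It assumes hypothetical field names (user, target, logon_type), a constructed user-to-department lookup standing in for the LDAP/DB/CSV lookup the answer mentions, and a constructed list of FAD-owned resources. It also covers the case the SPL line leaves implicit: an actor who is missing from the lookup entirely is still reported, since an unknown identity touching FAD data is exactly what should be alerted on.

```python
"""
Added example: flag access to FAD-owned mailboxes/SharePoint sites by
anyone whose department is not FAD. All names, fields and events below
are constructed for illustration, not real Splunk field names or logs.
"""
from dataclasses import dataclass

FAD = "fad"

# Constructed lookup: user -> department (what an LDAP/DB/CSV lookup would yield)
USER_DEPARTMENT = {
    "alice@example.com": "fad",
    "bob@example.com": "fad",
    "carol@example.com": "hr",
    "svc-exchadmin@example.com": "it",
}

# Constructed list of FAD-owned resources (shared mailbox and SharePoint site)
FAD_TARGETS = {
    "fad-audit@example.com",
    "https://sp.example.com/sites/fad",
}

# Constructed sample events; logon_type mimics Owner/Admin/Delegate access
SAMPLE_EVENTS = [
    {"sourcetype": "mailbox_access", "user": "alice@example.com",
     "target": "fad-audit@example.com", "logon_type": "Delegate"},
    {"sourcetype": "mailbox_access", "user": "svc-exchadmin@example.com",
     "target": "fad-audit@example.com", "logon_type": "Admin"},
    {"sourcetype": "sharepoint_access", "user": "Carol@Example.com",
     "target": "https://sp.example.com/sites/fad", "logon_type": "Owner"},
    {"sourcetype": "sharepoint_access", "user": "mallory@example.com",
     "target": "https://sp.example.com/sites/fad", "logon_type": "Owner"},
    {"sourcetype": "sharepoint_access", "user": "carol@example.com",
     "target": "https://sp.example.com/sites/hr", "logon_type": "Owner"},
]


@dataclass(frozen=True)
class Alert:
    user: str
    department: str
    target: str
    sourcetype: str
    logon_type: str


def lookup_department(user, lookup):
    # Normalise case before the lookup; an unknown user becomes "unknown"
    # rather than being dropped, so unapproved identities are not silently missed.
    return lookup.get(user.lower(), "unknown")


def find_unapproved_access(events, lookup=USER_DEPARTMENT, fad_targets=FAD_TARGETS):
    """Return one Alert per event where a non-FAD (or unknown) user touched a FAD resource."""
    targets = {t.lower() for t in fad_targets}
    alerts = []
    for ev in events:
        if ev["sourcetype"] not in ("mailbox_access", "sharepoint_access"):
            continue
        if ev["target"].lower() not in targets:
            continue  # access to non-FAD resources is out of scope
        dept = lookup_department(ev["user"], lookup)
        if dept == FAD:
            continue  # approved member
        alerts.append(Alert(ev["user"].lower(), dept, ev["target"],
                            ev["sourcetype"], ev["logon_type"]))
    return alerts


if __name__ == "__main__":
    for a in find_unapproved_access(SAMPLE_EVENTS):
        print(f"ALERT {a.sourcetype}: {a.user} ({a.department}, {a.logon_type}) "
              f"accessed {a.target}")
```

In Splunk the equivalent of `lookup_department` is a `| lookup` against the user-to-department CSV (or an automatic lookup on the sourcetype) so that `department` exists on each event before the `NOT department=fad` filter runs; note that `NOT department=fad` also matches events on which the field is absent, which is the desired behaviour for users missing from the lookup.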