Splunk Search

How to set up a search to Retrieve Office 365 audit event property retrieval?

JohnMoeVita
New Member

I'm trying to set up a search to return Office 365 role change events for specific roles, such as the Global Administrator (aka Company Administrator).  The event data seems to be structured like this (simplified for clarity):

{ Id: <someGuid>
  ModifiedProperties: [
    {
      Name: Role.ObjectID
      NewValue: 
      OldValue: <someGuid>
    },
    {
      Name: Role.DisplayName
      NewValue: 
      OldValue: Company Administrator
    },
    {
      Name: Role.TemplateId
      NewValue: 
      OldValue: <someGuid>
    },
    {
      Name: Role.WellKnownObjectName
      NewValue: 
      OldValue: TenantAdmins
    }
  ]
  ObjectId: <UPN of object modified>
  Operation: <what was done>
  UserId: <UPN of user that made change>
}

I want to extract the OldValue of the ModifiedProperties object where Name = Role.DisplayName into a field. I've had a look, and had thought either spath or eval would help, but I couldn't see any extra fields being created when I used either, much less being able to then extract data from it.

Am I on the right track? Or looking at it all wrong?  My base search is this:

sourcetype="o365:management:activity" AND RecordType=8 AND (ModifiedProperties{}.NewValue="TenantAdmins" OR ModifiedProperties{}.OldValue="TenantAdmins")

I then tried to push it through eval like this:

| eval 'ModifiedProperties{}.Name'='ModifiedProperties{}.OldValue'

I thought I understood that should have added 4 extra fields (to match the four ModifiedProperties objects) to the returned event, but the events didn't change.

Can anyone lend a hand?

0 Karma

chgota
Loves-to-Learn Lots

I came across this post while trying to figure out how to solve the same issue, and I think I've worked it out:

| eval old_role_name = mvindex('modifiedProperties{}.oldValue', mvfind('modifiedProperties{}.displayName', "Role\.DisplayName"))


modifiedProperties{}.oldValue and modifiedProperties{}.displayName are both multivalue fields. I found the mv index number of modifiedProperties{}.displayName where the value is Role.DisplayName using mvfind, then used that index number to extract the correct value from modifiedProperties{}.oldValue into a new field with mvindex.

(The backslash in the second argument of mvfind is because it's actually a regex, not a vanilla string).

0 Karma
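Building on chgota's mvfind/mvindex approach, the following search is an added example and is not from either poster: it locates the Role.DisplayName entry once, reuses that index to pull both the old and new values, and only trusts the index when the value array has the same number of elements as the Name array. It assumes the field names shown in the question (ModifiedProperties{}.Name, .OldValue, .NewValue); match the casing to whatever your sourcetype actually extracts.

```spl
sourcetype="o365:management:activity" AND RecordType=8 AND (ModifiedProperties{}.NewValue="TenantAdmins" OR ModifiedProperties{}.OldValue="TenantAdmins")
| eval prop_names='ModifiedProperties{}.Name', prop_old='ModifiedProperties{}.OldValue', prop_new='ModifiedProperties{}.NewValue'
| eval idx=mvfind(prop_names, "^Role\.DisplayName$")
| eval role_old=if(isnotnull(idx) AND mvcount(prop_old)=mvcount(prop_names), mvindex(prop_old, idx), null())
| eval role_new=if(isnotnull(idx) AND mvcount(prop_new)=mvcount(prop_names), mvindex(prop_new, idx), null())
| eval role=coalesce(role_new, role_old)
| where role="Company Administrator"
| table _time, Operation, UserId, ObjectId, role, role_old, role_new
```

The mvcount comparison guards against Splunk dropping empty elements (such as the blank NewValue entries in the question's event) from one array, which would shift the positions and make mvindex return the wrong property's value; if role_old or role_new comes back empty, check mvcount on the three fields first.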