
[BUG] O365 Mailbox Inbox Folder Shared with All Users. Field "object" doesn't exist. #2937

Closed
atgithub11 opened this issue Jan 2, 2024 · 2 comments

@atgithub11

Correlation search, O365 Mailbox Inbox Folder Shared with All Users, is currently using a field called "object", as object=Inbox. But I do not see this field being sent as part of O365 Exchange data. Instead, I see a field called Item.ParentFolder.Name with values such as Inbox, Calendar, Contacts etc.

Should "object=Inbox" be replaced with "Item.ParentFolder.Name=Inbox" for this correlation search?

App Version:

  • ESCU: 4.18.0
@atgithub11 atgithub11 added the bug Something isn't working label Jan 2, 2024
@josehelps
Collaborator

@atgithub11 this might be due to how the data for o365 is being collected in your environment. I believe for this detection we expect the user to be leveraging https://splunkbase.splunk.com/app/4055 let me know if this is the case?

@josehelps josehelps self-assigned this Jan 24, 2024
@josehelps josehelps added needs-more-info and removed bug Something isn't working labels Jan 24, 2024
@nasbench
Contributor

nasbench commented Dec 9, 2024

Hey @atgithub11 thanks for opening this issue. Here is some clarification that might help you understand this.

You can see in the detection that the raw log does contain the field "Item.ParentFolder.Name":

[screenshot: sample raw event from the detection showing the Item.ParentFolder.Name field]

And this is what you are probably ingesting.

But as @josehelps said, the analytic expects ingestion of O365 via the Splunk app https://splunkbase.splunk.com/app/4055, as stated in the how_to_implement section:

how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.

Behind the scenes, this app is creating the field object and assigning its value based on some condition:

[screenshot: add-on field configuration deriving the object field from Item.ParentFolder.Name]

In this case if the Operation field is "ModifyFolderPermissions" or "AddFolderPermissions", the value of the Object field will be set to Item.ParentFolder.Name.

Hence the detection should be correct, and this is just an issue of ingestion.

Hope this helps.

I'll be closing this as completed; feel free to re-open the issue in case you have further questions.

@nasbench nasbench closed this as completed Dec 9, 2024
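The mapping described in the thread (the add-on derives `object` from `Item.ParentFolder.Name` only for `ModifyFolderPermissions` and `AddFolderPermissions`, and the detection then filters on `object=Inbox`) can be reproduced offline. The following is an added example written for this page; it is not code from the issue, from ESCU, or from the Splunk Microsoft Office 365 Add-on. It simulates that normalisation in Python over constructed sample events and runs a simplified version of the correlation search with and without it. The event shape, the hypothetical `normalize` and `inbox_shared_with_all` helpers, and the use of the Exchange `Default` principal with a non-`None` right as the "shared with all users" condition are assumptions made for the example, not details taken from the thread.

```python
"""Added example: simulate the add-on's `object` normalisation and a simplified
"O365 Mailbox Inbox Folder Shared with All Users" check over sample events.
Not code from the issue thread, ESCU, or the Splunk O365 add-on.
"""
import json
from typing import Any, Dict, Iterable, List, Optional

# Operations for which the thread says the add-on sets object = Item.ParentFolder.Name.
FOLDER_PERMISSION_OPS = {"ModifyFolderPermissions", "AddFolderPermissions"}

# Constructed sample O365 management-activity events (not real logs).
# Field names below Item.ParentFolder are assumptions for the example.
SAMPLE_EVENTS: List[str] = [
    # Inbox granted to the well-known "Default" principal: should be detected.
    json.dumps({
        "Workload": "Exchange", "Operation": "ModifyFolderPermissions",
        "UserId": "alice@example.com",
        "Item": {"ParentFolder": {"Name": "Inbox", "MemberUpn": "Default",
                                  "MemberRights": "Reviewer"}},
    }),
    # Calendar shared with everyone: different folder, should not match object=Inbox.
    json.dumps({
        "Workload": "Exchange", "Operation": "AddFolderPermissions",
        "UserId": "bob@example.com",
        "Item": {"ParentFolder": {"Name": "Calendar", "MemberUpn": "Default",
                                  "MemberRights": "Reviewer"}},
    }),
    # Inbox shared with one named user: not "all users".
    json.dumps({
        "Workload": "Exchange", "Operation": "AddFolderPermissions",
        "UserId": "carol@example.com",
        "Item": {"ParentFolder": {"Name": "Inbox", "MemberUpn": "dave@example.com",
                                  "MemberRights": "Reviewer"}},
    }),
    # Unrelated operation: object must NOT be derived from the folder name here.
    json.dumps({
        "Workload": "Exchange", "Operation": "MailItemsAccessed",
        "UserId": "erin@example.com",
        "Item": {"ParentFolder": {"Name": "Inbox"}},
    }),
]


def get_field(event: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Resolve a Splunk-style dotted field name (e.g. Item.ParentFolder.Name)."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def normalize(event: Dict[str, Any]) -> Dict[str, Any]:
    """Mimic the add-on: for folder-permission operations, copy
    Item.ParentFolder.Name into a top-level `object` field. Other events are
    returned unchanged, so a raw-ingested Inbox event never gets `object`."""
    if event.get("Operation") in FOLDER_PERMISSION_OPS:
        name = get_field(event, "Item.ParentFolder.Name")
        if name is not None:
            event = dict(event)  # do not mutate the caller's event
            event["object"] = name
    return event


def parse(lines: Iterable[str]) -> List[Dict[str, Any]]:
    return [json.loads(line) for line in lines]


def inbox_shared_with_all(events: Iterable[Dict[str, Any]],
                          normalized: bool = True) -> List[str]:
    """Simplified correlation search. Returns the UserIds of matching events.
    With normalized=False the events are evaluated as raw ingestion would
    present them (no `object` field), which is the situation in the issue."""
    hits: List[str] = []
    for e in events:
        if normalized:
            e = normalize(e)
        if e.get("Workload") != "Exchange":
            continue
        if e.get("Operation") not in FOLDER_PERMISSION_OPS:
            continue
        if e.get("object") != "Inbox":  # the field the issue is about
            continue
        # Assumed "shared with all users" condition: Default principal, real right.
        if get_field(e, "Item.ParentFolder.MemberUpn") != "Default":
            continue
        if get_field(e, "Item.ParentFolder.MemberRights") in (None, "None"):
            continue
        hits.append(e["UserId"])
    return hits


if __name__ == "__main__":
    events = parse(SAMPLE_EVENTS)
    print("raw ingestion, no add-on :", inbox_shared_with_all(events, normalized=False))
    print("with add-on normalisation:", inbox_shared_with_all(events))
```

Run as-is, the raw-ingestion pass returns no hits because none of the events carries `object`, while the normalised pass returns only `alice@example.com`; the `MailItemsAccessed` event keeps its Inbox folder name but never gains an `object` field, which is the behaviour the thread attributes to the add-on's conditional extraction.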