Correlation search, O365 Mailbox Inbox Folder Shared with All Users, is currently using a field called "object", as object=Inbox. But I do not see this field being sent as part of O365 exchange data. Instead, I see a field called Item.ParentFolder.Name with values such as Inbox, Calendar, Contacts etc.
Should "object=Inbox" be replaced with "Item.ParentFolder.Name=Inbox" for this correlation search?
App Version:
ESCU: 4.18.0
@atgithub11 this might be due to how the data for o365 is being collected in your environment. I believe for this detection we expect the user to be leveraging https://splunkbase.splunk.com/app/4055; let me know if this is the case.
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
Behind the scenes, this app is creating the field object and assigning its value based on some condition:
In this case, if the Operation field is "ModifyFolderPermissions" or "AddFolderPermissions", the value of the object field will be set to Item.ParentFolder.Name.
Hence the detection should be correct, and this is just an issue of ingestion.
Hope this helps.
I'll be closing this as complete; feel free to re-open the issue in case you have further questions.
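A search to check in your own environment whether the add-on is populating `object` for the two operations named above, with a fallback that derives the folder from `Item.ParentFolder.Name` when it is not. This is an added example, not the detection's or the add-on's own search; the index name `o365` and the sourcetype `o365:management:activity` are assumptions to adjust to your ingestion.

```spl
index=o365 sourcetype="o365:management:activity"
    Operation IN ("ModifyFolderPermissions", "AddFolderPermissions")
| eval object_populated=if(isnotnull(object), "yes", "no")
| eval folder=coalesce(object, 'Item.ParentFolder.Name')
| stats count by object_populated, Operation, folder
```

Rows with object_populated="no" mean the events reach the index but the add-on's field extraction is not being applied, so the detection as shipped would not match them; fixing the ingestion (or applying the add-on's knowledge objects to the search head) is the remedy rather than editing the detection.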