Data Source: O365 ModifyFolderPermissions

Date: 2024-07-18

ID: 0a8c1080-68c2-46d7-8324-2e7d97bb6e2f

Author: Patrick Bareiss, Splunk

Description

Data source object for O365 ModifyFolderPermissions

Details

Property	Value
Source	`o365`
Sourcetype	`o365:management:activity`
Separator	Operation

Supported Apps

Splunk Add-on for Microsoft Office 365 (version 4.5.1)

Event Fields

+ Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">AppId</span>
  
  <span class="pill kill-chain">ClientIP</span>
  
  <span class="pill kill-chain">ClientIPAddress</span>
  
  <span class="pill kill-chain">ClientInfoString</span>
  
  <span class="pill kill-chain">CreationTime</span>
  
  <span class="pill kill-chain">ExternalAccess</span>
  
  <span class="pill kill-chain">Id</span>
  
  <span class="pill kill-chain">InternalLogonType</span>
  
  <span class="pill kill-chain">Item.Id</span>
  
  <span class="pill kill-chain">Item.ParentFolder.Id</span>
  
  <span class="pill kill-chain">Item.ParentFolder.MemberRights</span>
  
  <span class="pill kill-chain">Item.ParentFolder.MemberSid</span>
  
  <span class="pill kill-chain">Item.ParentFolder.MemberUpn</span>
  
  <span class="pill kill-chain">Item.ParentFolder.Name</span>
  
  <span class="pill kill-chain">Item.ParentFolder.Path</span>
  
  <span class="pill kill-chain">LogonType</span>
  
  <span class="pill kill-chain">LogonUserSid</span>
  
  <span class="pill kill-chain">MailboxGuid</span>
  
  <span class="pill kill-chain">MailboxOwnerSid</span>
  
  <span class="pill kill-chain">MailboxOwnerUPN</span>
  
  <span class="pill kill-chain">Operation</span>
  
  <span class="pill kill-chain">OrganizationId</span>
  
  <span class="pill kill-chain">OrganizationName</span>
  
  <span class="pill kill-chain">OriginatingServer</span>
  
  <span class="pill kill-chain">RecordType</span>
  
  <span class="pill kill-chain">ResultStatus</span>
  
  <span class="pill kill-chain">SessionId</span>
  
  <span class="pill kill-chain">UserId</span>
  
  <span class="pill kill-chain">UserKey</span>
  
  <span class="pill kill-chain">UserType</span>
  
  <span class="pill kill-chain">Version</span>
  
  <span class="pill kill-chain">Workload</span>
  
  <span class="pill kill-chain">action</span>
  
  <span class="pill kill-chain">app</span>
  
  <span class="pill kill-chain">authentication_service</span>
  
  <span class="pill kill-chain">change_type</span>
  
  <span class="pill kill-chain">client_info_str</span>
  
  <span class="pill kill-chain">command</span>
  
  <span class="pill kill-chain">dataset_name</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">dest_name</span>
  
  <span class="pill kill-chain">dvc</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">object</span>
  
  <span class="pill kill-chain">object_attrs</span>
  
  <span class="pill kill-chain">object_category</span>
  
  <span class="pill kill-chain">object_id</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">record_type</span>
  
  <span class="pill kill-chain">result</span>
  
  <span class="pill kill-chain">signature</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">src</span>
  
  <span class="pill kill-chain">src_ip</span>
  
  <span class="pill kill-chain">status</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">tenant_id</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
  <span class="pill kill-chain">user</span>
  
  <span class="pill kill-chain">user_agent</span>
  
  <span class="pill kill-chain">user_id</span>
  
  <span class="pill kill-chain">user_type</span>
  
  <span class="pill kill-chain">vendor_account</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
</div>

Example Log

1{"CreationTime": "2023-09-07T18:19:07", "Id": "ff065c17-e638-4013-20ab-08dbafceeca1", "Operation": "ModifyFolderPermissions", "OrganizationId": "e17879dd-24ec-44a6-be92-9dcbf6969220", "RecordType": 2, "ResultStatus": "Succeeded", "UserKey": "10032002CC029AE9", "UserType": 0, "Version": 1, "Workload": "Exchange", "ClientIP": "22.23.21.25", "UserId": "user1@contoso.onmicrosoft.com", "AppId": "00000002-0000-0ff1-ce00-000000000000", "ClientIPAddress": "22.23.21.25", "ClientInfoString": "Client=OWA;Action=ViaProxy", "ExternalAccess": false, "InternalLogonType": 0, "LogonType": 0, "LogonUserSid": "S-1-5-21-1148582062-3132321681-773847816-45339891", "MailboxGuid": "8e942cc1-73d8-4483-9def-7d9579d615a7", "MailboxOwnerSid": "S-1-5-21-1148582062-3132321681-773847816-45339891", "MailboxOwnerUPN": "user1@contoso.onmicrosoft.com", "OrganizationName": "contoso.onmicrosoft.com", "OriginatingServer": "BYAPR18MB2728 (15.20.4200.000)\r\n", "SessionId": "d2a5a3ba-992b-431a-9b52-8c76210d17d9", "Item": {"Id": "LgAAAABKe+NY5HVjRYWDqaJ5IKKFAQBQ11dzmT6LS6bQbkNDtISsAAAAAAEMAAAB", "ParentFolder": {"Id": "LgAAAABKe+NY5HVjRYWDqaJ5IKKFAQBQ11dzmT6LS6bQbkNDtISsAAAAAAEMAAAB", "MemberRights": "FreeBusySimple", "MemberSid": "S-1-1-0", "MemberUpn": "Everyone", "Name": "Inbox", "Path": "\\Inbox"}}}

Source: GitHub | Version: 1