Enable a saved search

For SharePoint file operations, you can populate the sensitivity label properties id, name, description, color, sensitivity, tooltip, isActive, isAppliable, contentFormats, and hasProtection as fields in a lookup file that works with o365:management:activity events.

From the Splunk Add-On for Microsoft Office 365 Object view in Splunk Web or in default/savedsearches.conf:

* Edit the search by replacing {tenant_name} with an O365 tenant defined in the add-on configuration.
* Optionally set a different schedule for the search to run on.
* Enable the saved search.

Note

Accessing published labels requires the InformationProtectionPolicy.Read.All permission, as specified in Configure an integration application in Microsoft Entra ID (Azure AD) for the Splunk Add-on for Microsoft Office 365.

Usage example

Splunk Search

sourcetype="o365:management:activity" SensitivityLabelId | lookup splunk_ta_o365_sensitivitylabels_lookup id AS SensitivityLabelId OUTPUTNEW name, description
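Because the lookup is only as current as the last run of the saved search, it helps to check how many labeled events actually resolve. The following search is an added example, not part of the add-on or its documentation: it summarizes labeled file activity per label and flags label IDs that are missing from the lookup or marked inactive. It assumes the lookup stores isActive as a true/false string and uses the Operation and UserId fields of the o365:management:activity events; the label_* field names are chosen here for illustration.

```spl
sourcetype="o365:management:activity" SensitivityLabelId=*
| lookup splunk_ta_o365_sensitivitylabels_lookup id AS SensitivityLabelId OUTPUTNEW name AS label_name, sensitivity AS label_sensitivity, isActive AS label_active
| eval label_status=case(isnull(label_name), "not in lookup", lower(label_active)=="false", "inactive label", true(), "resolved")
| fillnull value="unknown" label_name label_sensitivity
| stats count AS events, dc(UserId) AS users, values(Operation) AS operations BY SensitivityLabelId, label_name, label_sensitivity, label_status
| sort - events
```

Rows with label_status "not in lookup" indicate that the saved search has not run since the label was published, or that the label belongs to a tenant other than the one configured in the search.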

Use the getsensitivitylabels search command

Use the getsensitivitylabels search command to get the sensitivity labels associated with a Microsoft Office 365 organization.

The following example demonstrates how to use this search command:

Splunk Search

| getsensitivitylabels tenant_name="your_tenant"

Use the following table to create a search fetching O365 sensitivity labels. All attributes are required:

| Attribute | Description |
| --- | --- |
| tenant_name | An O365 tenant defined in the add-on configuration |