Enable a saved search¶
In reference to SharePoint file operations, you can populate the sensitivity label properties id, name, description, color,sensitivity, tooltip, isActive, isAppliable, contentFormats, hasProtection as fields in a lookup file that works with o365:management:activity events.
From the Splunk Add-On for Microsoft Office 365 Object view in Splunk Web or in default/savedsearches.conf:
* Edit the search by replacing {tenant_name} with an O365 tenant defined in the add-on configuration.
* Optionally set a different schedule for the search to run on.
* Enable the saved search.
Note
Accessing published labels require InformationProtectionPolicy.Read.All permission as specified in Configure an integration application in Microsoft Entra ID (Azure AD) for the Splunk Add-on for Microsoft Office 365.
Usage example¶
Splunk Search
sourcetype=”o365:management:activity” SensitivityLabelId | lookup splunk_ta_o365_sensitivitylabels_lookup id AS SensitivityLabelId OUTPUTNEW name, description
Use the getsensitivitylabels search command¶
Use the search command, getsensitivitylabels, to get sensitivity labels associated to a Microsoft Office 365 organization.
The following example demonstrates how to use this search command:
Splunk Search
| getsensitivitylabels tenant_name=”your_tenant”
Use the following table to create a search fetching O365 sensitivity labels. All attributes are required:
| Attribute | Description |
|---|---|
tenant_name |
An O365 tenant defined in the add-on configuration |