Enable a saved search
In reference to SharePoint file operations, you can populate the sensitivity label properties `id`, `name`, `description`, `color`, `sensitivity`, `tooltip`, `isActive`, `isAppliable`, `contentFormats`, and `hasProtection` as fields in a lookup file that works with `o365:management:activity` events.
From the Splunk Add-On for Microsoft Office 365 Object view in Splunk Web or in `default/savedsearches.conf`:
* Edit the search by replacing `{tenant_name}` with an O365 tenant defined in the add-on configuration.
* Optionally set a different schedule for the search to run on.
* Enable the saved search.
Note
Accessing published labels requires the `InformationProtectionPolicy.Read.All` permission, as specified in Configure an integration application in Microsoft Entra ID (Azure AD) for the Splunk Add-on for Microsoft Office 365.
Usage example
Splunk Search
```
sourcetype="o365:management:activity" SensitivityLabelId | lookup splunk_ta_o365_sensitivitylabels_lookup id AS SensitivityLabelId OUTPUTNEW name, description
```
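The following search is an added example, not part of the add-on's documentation. It extends the lookup above into a coverage check: it summarizes labeled SharePoint activity per label and marks label IDs that the lookup cannot resolve as `UNRESOLVED`, which points to a saved search that is disabled, stale, or missing the required permission. It assumes the standard Office 365 Management Activity fields `Workload`, `Operation`, `UserId`, and `ObjectId` are extracted under those names; the output names `label_name`, `events`, `files`, `users`, and `last_seen` are chosen for this example.

```spl
sourcetype="o365:management:activity" Workload=SharePoint SensitivityLabelId=*
| lookup splunk_ta_o365_sensitivitylabels_lookup id AS SensitivityLabelId OUTPUTNEW name AS label_name, hasProtection
| eval label_name=coalesce(label_name, "UNRESOLVED")
| fillnull value="unknown" hasProtection
| stats count AS events, dc(ObjectId) AS files, dc(UserId) AS users, latest(_time) AS last_seen BY SensitivityLabelId, label_name, hasProtection, Operation
| convert ctime(last_seen)
| sort - events
```

The `fillnull` step keeps unresolved rows in the result, because `stats` drops events whose `BY` fields are null.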
Use the getsensitivitylabels search command
Use the `getsensitivitylabels` search command to get the sensitivity labels associated with a Microsoft Office 365 organization.
The following example demonstrates how to use this search command:
Splunk Search
```
| getsensitivitylabels tenant_name="your_tenant"
```
Use the following table to create a search fetching O365 sensitivity labels. All attributes are required:
Attribute | Description |
---|---|
tenant_name | An O365 tenant defined in the add-on configuration |