Merge pull request #562 from CrossRealms/bug-fix-file-sharing

Bug fixes and improvement in file sharing alert.

cyences_app_for_splunk/default/data/ui/views/cs_o365_reports.xml

@@ -1030,13 +1030,13 @@
 | iplocation ClientIP 
 | fillnull value="" Country, Region, City 
 | rename ClientIP as Source
-| stats values(Operation) as Operations, values(EventData) as EventData, values(Source) as Source, values(SharingLinkScope) as SharingLinkScope, values(Permission) as Permission, values(ItemType) as ItemType, values(ApplicationDisplayName) as ApplicationDisplayName, values(EventSource) as EventSource latest(_time) as LastTime earliest(_time) as FirstTime, values(Country) as Country, values(City) as City, values(Region) as Region by SourceFileName, UserId 
-| search SharingLinkScope!="Organization"
+| stats values(Operation) as Operations, values(TargetUserOrGroupName) as TargetUserOrGroupName, values(EventData) as EventData, values(ObjectId) as ObjectId, values(Source) as Source, values(SharingLinkScope) as SharingLinkScope, values(Permission) as Permission, values(ItemType) as ItemType, values(ApplicationDisplayName) as ApplicationDisplayName, values(EventSource) as EventSource latest(_time) as LastTime earliest(_time) as FirstTime, values(Country) as Country, values(City) as City, values(Region) as Region by SourceFileName, UserId 
+| search NOT SharingLinkScope="Organization"
 | rename UserId as User
 | `cs_human_readable_time_format(FirstTime)`
 | `cs_human_readable_time_format(LastTime)`
 | `cs_user_privilege_mapping(User)`
-| table User,is_privileged_user,SourceFileName,SharingLinkScope,Permission,EventSource,ItemType,Operations,ApplicationDisplayName,FirstTime,LastTime,EventData,Source,Country,City,Region
+| table User,is_privileged_user,SourceFileName,SharingLinkScope,Permission,TargetUserOrGroupName,EventSource,ItemType,Operations,ApplicationDisplayName,FirstTime,LastTime,EventData,ObjectId,Source,Country,City,Region
 | `cs_o365_sharing_file_with_external_user_filter`
 </query>
           <earliest>$timeRange.earliest$</earliest>
@@ -1082,13 +1082,15 @@
       </input>
       <table>
         <search>
-          <query>`cs_o365` sourcetype="o365:management:activity" Workload IN (OneDrive, SharePoint) Operation IN ("AnonymousLinkUsed","SharingLinkUsed") NOT TargetUserOrGroupType IN ("Member", "SharePointGroup") $tkn_exclude_teams_link_accessed$ $tkn_application_name_link_accessed$
-| search UserId=anonymous
-| iplocation ClientIP  
+          <query>`cs_o365` sourcetype="o365:management:activity" Workload IN (OneDrive, SharePoint) Operation IN ("AnonymousLinkUsed","SharingLinkUsed") $tkn_exclude_teams_link_accessed$ $tkn_application_name_link_accessed$
+| iplocation ClientIP
 | fillnull value="" Country, Region, City 
 | rename ClientIP as Source
 | `cs_o365_onedrive_or_sharepoint_link_accessed_by_external_user_internal_filter`
-| stats values(Operation) AS Operations, values(ObjectId) as ObjectId , values(SharingLinkScope) as SharingLinkScope, values(Permission) as Permission, values(ApplicationDisplayName) as ApplicationDisplayName, values(Source) as Source,values(EventData) as EventData, values(ItemType) as ItemType,values(EventSource) as EventSource latest(_time) as LastTime earliest(_time) as FirstTime, values(Country) as Country, values(City) as City, values(Region) as Region by SourceFileName, UserId 
+| stats values(Operation) AS Operations, values(ObjectId) as ObjectId , values(SharingLinkScope) as SharingLinkScope, values(Permission) as Permission, values(ApplicationDisplayName) as ApplicationDisplayName, values(Source) as Source,values(EventData) as EventData, values(ItemType) as ItemType,values(EventSource) as EventSource latest(_time) as LastTime earliest(_time) as FirstTime, values(Country) as Country, values(City) as City, values(Region) as Region by SourceFileName, UserId
+| rex field=UserId "(?&lt;email_user&gt;[^@]+)@(?&lt;email_domain&gt;.+)"
+| eval email_domain_search = replace(email_domain, "\.", "_") | fillnull value="NOTHING_HERE_NO" email_domain_search
+| search NOT SharingLinkScope="Organization" | where !like(ObjectId, "%".email_domain_search."%")
 | rename UserId as UserAccessingFile
 | `cs_human_readable_time_format(FirstTime)`
 | `cs_human_readable_time_format(LastTime)`

cyences_app_for_splunk/default/savedsearches.conf

@@ -2806,14 +2806,14 @@ search = `cs_o365` sourcetype="o365:management:activity" _index_earliest=-61m@m
 | iplocation ClientIP \
 | fillnull value="" Country, Region, City \
 | rename ClientIP as Source \
-| stats values(Operation) as Operations, values(EventData) as EventData, values(Source) as Source, values(SharingLinkScope) as SharingLinkScope, values(Permission) as Permission, values(ItemType) as ItemType, values(ApplicationDisplayName) as ApplicationDisplayName, values(EventSource) as EventSource latest(_time) as LastTime earliest(_time) as FirstTime, values(Country) as Country, values(City) as City, values(Region) as Region by SourceFileName, UserId \
-| search SharingLinkScope!="Organization" \
+| stats values(Operation) as Operations, values(TargetUserOrGroupName) as TargetUserOrGroupName, values(EventData) as EventData, values(ObjectId) as ObjectId, values(Source) as Source, values(SharingLinkScope) as SharingLinkScope, values(Permission) as Permission, values(ItemType) as ItemType, values(ApplicationDisplayName) as ApplicationDisplayName, values(EventSource) as EventSource latest(_time) as LastTime earliest(_time) as FirstTime, values(Country) as Country, values(City) as City, values(Region) as Region by SourceFileName, UserId \
+| search NOT SharingLinkScope="Organization" \
 | rename UserId as User \
 | `cs_human_readable_time_format(FirstTime)` \
 | `cs_human_readable_time_format(LastTime)` \
 | `cs_user_privilege_mapping(User)` \
 | eval cyences_severity = if(is_privileged_user=="Yes", "critical","high") \
-| table User,is_privileged_user,SourceFileName,Permission,SharingLinkScope,EventSource,ItemType,Operations,ApplicationDisplayName,FirstTime,LastTime,EventData,cyences_severity,Source,Country,Region \
+| table User,is_privileged_user,SourceFileName,Permission,SharingLinkScope,TargetUserOrGroupName,EventSource,ItemType,Operations,ApplicationDisplayName,FirstTime,LastTime,EventData,ObjectId,cyences_severity,Source,Country,Region \
 | `cs_o365_sharing_file_with_external_user_filter`
 action.cyences_notable_event_action = 1
 action.cyences_notable_event_action.param.filter_macro_name = cs_o365_sharing_file_with_external_user_filter
@@ -2841,14 +2841,16 @@ display.page.search.tab = statistics
 display.page.search.mode = fast
 request.ui_dispatch_app = cyences_app_for_splunk
 request.ui_dispatch_view = search
-search = `cs_o365` sourcetype="o365:management:activity" _index_earliest=-61m@m _index_latest=-1m@m Workload IN (OneDrive, SharePoint) Operation IN ("AnonymousLinkUsed","SharingLinkUsed") NOT TargetUserOrGroupType IN ("Member", "SharePointGroup") \
+search = `cs_o365` sourcetype="o365:management:activity" _index_earliest=-61m@m _index_latest=-1m@m Workload IN (OneDrive, SharePoint) Operation IN ("AnonymousLinkUsed","SharingLinkUsed") \
 |`cs_o365_link_accessed_by_external_user_internal_filter` \
-| search UserId=anonymous \
 | iplocation ClientIP \
 | fillnull value="" Country, Region, City \
 | rename ClientIP as Source \
 | `cs_o365_onedrive_or_sharepoint_link_accessed_by_external_user_internal_filter` \
 | stats values(Operation) as Operations, values(ObjectId) as ObjectId , values(SharingLinkScope) as SharingLinkScope, values(Permission) as Permission, values(ApplicationDisplayName) as ApplicationDisplayName, values(Source) as Source,values(EventData) as EventData, values(ItemType) as ItemType,values(EventSource) as EventSource latest(_time) as LastTime earliest(_time) as FirstTime, values(Country) as Country, values(City) as City, values(Region) as Region by SourceFileName, UserId \
+| rex field=UserId "(?<email_user>[^@]+)@(?<email_domain>.+)" \
+| eval email_domain_search = replace(email_domain, "\.", "_") | fillnull value="NOTHING_HERE_NO" email_domain_search \
+| search NOT SharingLinkScope="Organization" | where !like(ObjectId, "%".email_domain_search."%") \
 | rename UserId as UserAccessingFile \
 | `cs_human_readable_time_format(FirstTime)` \
 | `cs_human_readable_time_format(LastTime)` \