Re: Append 2 searches together in o365 to show if ...

nathanluke86 · ‎09-13-2021

I have a search query to display external files shares that are active (Sharepoint/Onedrive).

This is working and shows us when file shares to third parties are still active.

index=o365 file_path=* user=urn* OR TargetUserOrGroupType=Guest
| fillnull value="-"
| dedup UniqueSharingId TargetUserOrGroupName
| where NOT Operation=="RemovedFromSecureLink"
|stats latest(_time) by user Operation file_path file_name vendor_product TargetUserOrGroupName UniqueSharingId

The issue we have is if a user just deletes the file share folder (so no longer an active share) the dashboard still displays the share as active.

I need to append the following search and match to the unique sharing location to display if the file/folder has been deleted:

index=o365 Operation=FileDeleted

TIA

rupkumar4sec · ‎09-13-2021

You can use a sub search to ignore the deleted files from results. Something like

index=o365 file_path=* user=urn* OR TargetUserOrGroupType=Guest NOT
[ search index=o365 Operation=FileDeleted
| table file_path,file_name ]
| fillnull value="-"
| dedup UniqueSharingId TargetUserOrGroupName
| where NOT Operation=="RemovedFromSecureLink"
| stats latest(_time) by user Operation file_path file_name vendor_product TargetUserOrGroupName UniqueSharingId

Append 2 searches together in o365 to show if a file share has been deleted

other

subsearch

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?