Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] O365 Mailbox Inbox Folder Shared with All Users. Field "object" doesn't exist. #2937

Open
atgithub11 opened this issue Jan 2, 2024 · 1 comment
Open

[BUG] O365 Mailbox Inbox Folder Shared with All Users. Field "object" doesn't exist. #2937

atgithub11 opened this issue Jan 2, 2024 · 1 comment
Assignees
@josehelps
Labels
needs-more-info

Comments

@atgithub11
Copy link

Correlation search, O365 Mailbox Inbox Folder Shared with All Users, is currently using a field called "object", as object=Inbox. But I do not see this field being sent as part of O365 exchange data. Instead, I see a field called Item.ParentFolder.Name with values such as Inbox, Calender, Contacts etc.

Should "object=Inbox" be replaced with "Item.ParentFolder.Name=Inbox" for this correlation search?

App Version:

  • ESCU: 4.18.0
@atgithub11 atgithub11 added the bug Something isn't working label Jan 2, 2024
@josehelps
Copy link
Collaborator

@atgithub11 this might be due to how the data for o365 is being collected in your environment. I believe for this detection we expect the user to be leveraging https://splunkbase.splunk.com/app/4055 let me know if this is the case?

@josehelps josehelps self-assigned this Jan 24, 2024
@josehelps josehelps added needs-more-info and removed bug Something isn't working labels Jan 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@josehelps josehelps

Labels
needs-more-info
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@josehelps @atgithub11