Cy 496 o365 user audit signin logs #342
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @@ -2151,14 +2151,25 @@ display.page.search.mode = fast | |||
| request.ui_dispatch_app = cyences_app_for_splunk | |||
| request.ui_dispatch_view = search | |||
| search = `cs_o365` sourcetype="o365:management:activity" _index_earliest=-61m@m _index_latest=-1m@m Workload=AzureActiveDirectory Operation=UserLoginFailed (LogonError="DeviceAuthenticationRequired" OR LogonError="UserStrongAuthClientAuthNRequiredInterrupt") \ | |||
| | fields _time sourcetype user ClientIP Id LogonError user_type authentication_method app ApplicationId ExtendedProperties{}.Name ExtendedProperties{}.Value \ | |||
There was a problem hiding this comment.
I think this can be a macro:
`cs_o365` sourcetype="o365:management:activity" _index_earliest=-31m@m _index_latest=-1m@m Workload=AzureActiveDirectory Operation=UserLoginFailed (LogonError="DeviceAuthenticationRequired" OR LogonError="UserStrongAuthClientAuthNRequiredInterrupt") `cs_public_ips(ClientIP)` \
| fields _time sourcetype user ClientIP Id LogonError user_type authentication_method app ApplicationId ExtendedProperties{}.Name ExtendedProperties{}.Value \
| eval ExtendedProperties=mvzip('ExtendedProperties{}.Name','ExtendedProperties{}.Value'," : ") \
| stats count, values(user_type) as user_type, values(authentication_method) as authentication_method, max(_time) as Last_Failed_Login, values(LogonError) as LogonError, values(ApplicationId) as ApplicationId, values(ExtendedProperties) as ExtendedProperties by user, ClientIP, app \
| append \
[| search `cs_o365` source="AuditLogs.SignIns" earliest=-1h@m latest=now status.errorCode!=0 (LogonError="DeviceAuthenticationRequired" OR LogonError="UserStrongAuthClientAuthNRequiredInterrupt") `cs_public_ips(ipAddress)` \
| fields _time sourcetype userPrincipalName ipAddress id LogonError appDisplayName clientAppUsed conditionalAccessStatus isInteractive deviceDetail.* org_country org_region org_city \
| rename userPrincipalName as user, ipAddress as ClientIP, id as Id ] \
| eval user = lower(user) \
| stats values(*) as *, max(_time) as _time by Id, user, ClientIP \
| search sourcetype="o365:management:activity" \
- With fields -> Union of all needed in different needed for all alerts and dashboards
- timerange for both are macro parameters.
- Only concerns in conditions specific to both alerts. Try with this alert, if we can pass complex search conditions (even with double quotes and AND, etc) then we do it, otherwise ignore it.
There was a problem hiding this comment.
will have to take most of things as argument so i think it better to have in the search itself. It will just complicate things. We have lots of different requirement like. LogonError, Operation/status.errorCode, earliest, latest no of fields can also change.
VatsalJagani
approved these changes
Jul 13, 2023
|
Will merge it after testing it on one environment |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.