Cy 496 o365 user audit signin logs #342
@@ -2151,14 +2151,25 @@ display.page.search.mode = fast | |||
request.ui_dispatch_app = cyences_app_for_splunk | |||
request.ui_dispatch_view = search | |||
search = `cs_o365` sourcetype="o365:management:activity" _index_earliest=-61m@m _index_latest=-1m@m Workload=AzureActiveDirectory Operation=UserLoginFailed (LogonError="DeviceAuthenticationRequired" OR LogonError="UserStrongAuthClientAuthNRequiredInterrupt") \ | |||
| fields _time sourcetype user ClientIP Id LogonError user_type authentication_method app ApplicationId ExtendedProperties{}.Name ExtendedProperties{}.Value \ |
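Review bot: The `search =` line bounds only index time (`_index_earliest=-61m@m _index_latest=-1m@m`); no `earliest`/`latest` is visible in the hunk, so unless the stanza's `dispatch.earliest_time`/`dispatch.latest_time` (not shown here) set the event-time window, the index-time filter alone is applied against all time and the scheduled search scans far more than the 61-minute window it intends. Make the window explicit in the stanza, either through the dispatch settings or by pairing the index-time filter with a matching `earliest=`, so the cost and the intended overlap are clear to whoever tunes the alert later.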
I think this can be a macro:
`cs_o365` sourcetype="o365:management:activity" _index_earliest=-31m@m _index_latest=-1m@m Workload=AzureActiveDirectory Operation=UserLoginFailed (LogonError="DeviceAuthenticationRequired" OR LogonError="UserStrongAuthClientAuthNRequiredInterrupt") `cs_public_ips(ClientIP)` \
| fields _time sourcetype user ClientIP Id LogonError user_type authentication_method app ApplicationId ExtendedProperties{}.Name ExtendedProperties{}.Value \
| eval ExtendedProperties=mvzip('ExtendedProperties{}.Name','ExtendedProperties{}.Value'," : ") \
| stats count, values(user_type) as user_type, values(authentication_method) as authentication_method, max(_time) as Last_Failed_Login, values(LogonError) as LogonError, values(ApplicationId) as ApplicationId, values(ExtendedProperties) as ExtendedProperties by user, ClientIP, app \
| append \
[| search `cs_o365` source="AuditLogs.SignIns" earliest=-1h@m latest=now status.errorCode!=0 (LogonError="DeviceAuthenticationRequired" OR LogonError="UserStrongAuthClientAuthNRequiredInterrupt") `cs_public_ips(ipAddress)` \
| fields _time sourcetype userPrincipalName ipAddress id LogonError appDisplayName clientAppUsed conditionalAccessStatus isInteractive deviceDetail.* org_country org_region org_city \
| rename userPrincipalName as user, ipAddress as ClientIP, id as Id ] \
| eval user = lower(user) \
| stats values(*) as *, max(_time) as _time by Id, user, ClientIP \
| search sourcetype="o365:management:activity" \
- With fields -> union of all fields needed for the different alerts and dashboards.
- Time ranges for both are macro parameters.
- The only concern is the conditions specific to both alerts. Try with this alert: if we can pass complex search conditions (even with double quotes, AND, etc.), then we do it; otherwise ignore it.
We will have to take most things as arguments, so I think it is better to have it in the search itself. It will just complicate things. We have lots of different requirements, like LogonError, Operation/status.errorCode, earliest, latest; the number of fields can also change.
Will merge it after testing it on one environment.
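As an added illustration of the macro shape discussed above (not the app's own stanza): the time ranges become macro arguments as proposed, the shared LogonError conditions stay inside the macro, and each alert narrows the result afterwards instead of passing quoted conditions as arguments. The macro name, argument names and the alert stanza are assumptions.

```ini
# macros.conf (added example; macro and argument names are assumptions, not Cyences' own)
[cs_o365_failed_logins(4)]
args = idx_earliest, idx_latest, audit_earliest, audit_latest
definition = `cs_o365` sourcetype="o365:management:activity" _index_earliest=$idx_earliest$ _index_latest=$idx_latest$ \
    Workload=AzureActiveDirectory Operation=UserLoginFailed \
    (LogonError="DeviceAuthenticationRequired" OR LogonError="UserStrongAuthClientAuthNRequiredInterrupt") `cs_public_ips(ClientIP)` \
    | fields _time sourcetype user ClientIP Id LogonError user_type authentication_method app ApplicationId ExtendedProperties{}.Name ExtendedProperties{}.Value \
    | eval ExtendedProperties=mvzip('ExtendedProperties{}.Name','ExtendedProperties{}.Value'," : ") \
    | stats count, values(user_type) as user_type, values(authentication_method) as authentication_method, max(_time) as Last_Failed_Login, values(LogonError) as LogonError, values(ApplicationId) as ApplicationId, values(ExtendedProperties) as ExtendedProperties by user, ClientIP, app \
    | append \
        [| search `cs_o365` source="AuditLogs.SignIns" earliest=$audit_earliest$ latest=$audit_latest$ status.errorCode!=0 \
            (LogonError="DeviceAuthenticationRequired" OR LogonError="UserStrongAuthClientAuthNRequiredInterrupt") `cs_public_ips(ipAddress)` \
        | fields _time sourcetype userPrincipalName ipAddress id LogonError appDisplayName clientAppUsed conditionalAccessStatus isInteractive deviceDetail.* org_country org_region org_city \
        | rename userPrincipalName as user, ipAddress as ClientIP, id as Id ] \
    | eval user = lower(user) \
    | stats values(*) as *, max(_time) as _time by Id, user, ClientIP \
    | search sourcetype="o365:management:activity"
iseval = 0

# savedsearches.conf (constructed stanza): an alert passes only its time windows,
# then narrows to the condition specific to it, so no quoted condition crosses the macro boundary
[O365 - Failed Login Requiring Device Authentication (example)]
search = `cs_o365_failed_logins(-61m@m, -1m@m, -1h@m, now)` | search LogonError="DeviceAuthenticationRequired"
```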