Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cy 496 o365 user audit signin logs #342

Merged
merged 9 commits into from
Jul 20, 2023
Merged

Cy 496 o365 user audit signin logs #342

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
4e4d267
Add ErrorCode and LogonError Field mapping
mahirchavda Jun 29, 2023
4904cf1
Add Cyences Authentication data model with custom fields
mahirchavda Jul 13, 2023
b1a8b09
Field extraction and use new Authentication datamodel
mahirchavda Jul 13, 2023
cda52b5
Update O365 alerts to add more field from Audit SignIn events
mahirchavda Jul 13, 2023
bf152aa
fix macro
mahirchavda Jul 13, 2023
53e8f72
resolve review comment
mahirchavda Jul 13, 2023
ba14172
filter o365 to remove duplicate events
mahirchavda Jul 13, 2023
39c1eb8
Add sourcetype everywhere and update o365 dashboard
mahirchavda Jul 13, 2023
a532982
Fix lookup field issue
mahirchavda Jul 17, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5,258 changes: 5,258 additions & 0 deletions cyences_app_for_splunk/default/data/models/Cyences_Authentication.json
View file
Open in desktop

Large diffs are not rendered by default.

4 changes: 2 additions & 2 deletions cyences_app_for_splunk/default/data/ui/views/cs_asset_intelligence.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -292,7 +292,7 @@
</input>
<table>
<search>
<query>| tstats `cs_summariesonly_authentication` values(Authentication.src) as src_ip from datamodel=Authentication where Authentication.dest_category="vpn_auth" AND $tkn_filter_authentication$ AND `cs_vpn_indexes` by _time Authentication.action Authentication.user span=1s | rename Authentication.* as *
<query>| tstats `cs_summariesonly_authentication` values(Authentication.src) as src_ip from datamodel=Cyences_Authentication where Authentication.dest_category="vpn_auth" AND $tkn_filter_authentication$ AND `cs_vpn_indexes` by _time Authentication.action Authentication.user span=1s | rename Authentication.* as *
| iplocation src_ip
| eval Country = if(isnull(Country) OR Country="", "Unknown", Country)
| eval City = if(isnull(City) OR City="", "Unknown", City) | fields _time user action src_ip City Country
Expand Down Expand Up @@ -320,7 +320,7 @@
</input>
<table>
<search>
<query>| tstats `cs_summariesonly_authentication` count from datamodel=Authentication where `cs_authentication_indexes` $tkn_filter_authentication$ Authentication.app!=OktaIM2:log Authentication.action IN ("success","failure") Authentication.app="*" `cs_authentication_app_filter` by Authentication.app Authentication.action Authentication.user, Authentication.src</query>
<query>| tstats `cs_summariesonly_authentication` count from datamodel=Cyences_Authentication where `cs_authentication_indexes` $tkn_filter_authentication$ Authentication.app!=OktaIM2:log Authentication.action IN ("success","failure") Authentication.app="*" `cs_authentication_app_filter` by Authentication.app Authentication.action Authentication.user, Authentication.src</query>
<earliest>$tkn_timeRange_authentication.earliest$</earliest>
<latest>$tkn_timeRange_authentication.latest$</latest>
</search>
Expand Down
10 changes: 5 additions & 5 deletions cyences_app_for_splunk/default/data/ui/views/cs_authentication_reports.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@
<fieldForLabel>app</fieldForLabel>
<fieldForValue>app</fieldForValue>
<search>
<query>| tstats `cs_summariesonly_authentication` count from datamodel=Authentication where `cs_authentication_indexes` `cs_authentication_app_filter` by Authentication.app | rename "Authentication.app" as app</query>
<query>| tstats `cs_summariesonly_authentication` count from datamodel=Cyences_Authentication where `cs_authentication_indexes` `cs_authentication_app_filter` by Authentication.app | rename "Authentication.app" as app</query>
<earliest>$timeRange.earliest$</earliest>
<latest>$timeRange.latest$</latest>
</search>
Expand Down Expand Up @@ -48,7 +48,7 @@
<title>All Authentications</title>
<chart>
<search>
<query>| tstats `cs_summariesonly_authentication` prestats=t count as count, dc(Authentication.user) as dc_users from datamodel=Authentication where `cs_authentication_indexes` Authentication.action IN ("success","failure") Authentication.app=$tkn_app|s$ `cs_authentication_app_filter` by _time Authentication.action
<query>| tstats `cs_summariesonly_authentication` prestats=t count as count, dc(Authentication.user) as dc_users from datamodel=Cyences_Authentication where `cs_authentication_indexes` Authentication.action IN ("success","failure") Authentication.app=$tkn_app|s$ `cs_authentication_app_filter` by _time Authentication.action
| timechart span=1h count, dc(Authentication.user) by Authentication.action
| eval "Unique Users"='dc(Authentication.user): failure'+'dc(Authentication.user): success'
| fields - "dc(Authentication.user): failure", "dc(Authentication.user): success"
Expand All @@ -75,7 +75,7 @@
<title>Authentication Failure Reasons Over Time</title>
<chart>
<search>
<query>| tstats `cs_summariesonly_authentication` prestats=t count from datamodel=Authentication where `cs_authentication_indexes` nodename=Authentication.Failed_Authentication Authentication.action=failure Authentication.app=$tkn_app|s$ `cs_authentication_app_filter` by _time Authentication.signature
<query>| tstats `cs_summariesonly_authentication` prestats=t count from datamodel=Cyences_Authentication where `cs_authentication_indexes` nodename=Authentication.Failed_Authentication Authentication.action=failure Authentication.app=$tkn_app|s$ `cs_authentication_app_filter` by _time Authentication.signature
| timechart span=1h count by Authentication.signature limit=0</query>
<earliest>$timeRange.earliest$</earliest>
<latest>$timeRange.latest$</latest>
Expand All @@ -96,7 +96,7 @@
<title>Application Authentication Success Rate</title>
<table>
<search>
<query>| tstats `cs_summariesonly_authentication` prestats=t count from datamodel=Authentication where `cs_authentication_indexes` Authentication.app!=OktaIM2:log Authentication.action IN ("success","failure") Authentication.app=$tkn_app|s$ `cs_authentication_app_filter` by Authentication.app Authentication.action | `drop_dm_object_name(Authentication)`
<query>| tstats `cs_summariesonly_authentication` prestats=t count from datamodel=Cyences_Authentication where `cs_authentication_indexes` Authentication.app!=OktaIM2:log Authentication.action IN ("success","failure") Authentication.app=$tkn_app|s$ `cs_authentication_app_filter` by Authentication.app Authentication.action | `drop_dm_object_name(Authentication)`
| chart count by app action
| addtotals
| eval "Success%" = round(success / Total * 100,2)
Expand Down Expand Up @@ -143,7 +143,7 @@
</input>
<table>
<search>
<query>| tstats `cs_summariesonly_authentication` count as count, latest(_time) as last_login from datamodel=Authentication where `cs_authentication_indexes` Authentication.action IN ("success","failure") Authentication.app=$tkn_app|s$ Authentication.user=$tkn_user|s$ `cs_authentication_app_filter` by Authentication.user, Authentication.app, Authentication.action
<query>| tstats `cs_summariesonly_authentication` count as count, latest(_time) as last_login from datamodel=Cyences_Authentication where `cs_authentication_indexes` Authentication.action IN ("success","failure") Authentication.app=$tkn_app|s$ Authentication.user=$tkn_user|s$ `cs_authentication_app_filter` by Authentication.user, Authentication.app, Authentication.action
| `drop_dm_object_name(Authentication)`
| eval over_field=user."|".app
| chart sum(count) as count, max(last_login) as last_login over over_field by action
Expand Down
2 changes: 1 addition & 1 deletion cyences_app_for_splunk/default/data/ui/views/cs_paloalto_firewall_reports.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@
<search>
<query>`cs_palo` sourcetype!="pan:log" sourcetype!="pan:globalprotect"
| stats count as Event_Count, values(dvc_name) as dvc_name, values(sourcetype) as sourcetype by host
| append [| tstats `cs_summariesonly_authentication` count as VPN from datamodel=Authentication where Authentication.dest_category="vpn_auth" AND `cs_palo` by host]
| append [| tstats `cs_summariesonly_authentication` count as VPN from datamodel=Cyences_Authentication where Authentication.dest_category="vpn_auth" AND `cs_palo` by host]
| stats values(dvc_name) as dvc_name, values(sourcetype) as sourcetype, sum(*) as * by host
| eval VPN=if(VPN&gt;0,"Global Protect Present", "Global Protect Absent") | fields - Event_Count | sort - VPN</query>
<earliest>$timeRange.earliest$</earliest>
Expand Down
2 changes: 1 addition & 1 deletion cyences_app_for_splunk/default/data/ui/views/cs_vpn_reports.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
</init>
<search id="bs0">
<query>
| tstats `cs_summariesonly_authentication` values(Authentication.src) as src_ip from datamodel=Authentication where Authentication.dest_category="vpn_auth" AND `cs_vpn_indexes` by _time Authentication.action Authentication.user Authentication.dest span=1s
| tstats `cs_summariesonly_authentication` values(Authentication.src) as src_ip from datamodel=Cyences_Authentication where Authentication.dest_category="vpn_auth" AND `cs_vpn_indexes` by _time Authentication.action Authentication.user Authentication.dest span=1s
| rename Authentication.* as *
</query>
<earliest>$time.earliest$</earliest>
Expand Down
5 changes: 5 additions & 0 deletions cyences_app_for_splunk/default/datamodels.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,3 +7,8 @@ acceleration.schedule_priority = highest
acceleration = false
acceleration.earliest_time = -6mon
acceleration.schedule_priority = highest

[Cyences_Authentication]
acceleration = false
acceleration.earliest_time = -1mon
acceleration.schedule_priority = highest
3 changes: 3 additions & 0 deletions cyences_app_for_splunk/default/eventtypes.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,9 @@ search = (sourcetype="cisco:estreamer:data" rec_type_desc="New VPN Device Logoff
[cs_o365_authentication]
search = sourcetype="o365:management:activity" Workload=AzureActiveDirectory Operation=UserLog*

[cs_o365_audit_sigin_authentication]
search = source="AuditLogs.SignIns"
mahirchavda marked this conversation as resolved.
Show resolved Hide resolved


##############
### GSuite ###
Expand Down
30 changes: 29 additions & 1 deletion cyences_app_for_splunk/default/macros.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -532,10 +532,13 @@ iseval = 0
[cs_current_week_login_count(1)]
args = sourcetypefilter
definition = eval main_event="1" \
| append [ | tstats count from datamodel=Authentication where Authentication.action="success" AND Authentication.user!="unknown" AND `cs_public_ips(Authentication.src)` AND sourcetype="$sourcetypefilter$" AND earliest="@w" latest="@d" by Authentication.app, Authentication.user, Authentication.src \
| append [ | tstats count, values(Authentication.org_country) as org_country from datamodel=Cyences_Authentication where Authentication.action="success" AND Authentication.user!="unknown" AND `cs_public_ips(Authentication.src)` AND sourcetype="$sourcetypefilter$" AND earliest="@w" latest="@d" by Authentication.app, Authentication.user, Authentication.src \
| `drop_dm_object_name(Authentication)` \
| iplocation src \
| eval user=lower(user) \
mahirchavda marked this conversation as resolved.
Show resolved Hide resolved
| eval Country = if(isnotnull(org_country), org_country, Country) \
| inputlookup cs_authentication_usual_location.csv append=true \
| eval user = lower(user) \
| stats sum(count) as count by user, app, Country \
| eventstats sum(count) as total by user, app \
| eval percentage_login_from_country = round(count*100/total, 2) \
Expand All @@ -546,6 +549,31 @@ definition = eval main_event="1" \
| fields - main_event
iseval = 0

[cs_current_week_login_count_o365]
definition = eval main_event="1" \
| append [ | tstats count, values(Authentication.org_country) as org_country from datamodel=Cyences_Authentication where Authentication.action="success" AND Authentication.user!="unknown" AND `cs_public_ips(Authentication.src)` AND `cs_o365_login_source` AND earliest="@w" latest="@d" by Authentication.app, Authentication.user, Authentication.src \
| `drop_dm_object_name(Authentication)` \
| iplocation src \
| eval user=lower(user) \
mahirchavda marked this conversation as resolved.
Show resolved Hide resolved
| eval Country = if(isnotnull(org_country), org_country, Country) \
| inputlookup cs_authentication_usual_location.csv append=true \
| eval user = lower(user) \
| stats sum(count) as count by user, app, Country \
| eventstats sum(count) as total by user, app \
| eval percentage_login_from_country = round(count*100/total, 2) \
| table user app Country percentage_login_from_country ] \
| eventstats values(eval(Country." (". percentage_login_from_country. "%)")) as usual_login_location by user, app \
| stats values(*) as * by user,app, Country \
| search main_event="1" \
| fields - main_event
iseval = 0

[cs_o365_login_source]
definition = [|search `cs_o365` (sourcetype="o365:management:activity" OR source="AuditLogs.SignIns") earliest=-2h latest=now \
| stats values(sourcetype) as sourcetype, dc(sourcetype) as count \
| eval search=if(count==2 or (count==1 and sourcetype=="o365:graph:api"), "source=AuditLogs.SignIns", "sourcetype=o365:management:activity") \
mahirchavda marked this conversation as resolved.
Show resolved Hide resolved
| table search | return $search]
iseval = 0

# ================================== #
# Update below macros based on your environment #
Expand Down
15 changes: 15 additions & 0 deletions cyences_app_for_splunk/default/props.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,21 @@ EXTRACT-msgfield = msg=(?<msg>.*)rt=\d+
[o365:management:activity]
EVAL-action = case(isnotnull(action),action,(Operation == "UserLoginFailed"),"failure",(Operation == "UserLoggedIn"),"success")

[source::AuditLogs.SignIns]
FIELDALIAS-country = location.countryOrRegion AS org_country_code
FIELDALIAS-region = location.state AS org_region
FIELDALIAS-city = location.city AS org_city
FIELDALIAS-lat = location.geoCoordinates.latitude AS org_lat
FIELDALIAS-lon = location.geoCoordinates.longitude AS org_lon
FIELDALIAS-user = userPrincipalName AS user
FIELDALIAS-src = ipAddress AS src

EVAL-action = case(isnotnull(action),action, 'status.errorCode' != 0,"failure", 'status.errorCode' == 0,"success")
EVAL-app = "AzureActiveDirectory"

LOOKUP-cs_obj_changes = cs_o365_error_codes ErrorCode AS status.errorCode OUTPUT LogonError
LOOKUP-cs_country = cs_country_code code AS location.countryOrRegion OUTPUT org_country


######################
### Global Protect ###
Expand Down
Loading
Loading