forked from reprise99/Sentinel-Queries
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Duo-LogParserwithIdentityInfo.kql
32 lines (32 loc) · 1.07 KB
/
Duo-LogParserwithIdentityInfo.kql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
//Parser for Duo data sent to a custom table and join to identity info to correlate legacy usernames with userprincipalname
let id=
IdentityInfo
| where TimeGenerated > ago(21d)
| summarize arg_max(TimeGenerated, *) by AccountUPN
| extend DuoUserName = AccountName
| project AccountUPN, DuoUserName;
DuoLogs_CL
| where TimeGenerated > ago(1d)
| extend logs = split(SyslogMessage_s, "|")
| extend vendor = logs[1]
| extend app = logs[2]
| extend version = logs[3]
| extend event = logs[4]
| extend msg = (logs[5])
| where event == "authentication"
| extend DuoTime = EventTime_t
| extend DuoApplication = extract("cs1=(.*?) c", 1, SyslogMessage_s)
| extend DuoIPAddr = extract("src=(.*?) c", 1, SyslogMessage_s)
| extend DuoMethod = extract("cs3=(.*?) o", 1, SyslogMessage_s)
| extend DuoOutcome = extract("outcome=(.*?) r", 1, SyslogMessage_s)
| parse SyslogMessage_s with * "duser=" DuoUserName
| join kind=inner id on DuoUserName
| project
DuoTime,
DuoUserName,
AccountUPN,
DuoIPAddr,
DuoApplication,
DuoOutcome,
DuoMethod
| sort by DuoTime desc