General enhancement request #40

Open
a-blume opened this issue Jan 11, 2023 · 5 comments

Comments

@a-blume

a-blume commented Jan 11, 2023

After getting all the Azure AD inputs to work (enterprise environment), I thought I might as well dump my fixes somewhere, in case you think it would be a good idea to improve the add-on/wiki with them. Apologies for the wall of text.

1. TA-MS-AAD\appserver\static\js\build\globalConfig.json at line 1421: default value for name should be azure:aad:device, not 86400
2. TA-MS-AAD\appserver\static\js\build\globalConfig.json at line 1421: add defaultValue with value e.g. 86400, which is missing in this section
3. Add stanza for sourcetype azure:aad:device to props.conf

```
[azure:aad:device]
SHOULD_LINEMERGE = 0
TRUNCATE = 0
DATETIME_CONFIG = CURRENT
```

4. Add stanza for sourcetype azure:aad:identity_protection:risk_detection to props.conf

Sample timestamp: 2023-01-11T05:29:18.0996085Z
Maybe add this, as microseconds is probably good enough: TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N
If so, MAX_TIMESTAMP_LOOKAHEAD = 26

```
[azure:aad:identity_protection:risk_detection]
SHOULD_LINEMERGE = 0
TIME_PREFIX = \"lastUpdatedDateTime\":\s*\"
MAX_TIMESTAMP_LOOKAHEAD = 30
```

5. Add stanza for sourcetype azure:aad:identity_protection:risky_user to props.conf (same time format as risk detection)

```
[azure:aad:identity_protection:risky_user]
SHOULD_LINEMERGE = 0
TIME_PREFIX = \"riskLastUpdatedDateTime\":\s*\"
MAX_TIMESTAMP_LOOKAHEAD = 30
```

6. MAX_TIMESTAMP_LOOKAHEAD missing for add-on logs

```
[source::...ta_ms_aad*.log*]
MAX_TIMESTAMP_LOOKAHEAD = 23

[source::...ta-ms-aad*.log*]
MAX_TIMESTAMP_LOOKAHEAD = 23
```

7. The Add-on Required Permissions matrix (Google sheet) is missing information around the risky_user input/endpoint (role IdentityRiskyUser.Read.All). However, the API endpoint is listed on the wiki page.
   https://docs.google.com/spreadsheets/d/1YJAqNmcXZU-7O9CxVKupOkR6q2S8TXriMeLAUMYmMs4/edit#gid=0

8. Maybe clarify on the wiki that firewall openings will be required towards both of these domains for the Azure AD inputs, since most likely a Heavy Forwarder running this won't have any internet access by default in an enterprise environment (it takes some time to figure out by inspecting the Python scripts):
   login.microsoftonline.com TCP/443
   graph.microsoft.com TCP/443

Edit: added bullet 9)

9. Minor CIM fix for Authentication and an attempt to map audit logs to Change in props.conf. Might want to add an eventtype and tags for the latter as well.

```
[azure:aad:signin]
EVAL-dest = if(resourceDisplayName == "","https://login.microsoftonline.com",lower(replace(resourceDisplayName, " ", ".")))
EVAL-authentication_service = "AzureAD"

[azure:aad:audit]
EVAL-object = case(category IN("Device","Policy","GroupManagement"),'targetResources{}.displayName', category=="UserManagement",'targetResources{}.userPrincipalName', true(), null())
EVAL-src_user = case(category=="UserManagement", 'initiatedBy.user.userPrincipalName', true(), null())
EVAL-user = case(category=="UserManagement", 'targetResources{}.userPrincipalName', true(),'initiatedBy.user.userPrincipalName')
EVAL-object_id = 'targetResources{}.id'
EVAL-object_category = lower(if('targetResources{}.type'=="Directory","core_directory",'targetResources{}.type'))
EVAL-action = case(operationType=="Update" OR operationType=="Restore","updated",operationType=="Add",if(match(activityDisplayName,"Add*"),"created","updated"),operationType=="Delete","deleted",true(),null())
# replace() strips the literal prefix; ltrim() treats its second argument as a set of
# characters and would also eat leading characters of the tenant id itself
EVAL-dest = replace(source, "^ms_aad_audit:tenant_id:", "")
EVAL-src = case('initiatedBy.user.ipAddress' IN("null",""), null(), true(), 'initiatedBy.user.ipAddress')
EVAL-vendor_product = "Microsoft Azure Active Directory"
FIELDALIAS-status = result AS status
FIELDALIAS-dvc = loggedByService AS dvc
```
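As an added check (not part of the issue or the add-on), the following Python script emulates how Splunk applies TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT, and runs the proposed risk_detection, risky_user and add-on-log stanzas over constructed sample events. It assumes Python-logging-style timestamps in the add-on's own ta_ms_aad*.log lines and that sub-second digits beyond six are truncated to microseconds.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (not real tenant data); Graph emits seven fractional digits.
RISK_DETECTION = ('{"id":"rd-1","riskEventType":"unfamiliarFeatures",'
                  '"lastUpdatedDateTime": "2023-01-11T05:29:18.0996085Z"}')
RISKY_USER = ('{"id":"ru-1","riskLevel":"medium",'
              '"riskLastUpdatedDateTime":"2023-01-11T05:29:18.0996085Z"}')
ADDON_LOG = '2023-01-11 05:29:18,099 INFO pid=4242 | Starting input'  # assumed ta_ms_aad*.log layout

TOKENS = {"%Y": r"(?P<Y>\d{4})", "%m": r"(?P<m>\d{2})", "%d": r"(?P<d>\d{2})",
          "%H": r"(?P<H>\d{2})", "%M": r"(?P<M>\d{2})", "%S": r"(?P<S>\d{2})",
          "%6N": r"(?P<N>\d{1,9})", "%3N": r"(?P<N>\d{1,9})"}

def time_format_to_regex(fmt):
    """Translate the TIME_FORMAT subset used in the stanzas into a regex (%N has no strptime form)."""
    out, i = "", 0
    while i < len(fmt):
        tok = next((t for t in TOKENS if fmt.startswith(t, i)), None)
        out += TOKENS[tok] if tok else re.escape(fmt[i])
        i += len(tok) if tok else 1
    return out

def extract_timestamp(event, time_prefix, lookahead, fmt):
    """Mimic Splunk: find TIME_PREFIX, then parse only the next MAX_TIMESTAMP_LOOKAHEAD
    characters with TIME_FORMAT. Returns an aware datetime, or None when parsing fails."""
    m = re.search(time_prefix, event) if time_prefix else None
    if time_prefix and not m:
        return None
    window = event[m.end() if m else 0:][:lookahead]   # text past the window is never read
    t = re.match(time_format_to_regex(fmt), window)
    if not t:
        return None
    g = t.groupdict()
    frac = (g.pop("N", None) or "0")[:6].ljust(6, "0")  # assumption: >6 digits truncated
    return datetime(*(int(g[k]) for k in "YmdHMS"), int(frac), tzinfo=timezone.utc)

ISO_FMT = "%Y-%m-%dT%H:%M:%S.%6N"

def check_stanzas():
    """Apply each proposed stanza to its sample event. A window shorter than 21
    characters cannot reach the fraction ISO_FMT demands, so that case fails."""
    return {
        "risk_detection": extract_timestamp(RISK_DETECTION, r'\"lastUpdatedDateTime\":\s*\"', 30, ISO_FMT),
        "risky_user": extract_timestamp(RISKY_USER, r'\"riskLastUpdatedDateTime\":\s*\"', 30, ISO_FMT),
        "addon_log": extract_timestamp(ADDON_LOG, None, 23, "%Y-%m-%d %H:%M:%S,%3N"),
        "too_short": extract_timestamp(RISK_DETECTION, r'\"lastUpdatedDateTime\":\s*\"', 20, ISO_FMT),
    }
```

Running it with a lookahead of 26 instead of 30 on the risk_detection event yields the same microsecond timestamp, which is the value the author proposes alongside %6N.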
@kcphilipm

Thanks for this post. A quick question for you. Were you able to get MFA statistics pulled from Azure?

@a-blume

a-blume commented Jan 23, 2023

> Thanks for this post. A quick question for you. Were you able to get MFA statistics pulled from Azure?

Yes, MFA challenges are included in the signin logs (with status.additionalDetails, status.errorCode, status.failureReason). Not the best example of the response in the API docs, but the format looks like this: https://learn.microsoft.com/en-us/graph/api/signin-list?view=graph-rest-1.0&tabs=http

@kcphilipm

What I am trying to get into my dashboard is the MFA registration statistics that don't seem to be coming across in the Microsoft Azure App for Splunk. The "Accounts without Multi-Factor Authentication" panel is not populating. I can see this data in the Azure portal and I assumed this was going to be pulled by the Splunk Add-on for Azure.

Microsoft Data:
https://portal.azure.com/#view/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/~/UserRegistrationDetails

@kcphilipm

a-blume, you can contact me directly if you'd like: pmein _ at _ jccc.edu

@a-blume

a-blume commented Feb 2, 2023

I looked into the app, and to populate the "Accounts without MFA" panel it should be the sourcetype azure:securityCenter:task. We haven't onboarded that data yet ourselves, but I believe the input "Azure Security Center Alerts & Tasks" is what you're looking for.
