splunk / splunk-add-on-microsoft-azure

Splunk Add-on for Microsoft Azure
Apache License 2.0

Authentication protocol field in SignIn logs #56

Closed cdc-eba closed 1 year ago

cdc-eba commented 1 year ago

Hello,

I am not able to find the Authentication Protocol field in the SignIn logs. I am wondering if it is actually possible to retrieve it, as I can see the option to filter in the Azure Portal / SignIn view.

If it is possible, this information could be valuable, especially to detect the Device Code attack that has been described here: https://aadinternals.com/post/phishing/.

Best,

cdc-eba commented 1 year ago

This needs to use the beta version of the API on this file: https://github.com/splunk/splunk-add-on-microsoft-azure/blob/main/package/default/inputs.conf#L2

Is this planned to use the beta version sometime in the future?

JasonConger commented 1 year ago

You can specify the endpoint (v1.0 or Beta) when creating an input.

cdc-eba commented 1 year ago

Great thanks!!
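
The detection this thread is after, as an added example that is not part of the thread or of the add-on's code: a triage pass over exported sign-in events that flags device code sign-ins and counts records that carry no protocol field, which is what an input still on the v1.0 endpoint produces. It assumes the beta sign-in record names the field `authenticationProtocol` and uses the value `deviceCode`; the sample events are constructed.

```python
import json

# Constructed sample events, one JSON object per line, shaped like Graph signIn
# records. Assumption: the beta endpoint names the field "authenticationProtocol"
# and reports "deviceCode" for the device code flow; v1.0 records lack the field.
SAMPLE_EVENTS = """
{"id": "1", "createdDateTime": "2024-01-10T08:00:00Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Microsoft Office", "ipAddress": "203.0.113.10", "authenticationProtocol": "deviceCode"}
{"id": "2", "createdDateTime": "2024-01-10T08:05:00Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Azure Portal", "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2"}
{"id": "3", "createdDateTime": "2024-01-10T08:09:00Z", "userPrincipalName": "carol@example.com", "appDisplayName": "Azure Portal", "ipAddress": "198.51.100.9"}
this line is not JSON
"""

def triage_signins(lines):
    """Split sign-in events into device code hits and coverage gaps."""
    result = {"device_code": [], "other": 0, "no_protocol_field": 0, "unparsed": 0}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            result["unparsed"] += 1
            continue
        if not isinstance(event, dict):
            result["unparsed"] += 1
            continue
        protocol = event.get("authenticationProtocol")
        if protocol is None:
            # No field at all: the detection is blind for this record,
            # which is the situation described in the thread for v1.0 data.
            result["no_protocol_field"] += 1
        elif str(protocol).lower() == "devicecode":
            result["device_code"].append({
                "time": event.get("createdDateTime"),
                "user": event.get("userPrincipalName"),
                "app": event.get("appDisplayName"),
                "ip": event.get("ipAddress"),
            })
        else:
            result["other"] += 1
    return result

if __name__ == "__main__":
    report = triage_signins(SAMPLE_EVENTS.splitlines())
    for hit in report["device_code"]:
        print("device code sign-in:", hit)
    print("records without protocol field:", report["no_protocol_field"])
```

A non-zero count of records without the field means the detection has no visibility for them, so check which endpoint the input was created with.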