splunk / splunk-add-on-microsoft-azure

Splunk Add-on for Microsoft Azure
Apache License 2.0

AAD signins - not all riskEventTypes_v2 values collected #63

Open hkelley opened 10 months ago

hkelley commented 10 months ago

Using the add-on, we don't see any riskyIPAddress values in the indexed riskEventTypes_v2 fields of Splunk events.

I have searched back over our entire index and don't get any hits for this:

index=azure  sourcetype="azure:aad:signin"   riskEventTypes_v2{}=*risk*

even though I can find events that should match when I query Graph directly:

Get-MgAuditLogSignIn -All -Filter "riskEventTypes_V2/any(c:c eq 'riskyIPAddress') and createdDateTime ge 2023-08-01T00:00:00Z and createdDateTime lt 2023-08-29T00:00:00Z"

An example of a Graph-fetched log:

  {
    "CorrelationId": "108e77d9-dd07-4455-8f2b-db3562c68d9d",
    "CreatedDateTime": "2023-08-16T03:31:47Z",
...
    "IPAddress": "185.220.101.20",
    "Id": "62b96348-b714-43a3-a909-cbf49e63cb00",
    "IsInteractive": true,
    "Location": {
      "City": "Schoenwalde-Glien",
      "CountryOrRegion": "DE",
...
      "State": "Brandenburg"
    },
    "ResourceDisplayName": "Office 365 Exchange Online",
    "ResourceId": "00000002-0000-0ff1-ce00-000000000000",
    "RiskDetail": "userPassedMFADrivenByRiskBasedPolicy",
    "RiskEventTypes": [
      "anonymizedIPAddress"
    ],
    "RiskEventTypesV2": [
      "anonymizedIPAddress",
      "riskyIPAddress"
    ],

and the same event logged in Splunk. Note the difference in the RiskEventTypesV2 field values:

 {
   correlationId: 108e77d9-dd07-4455-8f2b-db3562c68d9d
   createdDateTime: 2023-08-16T03:31:47Z
...
   id: 62b96348-b714-43a3-a909-cbf49e63cb00
   ipAddress: 185.220.101.20
   isInteractive: true
   riskEventTypes: [
     anonymizedIPAddress
   ]
   riskEventTypes_v2: [
     anonymizedIPAddress
   ]
   riskLevelAggregated: none
   riskLevelDuringSignIn: medium
 }

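As an added example, not code from the add-on or from anyone in this thread: a small Python reconciliation script that takes sign-in events as returned by Graph (PascalCase field names, as the PowerShell SDK emits them) and the same sign-ins as indexed by Splunk (camelCase, `riskEventTypes_v2`), joins them on the sign-in id, and reports which risk event type values were present in Graph but not in the indexed event. The sample events below are constructed for illustration; the `graph_filter` helper only rebuilds the OData filter string used in the original post for an arbitrary value and date window.

```python
"""Reconcile Azure AD sign-in riskEventTypes_v2 values between Graph and Splunk.

Added example for this issue; not part of the Splunk Add-on for Microsoft Azure.
Field names mirror the two listings in the issue: the Graph side uses the
PowerShell SDK's PascalCase names (Id, RiskEventTypesV2), the Splunk side uses
the indexed camelCase names (id, riskEventTypes_v2).
"""
from collections import defaultdict

# Constructed sample: three sign-ins as fetched from Graph.
GRAPH_EVENTS = [
    {"Id": "sign-in-1", "RiskEventTypes": ["anonymizedIPAddress"],
     "RiskEventTypesV2": ["anonymizedIPAddress", "riskyIPAddress"]},
    {"Id": "sign-in-2", "RiskEventTypes": [], "RiskEventTypesV2": []},
    {"Id": "sign-in-3", "RiskEventTypes": ["unfamiliarFeatures"],
     "RiskEventTypesV2": ["unfamiliarFeatures"]},
]

# Constructed sample: what Splunk indexed for the same sign-ins.
# sign-in-2 was never indexed; sign-in-1 lost the riskyIPAddress value.
SPLUNK_EVENTS = [
    {"id": "sign-in-1", "riskEventTypes": ["anonymizedIPAddress"],
     "riskEventTypes_v2": ["anonymizedIPAddress"]},
    {"id": "sign-in-3", "riskEventTypes": ["unfamiliarFeatures"],
     "riskEventTypes_v2": ["unfamiliarFeatures"]},
]


def index_risk_v2(events, id_key, v2_key):
    """Map sign-in id -> set of v2 risk event type values for one event source."""
    return {e[id_key]: set(e.get(v2_key) or []) for e in events}


def reconcile(graph_events, splunk_events):
    """Compare Graph against Splunk and report what the index is missing.

    Returns a dict with:
      missing_events       - sign-in ids present in Graph but not indexed at all
      dropped_values       - id -> sorted v2 values present in Graph but not in Splunk
      dropped_value_counts - v2 value -> number of indexed events that lost it
    """
    graph = index_risk_v2(graph_events, "Id", "RiskEventTypesV2")
    splunk = index_risk_v2(splunk_events, "id", "riskEventTypes_v2")

    missing_events = sorted(set(graph) - set(splunk))

    dropped_values = {}
    for sid, graph_vals in graph.items():
        if sid not in splunk:
            continue  # counted under missing_events, not as a value drop
        diff = graph_vals - splunk[sid]
        if diff:
            dropped_values[sid] = sorted(diff)

    counts = defaultdict(int)
    for vals in dropped_values.values():
        for value in vals:
            counts[value] += 1

    return {
        "missing_events": missing_events,
        "dropped_values": dropped_values,
        "dropped_value_counts": dict(counts),
    }


def graph_filter(value, start, end):
    """Build the $filter string used in the issue for one v2 value and a date window."""
    return (
        f"riskEventTypes_V2/any(c:c eq '{value}') "
        f"and createdDateTime ge {start} and createdDateTime lt {end}"
    )


if __name__ == "__main__":
    report = reconcile(GRAPH_EVENTS, SPLUNK_EVENTS)
    print("sign-ins not indexed:", report["missing_events"])
    print("values dropped per sign-in:", report["dropped_values"])
    print("drop counts per value:", report["dropped_value_counts"])
    print("re-query Graph with:",
          graph_filter("riskyIPAddress", "2023-08-01T00:00:00Z", "2023-08-29T00:00:00Z"))
```

To use this against real data, replace the two constructed lists with the JSON output of `Get-MgAuditLogSignIn` and an export of `index=azure sourcetype="azure:aad:signin"` for the same window; a non-empty `dropped_value_counts` for a value that Graph returns is the condition this issue describes, and `missing_events` separates outright ingestion gaps from field-level loss.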
JasonConger commented 10 months ago

What do you see in Microsoft Graph Explorer?

Oftentimes, the beta endpoint returns more data => https://graph.microsoft.com/beta/auditLogs/signIns. If the beta endpoint has the data you're looking for, select the beta endpoint in the Splunk input dropdown.

hkelley commented 10 months ago

The non-beta endpoint returns these values whether I use Get-MgAuditLogSignIn (see example in original note) or https://developer.microsoft.com/en-us/graph/graph-explorer (pic below).

(image: Graph Explorer screenshot)