Azure Graph API SignIn Log logstash configuration #342
Conversation
This is a minor change: only change the sort while importing Python modules. The objective is to make the code more readable and standardized.
# Conflicts: # configfiles/1010-preprocess-snare.conf # configfiles/1801-preprocess-azure.conf # configfiles/6010-snare.conf # configfiles/6901-aws.conf
|
Thank you! I've changed the base branch to the one that will be used for the pending updated release. I'm wondering if it would be better to add this handling to the existing signinlogs section ( sof-elk/configfiles/6801-azure.conf Line 58 in f8439d4 if [raw][category] == "GraphSignInLogs" or [raw][authenticationMethodsUsed] logic to line 60, and add the rename{} block and [raw][authenticationProcessingDetails] restructuring to the conditional block at line 60.
Also, do you have any samples of these logs that I could test with? Emailing them would be fine if they cannot be shared publicly. |
|
I spoke with the FOR509 team and they've been unable to find a record with Do you have information on the native Azure workflow to get logs with this category value? My strong preference is to handle logs in their most native form, rather than restructuring done by third party tools. However, in some cases that's inevitable - I just want to be sure it's an informed decision. |
|
The data for this logstash snippet is obtained using the Graph API endpoint While testing, I saw that there was already a SignInLog parser: sof-elk/configfiles/6801-azure.conf Line 60 in f8439d4 But I was unable to make sense of the category values, the key mapping (as the Microsoft documentation does not contain the property key that many of the mapped values use as well as a different capitalization of keys), and many values present in the original logs were not parsed at all. I suspect, that the parser for the sign in logs is either outdated, Microsoft changed things in the last 2-3 years, or there is another endpoint from Microsoft, which returns SignInLog data, which is not in the format of any of theese tables:
After researching a bit, it looks like, the It would be really nice, if we could merge the existing implementation and my implementation for the Graph API endpoint. Do you know, where the data, the FOR509 team ingests, is sourced from and if the current SignInLog logstash implemention is still used? |
|
Thanks for the detail - this is helpful in figuring out how to proceed. I do not want to start by using data from the MES tool, but rather with the native data format from Microsoft's own export/API/etc. As you've seen, the capitalization is one of the headaches that demonstrate the reason for this: MS exports in From the resources you've provided, these entries seem to be an entirely different object type. (Using Could you provide a sample collected from the source (directly, not from the MES tool) so I can take a closer look? The documentation links are mostly helpful, but especially in Microsoft's case, the real-world samples are commonly mismatched with the documentation so I always try to work from a sample first. I'll also defer to @Pierre450 (and @aNerdFromDuval) for their comment on the native sourcing of Azure log data. |
|
@0xffr In the FOR509 class, I store the logs in a storage account blob and retrieve them from there. That method works with every type of Azure log (except the UAL) and is reliable. |
|
SHOOT! I didn't mean to close this - it was automatic on deletion of the branch
|
|
I realized that if I re-created a branch with the same name, I can re-open this PR and then change its base. Sorry about that again! |
This pull-request contains the configuration required to parse Azure Graph API SignIn Logs.
Together with this pull-request another pull request in the Microsoft-extraction-suite repo will be opened, which adds an output option, so that the output of that tool can be seamlessly imported into the sof-elk.