We have been using Splunk to help monitor compromised email accounts by looking for logins from countries other than the ones we operate in. I know this isn't a foolproof method, but it gives us a good start. Last Friday our queries stopped working altogether. I suspect that Microsoft changed something. Has anyone else run into this and know a fix?
index=INDEXNAME earliest=-24h sourcetype="ms:o365:management" Workload=AzureActiveDirectory Operation=UserLoggedIn
| fields _time, user, src_ip
| iplocation src_ip
| addinfo
| where _time>relative_time(info_max_time, "-24h")
| where Country!="redacted" AND Country!="redacted" AND Country!="redacted"
| stats latest(_time) values(user) count by Country
| rename latest(*) as *
| rename values(*) as *
| sort - _time
| fieldformat _time=strftime(_time, "%Y-%m-%d %H:%M")
The data came back on its own today. We never did open a case with Microsoft but a sister company did. We are now getting the alerts but it just started today. Other individuals we knew to be traveling and logging in 5/17 were not logged.
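The following is an added example, not code from the original post: it reproduces the search's logic (filter to UserLoggedIn events, geolocate the client IP, drop the countries you operate in, summarize per country) over a constructed batch of ms:o365:management records, and adds the check the thread shows is missing, a heartbeat that fires when the UserLoggedIn feed itself goes quiet, since an empty result set looks identical whether there were no foreign logins or no data at all. The field names UserId, ClientIP and CreationTime, the IP-to-country table (a stand-in for `iplocation`), the allowed-country set and every record are constructed for illustration.

```python
"""Added example (not from the thread): O365 foreign-login summary plus a
feed-silence heartbeat. All records, IPs and the geo table are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed stand-in for Splunk's `iplocation` lookup (hypothetical mapping).
IP_COUNTRY = {
    "203.0.113.10": "United States",
    "198.51.100.7": "United States",
    "192.0.2.55": "Germany",
    "192.0.2.99": "Brazil",
}

# Constructed operating countries; the SPL had these as Country!="redacted".
ALLOWED_COUNTRIES = {"United States", "Canada"}

# Constructed sample of ms:o365:management records (field names assumed).
SAMPLE_EVENTS = [
    {"Workload": "AzureActiveDirectory", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
     "CreationTime": "2019-05-20T08:00:00"},
    {"Workload": "AzureActiveDirectory", "Operation": "UserLoggedIn",
     "UserId": "bob@example.com", "ClientIP": "192.0.2.55",
     "CreationTime": "2019-05-20T09:30:00"},
    {"Workload": "AzureActiveDirectory", "Operation": "UserLoggedIn",
     "UserId": "carol@example.com", "ClientIP": "192.0.2.55",
     "CreationTime": "2019-05-20T10:15:00"},
    {"Workload": "AzureActiveDirectory", "Operation": "UserLoggedIn",
     "UserId": "dave@example.com", "ClientIP": "192.0.2.99",
     "CreationTime": "2019-05-20T11:00:00"},
    # Older than 24h relative to SAMPLE_NOW: excluded by the time window.
    {"Workload": "AzureActiveDirectory", "Operation": "UserLoggedIn",
     "UserId": "erin@example.com", "ClientIP": "192.0.2.99",
     "CreationTime": "2019-05-18T11:00:00"},
    # Different operation: excluded by the Operation=UserLoggedIn filter.
    {"Workload": "AzureActiveDirectory", "Operation": "UserLoginFailed",
     "UserId": "frank@example.com", "ClientIP": "198.51.100.7",
     "CreationTime": "2019-05-20T11:30:00"},
    # IP not in the geo table: iplocation yields no Country, so the SPL's
    # `where Country!=...` evaluates false and the row is dropped.
    {"Workload": "AzureActiveDirectory", "Operation": "UserLoggedIn",
     "UserId": "grace@example.com", "ClientIP": "192.0.2.200",
     "CreationTime": "2019-05-20T07:00:00"},
]

# Constructed "now" for the sample batch (the search used info_max_time).
SAMPLE_NOW = datetime(2019, 5, 20, 12, 0, tzinfo=timezone.utc)


def parse_time(value):
    """CreationTime in these records is naive ISO 8601 in UTC."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def login_events(events, window_start=None):
    """Base search: Workload/Operation filter plus optional time window."""
    for event in events:
        if event.get("Workload") != "AzureActiveDirectory":
            continue
        if event.get("Operation") != "UserLoggedIn":
            continue
        ts = parse_time(event["CreationTime"])
        if window_start is None or ts >= window_start:
            yield ts, event


def foreign_logins_by_country(events, now, allowed, lookup=IP_COUNTRY):
    """Mirror of `stats latest(_time) values(user) count by Country`,
    restricted to countries outside the allow-list, newest country first."""
    summary = {}
    for ts, event in login_events(events, now - timedelta(hours=24)):
        country = lookup.get(event["ClientIP"])
        if country is None or country in allowed:
            continue
        row = summary.setdefault(country, {"_time": ts, "user": set(), "count": 0})
        row["_time"] = max(row["_time"], ts)
        row["user"].add(event["UserId"])
        row["count"] += 1
    return sorted(summary.items(), key=lambda kv: kv[1]["_time"], reverse=True)


def feed_is_silent(events, now, max_gap_hours=24):
    """Heartbeat: True when no UserLoggedIn event has arrived within the gap.
    Run alongside the detection so a dead feed is not mistaken for 'no hits'."""
    times = [ts for ts, _ in login_events(events)]
    return not times or now - max(times) > timedelta(hours=max_gap_hours)


if __name__ == "__main__":
    for country, row in foreign_logins_by_country(SAMPLE_EVENTS, SAMPLE_NOW, ALLOWED_COUNTRIES):
        print(row["_time"].strftime("%Y-%m-%d %H:%M"), country, row["count"], sorted(row["user"]))
    print("feed silent:", feed_is_silent(SAMPLE_EVENTS, SAMPLE_NOW))
```

In Splunk terms the heartbeat is a second scheduled search over the same sourcetype that alerts on `count=0` for UserLoggedIn in the last 24 hours; in the situation the thread describes it would have fired on Friday rather than leaving the foreign-login alert silently empty.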
I had the same issue:
This is an issue seen across the board, not just for Splunk ingestion, but also for Cloud Access Security Brokers such as Skyhigh Networks.
If you want to solve your issue, place a detailed level B support ticket with Microsoft through the Azure support portal (portal.azure.com).
You will likely see logs come back within 24 hours.
I think you are correct to assume that Microsoft changed something, because I also stopped receiving any user login authentication through the management API last Friday. So did this guy:
If you find an answer to the problem, please let me know. It's not your query; it's the fact that you are no longer receiving that data. I'm going to call support tomorrow and see if I can get some assistance; I encourage you to do the same, as it will let them know there is an issue.
Although I kinda get what your search is doing, I am not sure what you are asking here exactly.
I do, however, remember a couple of times when MS changed items in Azure, or had a short outage (or an anticipated one), there was a message from your company's MS admin; there is a specific account name for them and a message of what they are doing and when. I was able to capture it and set an alert on it.
Maybe this is what you are after?