
o365 logins

pacificcreek
Engager

We have been using Splunk to help monitor compromised email accounts by looking for logins from countries other than the ones we operate in. I know this isn't a foolproof method, but it gives us a good start. Last Friday our queries stopped working altogether. I suspect that Microsoft changed something. Has anyone else run into this and know a fix?

index=INDEXNAME earliest=-24h sourcetype="ms:o365:management" Workload=AzureActiveDirectory Operation=UserLoggedIn
| fields _time, user, src_ip
| iplocation src_ip
| addinfo
| where _time>relative_time(info_max_time, "-24h")
| where Country!="redacted" AND Country!="redacted" AND Country!="redacted"
| stats latest(_time) values(user) count by Country
| rename latest(*) as *, values(*) as *
| sort - _time
| fieldformat _time=strftime(_time, "%Y-%m-%d %H:%M")
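The search above in plain Python, as an added example that is not part of the original post or of the Splunk add-on. It runs the same logic (UserLoggedIn events in the window, geolocate the source IP, drop home countries, summarise by country) over constructed O365 Management Activity API records, and adds the check this thread shows is missing: when Microsoft stops delivering UserLoggedIn records, the detection returns zero rows, which looks exactly like "nobody logged in from abroad", so a separate heartbeat on the feed is needed. Assumed names: the raw API field names (CreationTime, Workload, Operation, UserId, ClientIP, which the add-on aliases to _time, user, src_ip), a constructed GEO table standing in for iplocation, and constructed sample events.

```python
"""Foreign-country O365 login triage plus a feed-health check (added example,
not code from the thread). Field names are those of O365 Management Activity
API records; GEO stands in for the Splunk `iplocation` lookup."""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed geolocation table (documentation prefixes only).
GEO = {
    ip_network("192.0.2.0/24"): "United States",
    ip_network("198.51.100.0/24"): "Germany",
    ip_network("203.0.113.0/24"): "Nigeria",
}
HOME_COUNTRIES = {"United States", "Germany"}           # the post's "redacted" values
NOW = datetime(2018, 5, 21, 12, 0, tzinfo=timezone.utc)  # fixed "now" for reproducibility


def _event(ts, op, user, ip):
    # Constructed Management Activity API record, before the add-on aliases
    # UserId -> user and ClientIP -> src_ip.
    return {"CreationTime": ts, "Workload": "AzureActiveDirectory",
            "Operation": op, "UserId": user, "ClientIP": ip}


# Healthy feed: home logins, foreign logins, an unresolvable source, a stale event.
SAMPLE_EVENTS = [
    _event("2018-05-21T08:15:02", "UserLoggedIn", "alice@example.com", "192.0.2.10"),
    _event("2018-05-21T09:40:11", "UserLoggedIn", "bob@example.com", "203.0.113.7"),
    _event("2018-05-21T10:02:45", "UserLoggedIn", "carol@example.com", "203.0.113.9"),
    _event("2018-05-21T10:30:00", "Update user.", "admin@example.com", "192.0.2.5"),
    _event("2018-05-21T11:05:30", "UserLoggedIn", "erin@example.com", "10.0.0.5"),
    _event("2018-05-19T10:30:00", "UserLoggedIn", "dave@example.com", "203.0.113.7"),
]
# Broken feed as described in the thread: directory changes still arrive,
# UserLoggedIn records do not (constructed).
DEAD_FEED_EVENTS = [
    _event("2018-05-21T10:30:00", "Update user.", "admin@example.com", "192.0.2.5"),
    _event("2018-05-21T11:10:00", "Add member to group.", "admin@example.com", "192.0.2.5"),
    _event("2018-05-18T09:00:00", "UserLoggedIn", "dave@example.com", "203.0.113.7"),
]


def parse_time(ts):
    """CreationTime is UTC without an offset; attach one so comparisons are sane."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def geolocate(ip, geo=GEO):
    """Longest-match-free toy lookup: first prefix containing the address, else None."""
    addr = ip_address(ip)
    return next((country for net, country in geo.items() if addr in net), None)


def foreign_logins(events, now=NOW, window=timedelta(hours=24),
                   home=HOME_COUNTRIES, geo=GEO):
    """Mirror of the SPL: UserLoggedIn within the window, geolocated, home
    countries removed, then latest(_time) / values(user) / count by Country,
    newest first. One deliberate difference: `where Country!=...` in SPL drops
    events whose IP has no geolocation (a null comparison is not true), so
    private-range or unresolvable sources vanish; here they land in "Unknown"."""
    cutoff = now - window
    by_country = {}
    for ev in events:
        if ev["Workload"] != "AzureActiveDirectory" or ev["Operation"] != "UserLoggedIn":
            continue
        t = parse_time(ev["CreationTime"])
        if t <= cutoff:
            continue
        country = geolocate(ev["ClientIP"], geo) or "Unknown"
        if country in home:
            continue
        row = by_country.setdefault(country, {"latest": t, "users": set(), "count": 0})
        row["latest"] = max(row["latest"], t)
        row["users"].add(ev["UserId"])
        row["count"] += 1
    return sorted(
        ({"Country": c, "latest": r["latest"], "users": sorted(r["users"]),
          "count": r["count"]} for c, r in by_country.items()),
        key=lambda r: r["latest"], reverse=True)


def feed_is_alive(events, now=NOW, max_silence=timedelta(hours=2)):
    """Heartbeat: has at least one UserLoggedIn record arrived recently?
    Zero rows from foreign_logins() is only good news when this is True."""
    cutoff = now - max_silence
    return any(ev["Operation"] == "UserLoggedIn" and parse_time(ev["CreationTime"]) > cutoff
               for ev in events)


if __name__ == "__main__":
    for label, evs in (("healthy", SAMPLE_EVENTS), ("dead", DEAD_FEED_EVENTS)):
        print(f"[{label}] feed alive: {feed_is_alive(evs)}")
        for row in foreign_logins(evs):
            print(f"  {row['latest']:%Y-%m-%d %H:%M}  {row['Country']:<10} "
                  f"{row['count']}  {', '.join(row['users'])}")
```

The "dead" scenario is the one the thread describes: the detection produces nothing and looks clean, while the heartbeat reports the feed as down. In Splunk the equivalent is a second scheduled search that alerts when `count` of UserLoggedIn events over the last couple of hours is zero, independent of the country filter.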


pacificcreek
Engager

The data came back on its own today. We never did open a case with Microsoft, but a sister company did. We are now getting the alerts, but it just started today. Other individuals we knew to be traveling and logging in on 5/17 were not logged.


neades
New Member

I had the same issue:

This is an issue seen across the board, not just for Splunk ingestion, but also for Cloud Access Security Brokers such as Skyhigh Networks.

If you want to solve your issue, place a detailed level B support ticket with Microsoft through the Azure support portal (portal.azure.com).

You will likely see logs come back within 24 hours.


markhill1
Path Finder

Yep, same here; we stopped getting the results on the 5th of May.


MuS
SplunkTrust

A quick and dirty Google search found me this: https://developer.microsoft.com/en-us/graph/docs/concepts/changelog

Maybe you'll find some hints in the May 2018 changes 😉

cheers, MuS


centrafraserk
Path Finder

I think you are correct to assume that Microsoft changed something, because I also stopped receiving any user login authentication events through the management API last Friday. So did this guy:

https://answers.splunk.com/answers/656188/only-pulling-user-change-logs-and-not-login-attemp.html

If you find an answer to the problem, please let me know. It's not your query; it's the fact that you are no longer receiving that data. I'm going to call support tomorrow and see if I can get some assistance. I encourage you to do the same, as it will let them know there is an issue.


adonio
SplunkTrust

Although I kind of get what your search is doing, I am not sure what you are asking here exactly.
I do, however, remember a couple of times when MS changed items in Azure, or had a short outage (or anticipated one): there was a message from your company's MS admin. There is a specific account name for them, and a message of what they are doing and when. I was able to capture it and set an alert on it.
Maybe this is what you are after?
