Security

Is there a Splunk App or Add-on that will help read and comprehend ADFS 3.0 authentication logs?

mgrulke
Explorer

We are working on making sense of our ADFS 3.0 authentication logs.

We are currently looking into tying the IP address from these 3 "AD FS Auditing" source logs:
1) EventCode 410 has the IP address and Activity_ID.
2) EventCode 500 has the username.
3) EventCode 299 has both the Activity_ID and Instance_ID (which we need to use to correlate the 410 and 500 from different hosts).

We are currently looking at a way to tie all 3 together if we know one of the fields, such as a few bad IPs trying to authenticate as a compromised user.

Is there anyone else out there trying to make sense of ADFS authentication logs and if so, are there any tools or Splunk Apps that may be of help? We are close on our script but I would have to think there's a better way or Splunk Add-on or App.

Thanks

skrok
New Member

Not really, this is what I was looking for:

host=adfs.contoso.com EventCode=501 x-ms-forwarded-client-ip | rex "(?<ip>\d+\.\d+\.\d+\.\d+)" | rex "(?<user>CHICO.+)" | table user,ip,_time | iplocation ip

This last query fixed my issue. I'm not sure if running the | transaction Activity_ID Instance_ID on other queries made Splunk learn/group adfs transactions or if this was being logged all along and I couldn't find it.

0 Karma

mgrulke
Explorer

Ah, in our ADFS logs the IPs are in a separate log, and the only way to correlate them that I have found is to use the 299 event, which has both the Activity_ID from the 410 event and the Instance_ID from the 500 event, allowing you to tie them together.
The 500 events have the username and the 410s or 403s have the IP.

0 Karma

mgrulke
Explorer

Well, we haven't had any luck with an application for this; however, one of our Linux guys is very good with Splunk searches and helped us create this dashboard. The user_tok is taken from the dashboard. It basically searches for any logons for that username and gives us the IP address.

sourcetype="WinEventLog:security" host="hostsnameshere" ((EventCode=299 OR EventCode=410 OR EventCode=403) OR (EventCode=500 $user_tok$)) | streamstats last(username) as User_Name by Instance_ID | transaction Activity_ID maxspan=1s | where User_Name!="" | rename X_MS_Forwarded_Client_IP as Client_IP2 | table _time Activity_ID Client_IP2 Client_IP Instance_ID User_Name

We have a reverse one that looks at any logons from IPs we've identified as bad as well, if it's of any interest to you.

0 Karma
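The join that the thread describes (410/403 carries the client IP and Activity_ID, 500 carries the username and Instance_ID, 299 carries both IDs and links them), written out as an added Python example rather than a Splunk search. This is my code, not the poster's dashboard search or a Splunk add-on. It runs over constructed sample events that are already field-extracted the way Splunk would present them; the field names (EventCode, Activity_ID, Instance_ID, username, Client_IP, X_MS_Forwarded_Client_IP) are taken from the searches in the thread, and it assumes that X_MS_Forwarded_Client_IP, when present, is the address to report because behind a Web Application Proxy the plain Client_IP is the proxy itself. It covers both directions mentioned in the post: IPs for a given user, and users seen from a set of known-bad IPs. A 410 with no matching 299 is dropped rather than attributed to a guessed user.

```python
"""Join AD FS 3.0 audit events:
410/403 (client IP, Activity_ID) -> 299 (Activity_ID, Instance_ID) -> 500 (Instance_ID, user)."""
from collections import defaultdict

# Constructed sample events (not real AD FS logs), already field-extracted as
# Splunk would show them. Field names follow the searches in the thread.
SAMPLE_EVENTS = [
    {"EventCode": 410, "host": "adfs01", "Activity_ID": "A-1",
     "Client_IP": "10.0.0.5", "X_MS_Forwarded_Client_IP": "203.0.113.10"},
    {"EventCode": 500, "host": "adfs02", "Instance_ID": "I-1", "username": "CONTOSO\\alice"},
    {"EventCode": 299, "host": "adfs02", "Activity_ID": "A-1", "Instance_ID": "I-1"},
    # The thread says 403s carry the IP too, so they are treated like 410s.
    {"EventCode": 403, "host": "adfs01", "Activity_ID": "A-2",
     "Client_IP": "10.0.0.5", "X_MS_Forwarded_Client_IP": "198.51.100.7"},
    {"EventCode": 500, "host": "adfs01", "Instance_ID": "I-2", "username": "CONTOSO\\bob"},
    {"EventCode": 299, "host": "adfs01", "Activity_ID": "A-2", "Instance_ID": "I-2"},
    # Direct (non-proxied) logon: only Client_IP is present.
    {"EventCode": 410, "host": "adfs02", "Activity_ID": "A-3", "Client_IP": "192.0.2.44"},
    {"EventCode": 500, "host": "adfs02", "Instance_ID": "I-3", "username": "CONTOSO\\alice"},
    {"EventCode": 299, "host": "adfs02", "Activity_ID": "A-3", "Instance_ID": "I-3"},
    # 410 with no matching 299: half a chain, cannot be tied to a user, is dropped.
    {"EventCode": 410, "host": "adfs01", "Activity_ID": "A-4",
     "Client_IP": "10.0.0.5", "X_MS_Forwarded_Client_IP": "203.0.113.99"},
]


def client_ip(event):
    """Assumption: X_MS_Forwarded_Client_IP is the real client when AD FS sits
    behind a proxy, and Client_IP is then the proxy; prefer the forwarded one."""
    return event.get("X_MS_Forwarded_Client_IP") or event.get("Client_IP")


def correlate(events):
    """Return one row per completed 410/403 -> 299 -> 500 chain, in 299 order."""
    ip_by_activity = {}      # Activity_ID -> client IP (from 410/403)
    user_by_instance = {}    # Instance_ID -> username (from 500)
    links = []               # (Activity_ID, Instance_ID) pairs from 299
    for e in events:
        code = e["EventCode"]
        if code in (410, 403):
            ip_by_activity[e["Activity_ID"]] = client_ip(e)
        elif code == 500:
            user_by_instance[e["Instance_ID"]] = e["username"]
        elif code == 299:
            links.append((e["Activity_ID"], e["Instance_ID"]))
    rows = []
    for activity_id, instance_id in links:
        ip = ip_by_activity.get(activity_id)
        user = user_by_instance.get(instance_id)
        if ip is None or user is None:
            continue  # incomplete chain, e.g. the IP event was logged on a host we do not index
        rows.append({"Activity_ID": activity_id, "Instance_ID": instance_id,
                     "Client_IP": ip, "User_Name": user})
    return rows


def ips_for_user(rows, user):
    """Dashboard direction: every source IP a given account authenticated from."""
    return sorted({r["Client_IP"] for r in rows if r["User_Name"] == user})


def users_from_ips(rows, bad_ips):
    """Reverse direction: which accounts a set of known-bad IPs authenticated as."""
    hits = defaultdict(set)
    for r in rows:
        if r["Client_IP"] in bad_ips:
            hits[r["Client_IP"]].add(r["User_Name"])
    return {ip: sorted(users) for ip, users in hits.items()}


if __name__ == "__main__":
    rows = correlate(SAMPLE_EVENTS)
    for row in rows:
        print(row)
    print(ips_for_user(rows, "CONTOSO\\alice"))
    print(users_from_ips(rows, {"203.0.113.10", "203.0.113.99"}))
```

The two dictionaries are the same idea as the streamstats/transaction pairing in the search above: the 299 is the only event that sees both IDs, so it is the join table, and nothing is reported unless both halves are present. In production you would also key on a time window, since an Activity_ID or Instance_ID could in principle recur across a long retention period.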

aaraneta_splunk
Splunk Employee

Hi @mgrulke - Did your answer provide a working solution to your question? If yes and you would like to close out your post, don't forget to click "Accept". But if you'd like to keep it open for possibilities of other answers, you don't have to take action on it yet. Thanks!

0 Karma

jmjssplunkthing
New Member

@mgrulke Can you post the reverse one?

0 Karma

skrok
New Member

Did you find an answer? I'd love to get a nice UID & IP Report.

I am looking up IPs in ADFS logs to track down some things:

EventCode=501 [search EventCode=299 [search | table Activity_ID] | table Instance_ID | rename Instance_ID as search]

I'm still working to get a better query, but yeah: one query to find the Activity ID, then search for the Instance IDs, and the User ID probably needs to be extracted next because it doesn't auto-extract and is in the message text. Regex should work otherwise.

It would be awesome if there were an add-on for this.

0 Karma