o365 logins

pacificcreek
Engager

We have been using Splunk to help monitor compromised email accounts by looking for logins from countries other than the ones we operate in. I know this isn't a foolproof method, but it gives us a good start. Last Friday our queries stopped working altogether. I suspect that Microsoft changed something. Has anyone else run into this and know a fix?

index=INDEXNAME earliest=-24h sourcetype="ms:o365:management" Workload=AzureActiveDirectory Operation=UserLoggedIn
| fields _time, user, src_ip
| iplocation src_ip
| addinfo
| where _time>relative_time(info_max_time, "-24h")
| where Country!="redacted" AND Country!="redacted" AND Country!="redacted"
| stats latest(_time) values(user) count by Country
| rename latest(*) as *, values(*) as *
| sort - _time
| fieldformat _time=strftime(_time, "%Y-%m-%d %H:%M")
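As an added example that is not part of the original post, the same detection written out in Python: filter UserLoggedIn events from the AzureActiveDirectory workload, geolocate the client IP, drop the countries the organisation operates in, and aggregate what remains by country with latest time, user list and count, exactly as the stats/rename/sort stage of the SPL does. The field names (CreationTime, Workload, Operation, UserId, ClientIP) follow the Office 365 Management Activity API common schema that the Splunk add-on maps to _time, user and src_ip; the events, the CIDR-to-country table standing in for iplocation, and the set of operating countries are all constructed for the demo. It also surfaces two things the SPL hides: a ClientIP that carries a port suffix, and events whose IP has no country at all, which a `where Country!="X"` clause silently drops because comparisons against a null field evaluate to false.

```python
"""Flag Office 365 UserLoggedIn events that geolocate outside the countries an
organisation operates in. Added example mirroring the SPL search in the post;
the events and the IP-to-country table are constructed for the demo."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed stand-in for Splunk's iplocation command: network -> country.
GEOIP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "United States"),
    (ipaddress.ip_network("198.51.100.0/24"), "Canada"),
    (ipaddress.ip_network("192.0.2.0/24"), "Brazil"),
    (ipaddress.ip_network("2001:db8::/32"), "Brazil"),
]

# Countries the organisation operates in (the redacted values in the SPL).
OPERATING_COUNTRIES = {"United States", "Canada"}

# Constructed records in the shape of Office 365 Management Activity API events.
SAMPLE_EVENTS = [
    '{"CreationTime":"2018-05-16T09:00:00","Workload":"AzureActiveDirectory","Operation":"UserLoggedIn","UserId":"bob@example.com","ClientIP":"192.0.2.44"}',
    '{"CreationTime":"2018-05-18T14:03:22","Workload":"AzureActiveDirectory","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"203.0.113.5"}',
    '{"CreationTime":"2018-05-18T14:10:00","Workload":"AzureActiveDirectory","Operation":"UserLoggedIn","UserId":"bob@example.com","ClientIP":"192.0.2.44:443"}',
    '{"CreationTime":"2018-05-18T15:00:00","Workload":"AzureActiveDirectory","Operation":"UserLoggedIn","UserId":"bob@example.com","ClientIP":"192.0.2.44"}',
    '{"CreationTime":"2018-05-18T15:30:00","Workload":"AzureActiveDirectory","Operation":"UserLoggedIn","UserId":"carol@example.com","ClientIP":"[2001:db8::10]:443"}',
    '{"CreationTime":"2018-05-18T16:00:00","Workload":"AzureActiveDirectory","Operation":"UserLoggedIn","UserId":"dave@example.com","ClientIP":"198.51.100.7"}',
    '{"CreationTime":"2018-05-18T16:10:00","Workload":"AzureActiveDirectory","Operation":"UserLoginFailed","UserId":"mallory@example.com","ClientIP":"192.0.2.9"}',
    '{"CreationTime":"2018-05-18T16:20:00","Workload":"AzureActiveDirectory","Operation":"UserLoggedIn","UserId":"erin@example.com","ClientIP":"10.0.0.5"}',
]


def client_ip(raw):
    """Parse ClientIP, stripping a port suffix ("203.0.113.5:443", "[2001:db8::10]:443")."""
    raw = raw.strip()
    if raw.startswith("["):            # bracketed IPv6 with port
        return ipaddress.ip_address(raw[1:raw.index("]")])
    if raw.count(":") == 1:            # IPv4 with port (bare IPv6 has several colons)
        raw = raw.split(":")[0]
    return ipaddress.ip_address(raw)


def lookup_country(ip):
    """Return the country for an address, or None when the table has no match."""
    for net, country in GEOIP_TABLE:
        if ip in net:
            return country
    return None


def parse_logins(lines):
    """Keep only AzureActiveDirectory UserLoggedIn events as (time, user, ip) tuples."""
    logins = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("Workload") != "AzureActiveDirectory" or ev.get("Operation") != "UserLoggedIn":
            continue
        ts = datetime.fromisoformat(ev["CreationTime"]).replace(tzinfo=timezone.utc)
        logins.append((ts, ev["UserId"], client_ip(ev["ClientIP"])))
    return logins


def foreign_logins_by_country(lines, allowed=OPERATING_COUNTRIES, window=timedelta(hours=24)):
    """Aggregate logins outside `allowed` by country: latest time, users, count,
    newest country first. The window is measured back from the newest event,
    like `addinfo` + `relative_time(info_max_time, "-24h")` in the SPL."""
    logins = parse_logins(lines)
    if not logins:
        return []
    newest = max(ts for ts, _, _ in logins)
    buckets = defaultdict(lambda: {"latest": None, "users": set(), "count": 0})
    for ts, user, ip in logins:
        if ts <= newest - window:
            continue
        country = lookup_country(ip)
        if country in allowed:
            continue
        # A null Country never passes `where Country!="X"` in SPL; report it explicitly.
        bucket = buckets[country or "Unknown"]
        bucket["count"] += 1
        bucket["users"].add(user)
        if bucket["latest"] is None or ts > bucket["latest"]:
            bucket["latest"] = ts
    rows = [
        {"Country": c, "_time": b["latest"].strftime("%Y-%m-%d %H:%M"),
         "user": sorted(b["users"]), "count": b["count"]}
        for c, b in buckets.items()
    ]
    rows.sort(key=lambda r: r["_time"], reverse=True)  # sort - _time
    return rows


if __name__ == "__main__":
    for row in foreign_logins_by_country(SAMPLE_EVENTS):
        print(row)
```

Running it on the constructed events reports two rows: "Unknown" (erin, whose private address has no country) and "Brazil" (bob twice and carol once, latest 15:30); bob's 16 May login falls outside the 24-hour window and the UserLoginFailed record is ignored. The "Unknown" row is worth keeping in a real alert: a sudden rise in it is also what a broken geolocation lookup or a changed field name looks like, which is a cheap way to notice the kind of data loss this thread is about before the alert goes quiet.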

pacificcreek
Engager

The data came back on its own today. We never did open a case with Microsoft but a sister company did. We are now getting the alerts but it just started today. Other individuals we knew to be traveling and logging in 5/17 were not logged.

0 Karma

neades
New Member

I had the same issue:

This is an issue seen across the board, not just for Splunk ingestion, but also for Cloud Access Security Brokers such as Skyhigh Networks.

If you want to solve your issue, place a detailed level B support ticket with Microsoft through the Azure support portal (portal.azure.com).

You will likely see logs come back within 24 hours.

0 Karma

markhill1
Path Finder

Yep, same here, we stopped getting the results on the 5th May.

0 Karma

MuS
SplunkTrust

A quick and dirty Google research found me this: https://developer.microsoft.com/en-us/graph/docs/concepts/changelog

Maybe you find some hints in the May 2018 changes 😉

cheers, MuS

0 Karma

centrafraserk
Path Finder

I think you are correct to assume that Microsoft changed something, because I also stopped receiving any user login authentication through the management API last Friday. So did this guy:

https://answers.splunk.com/answers/656188/only-pulling-user-change-logs-and-not-login-attemp.html

If you find an answer to the problem please let me know. It's not your query, it's the fact you no longer are receiving that data. I'm going to call support tomorrow and see if I can get some assistance; I encourage you to do the same, as it will let them know there is an issue.

0 Karma

adonio
Ultra Champion

Although I kinda get what your search is doing, I am not sure what you are asking here exactly.
I do, however, remember a couple of times that MS changed items in Azure, or had a short outage (or an anticipated one), there was a message from your company's MS admin. There is a specific account name for them and a message of what they are doing and when. I was able to capture it and set an alert on it.
Maybe this is what you are after?

0 Karma