Splunk Enterprise Security

AD FS integration with Splunk

pbcahill
New Member

I’m in the process of on-boarding ADFS as an authentication and authorization log source for a number of applications that use ADFS to authenticate for a large number of related parties.

We’re looking to create derived security events as follows:
1. Logon Success by application,
2. Logon Failure by application,
3. Logoff by application.

I’ve on-boarded the unfiltered security logs for a sub-set of our ADFS servers and have analysed the large number of events produced.

I successfully correlated 299, 500 and 501 event codes to produce event items by time that include the target application server's domain name (relying server) and user credentials for successful login and refresh ADFS security events.

I'm now working to refine the correlation for the logon failure events, which in some ways are more important from a security perspective. I have a time stamp and credentials but don’t see the relying host name in the associated event type 4625 security events and don’t see a relationship with the 299 event code that carries the relying host name.

Given the following: "User goes to the Application-> Application Redirects the Federated domain’s user to ADFS-> ADFS sends the user to AD for Kerberos Authentication-> If Kerberos Authentication succeeds, ADFS crafts a SAML token as per the Relying Party claims configuration-> User presents that SAML token to the application-> If Application identifies the token, it authorizes the user to access the Application".

In the above flow, if the Kerberos authentication fails, then the SAML token would not be crafted (because the authentication flow didn’t complete) and hence no event log is generated for any Relying Party. That’s why we are not seeing the Relying Party name in the failed logon requests.

Can we correlate the ADFS request with the Kerberos failure event? Does the Kerberos application know about the relay host? Does the Kerberos application see the target relay host required to find the access groups?

For the logoff event, we may be able to generate these events by knowing the session timeout and combining these with the explicit 4647 session events. The idea is to generate virtual events following logon events with no refresh events within the session timeout values.

Any thoughts you may wish to share would be appreciated. Any Apps that do this out of the box would be of interest.

Given this capability, it would provide a valuable source of events to feed into the SIEM component regarding a large number of federated applications.

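One way to express the correlation described in this post as code (an added example, not part of the post or of any Splunk app): it models the 299/500/501 join on a shared instance ID and the virtual-logoff rule (session timeout or an earlier explicit 4647) over constructed sample events in Python, so the logic can be checked before it is written as an SPL search. The field names, the shared `instance_id`, the 30-minute timeout and the `now` cut-off are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample AD FS / Windows security events (not real log data). The
# instance_id shared by 299/500/501 and the field names are assumptions.
EVENTS = [
    {"time": "2024-01-01T09:00:00", "code": 299, "instance_id": "A1", "relying_party": "https://app1.example.com"},
    {"time": "2024-01-01T09:00:01", "code": 500, "instance_id": "A1", "user": "alice"},
    {"time": "2024-01-01T09:05:00", "code": 299, "instance_id": "B1", "relying_party": "https://app2.example.com"},
    {"time": "2024-01-01T09:05:01", "code": 501, "instance_id": "B1", "user": "bob"},
    {"time": "2024-01-01T09:20:00", "code": 299, "instance_id": "A2", "relying_party": "https://app1.example.com"},
    {"time": "2024-01-01T09:20:01", "code": 500, "instance_id": "A2", "user": "alice"},  # token refresh
    {"time": "2024-01-01T09:25:00", "code": 4647, "user": "bob"},  # explicit logoff
]
SESSION_TIMEOUT = timedelta(minutes=30)  # assumed relying-party session lifetime

def correlate_logons(events):
    """Logon-success events: join 299 (relying party) with 500/501 (user) on instance_id."""
    by_id = {}
    for e in events:
        if e["code"] in (299, 500, 501):
            rec = by_id.setdefault(e["instance_id"], {"time": e["time"]})
            rec["time"] = min(rec["time"], e["time"])  # ISO-8601 strings sort chronologically
            rec.update({k: e[k] for k in ("relying_party", "user") if k in e})
    done = [r for r in by_id.values() if "relying_party" in r and "user" in r]
    return sorted(done, key=lambda r: r["time"])

def derive_logoffs(logons, events, now, timeout=SESSION_TIMEOUT):
    """Virtual logoff per (user, relying_party): an explicit 4647 before the timeout, else last issue + timeout."""
    now = datetime.fromisoformat(now)
    explicit = {}
    for e in events:
        if e["code"] == 4647:
            explicit.setdefault(e["user"], []).append(datetime.fromisoformat(e["time"]))
    logoffs, sessions = [], {}
    def close(user, rp, last, before):  # emit a logoff if the session ended before `before`
        expiry = last + timeout
        ends = [t for t in explicit.get(user, []) if last <= t < min(expiry, before)]
        end, reason = (min(ends), "explicit") if ends else (expiry, "timeout")
        if end <= before:  # otherwise still alive: the next logon was a refresh within the timeout
            logoffs.append({"time": end.isoformat(), "user": user, "relying_party": rp, "reason": reason})
    for lg in logons:
        key, t = (lg["user"], lg["relying_party"]), datetime.fromisoformat(lg["time"])
        if key in sessions:
            close(*key, sessions[key], t)
        sessions[key] = t
    for key, last in sessions.items():  # sessions with no later logon: judge against `now`
        close(*key, last, now)
    return sorted(logoffs, key=lambda r: r["time"])
```

Run against the sample data with `now` set to 10:00, alice's 09:20 refresh keeps her first session alive and a timeout logoff is emitted at 09:50, while bob's session closes at his explicit 4647 at 09:25.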