Splunk Enterprise Security

Splunk Add-on for Microsoft Cloud Services: action="Unknown"

barcher83
Explorer

The Splunk Add-on for Microsoft Cloud Services is populating the Authentication datamodel in ES, however action="Unknown" for successful and failed logon events. Where would be a good place to start to look to correct this?

0 Karma
1 Solution

kchamplin_splun
Splunk Employee
Splunk Employee

I'd start with props.conf in that addon, specifically the stanza [ms:o365:management]. It doesn't look like they have a field alias set up for action, and that datamodel uses a calculated field to set "unknown" for any events that don't have an explicit "action" field or explicit "action" value.

As far as how to hunt this stuff down on your own, CIM usually leverages tag="some tag name" for its base search to pull events into a specific model. So normally, I look at tags.conf for the CIM datamodel I'm interested in, then look at the associated eventtype.conf that tags.conf pointed to. In this case, here's the eventtypes.conf:
[mso365_authentication]
search = sourcetype=ms:o365:management o365_audit_model_type=auth

tags = authentication

From there, just dig into the associated sourcetype in props for the same addon.

View solution in original post

kchamplin_splun
Splunk Employee
Splunk Employee

I'd start with props.conf in that addon, specifically the stanza [ms:o365:management]. It doesn't look like they have a field alias set up for action, and that datamodel uses a calculated field to set "unknown" for any events that don't have an explicit "action" field or explicit "action" value.

As far as how to hunt this stuff down on your own, CIM usually leverages tag="some tag name" for its base search to pull events into a specific model. So normally, I look at tags.conf for the CIM datamodel I'm interested in, then look at the associated eventtype.conf that tags.conf pointed to. In this case, here's the eventtypes.conf:
[mso365_authentication]
search = sourcetype=ms:o365:management o365_audit_model_type=auth

tags = authentication

From there, just dig into the associated sourcetype in props for the same addon.

View solution in original post

barcher83
Explorer

Thank you! I added this to my local/props.conf file and it seems to be working

EVAL-action = case(Operation=="UserLoggedIn", "success", Operation=="MailboxLogin", "success", Operation=="UserLoginFailed", "failure")
0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!