Splunk Enterprise Security

Splunk Add-on for Microsoft Cloud Services: action="Unknown"

barcher83
Explorer

The Splunk Add-on for Microsoft Cloud Services is populating the Authentication datamodel in ES, however action="Unknown" for successful and failed logon events. Where would be a good place to start to look to correct this?

0 Karma
1 Solution

kchamplin_splun
Splunk Employee
Splunk Employee

I'd start with props.conf in that addon, specifically the stanza [ms:o365:management]. It doesn't look like they have a field alias set up for action, and that datamodel uses a calculated field to set "unknown" for any events that don't have an explicit "action" field or explicit "action" value.

As far as how to hunt this stuff down on your own, CIM usually leverages tag="some tag name" for its base search to pull events into a specific model. So normally, I look at tags.conf for the CIM datamodel I'm interested in, then look at the associated eventtype.conf that tags.conf pointed to. In this case, here's the eventtypes.conf:
[mso365_authentication]
search = sourcetype=ms:o365:management o365_audit_model_type=auth

tags = authentication

From there, just dig into the associated sourcetype in props for the same addon.

View solution in original post

kchamplin_splun
Splunk Employee
Splunk Employee

I'd start with props.conf in that addon, specifically the stanza [ms:o365:management]. It doesn't look like they have a field alias set up for action, and that datamodel uses a calculated field to set "unknown" for any events that don't have an explicit "action" field or explicit "action" value.

As far as how to hunt this stuff down on your own, CIM usually leverages tag="some tag name" for its base search to pull events into a specific model. So normally, I look at tags.conf for the CIM datamodel I'm interested in, then look at the associated eventtype.conf that tags.conf pointed to. In this case, here's the eventtypes.conf:
[mso365_authentication]
search = sourcetype=ms:o365:management o365_audit_model_type=auth

tags = authentication

From there, just dig into the associated sourcetype in props for the same addon.

barcher83
Explorer

Thank you! I added this to my local/props.conf file and it seems to be working

EVAL-action = case(Operation=="UserLoggedIn", "success", Operation=="MailboxLogin", "success", Operation=="UserLoginFailed", "failure")
0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...