Splunk Search

How do I find Active Directory usernames logging in to ADFS from the Outlook App for iOS or Android?

saltybeagle
Explorer

We'd like to identify all of the users that have set up the Outlook app for iOS or Android. All of the authentication events are coming into AD and AD FS, but chaining them together is quite difficult. The Message field contains a bunch of information that needs to be extracted out to join the events into a transaction. The first event contains the client user-agent (X-MS-Client-User-Agent) and an Activity ID. A single subsequent event contains that same Activity ID and an Instance ID, which refers to other related events.

e.g. First event:

...
Message=...
...
Activity ID: 6d98939d-5de1-48a6-87e1-b99e0930944b
...
X-MS-Client-User-Agent: Outlook-iOS-Android/1.0 
...

Next event:

...
Message=...
...
Instance ID: 2448ebd4-0eff-46a2-a172-e30c6684bb9c 
...
Activity ID: 6d98939d-5de1-48a6-87e1-b99e0930944b 

Next event:

...
Message=More information for the event entry with Instance ID 2448ebd4-0eff-46a2-a172-e30c6684bb9c. There may be more events with the same Instance ID with more information. 

Instance ID:  
2448ebd4-0eff-46a2-a172-e30c6684bb9c 
...

and so on with more events containing the same Instance ID.

1 Solution

saltybeagle
Explorer

This is tough. The trick is pulling out the Activity ID and Instance ID and building a transaction to chain them together. You then need to filter out only the events with the user agent you're looking for. It would be best to configure the events from AD to automatically extract the Activity ID and Instance ID fields, instead of running a rex to pull them out each time:

SourceName="AD FS Auditing"
 | rex field=_raw "Activity ID:\s+(?<Activity_ID>\S+)"
 | rex field=Message "Instance ID:?\s+(?<Instance_ID>[0-9a-fA-F-]{36})"
 | transaction Activity_ID Instance_ID maxpause=2s
 | rex field=Message "EXAMPLE-AD\\\\(?<domain_uid>\S+)"
 | search domain_uid=*
 | rex field=Message "(?<clientip>\d+\.\d+\.\d+\.\d+)"
 | search "Outlook-iOS-Android/1.0"
 | table domain_uid,clienthost,clientip,Activity_ID,Instance_ID,eventcount,_time

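The chaining the accepted answer builds with `transaction Activity_ID Instance_ID`, worked through outside Splunk as an added example (this is not code from the original post or from Splunk): parse the Activity ID, Instance ID, user agent and account out of each Message, link events transitively on any shared ID (an event with only an Instance ID joins the event that carried both that Instance ID and the Activity ID, which joins the event that carried the user agent), collapse each chain into one row, and keep the rows whose user agent is the Outlook mobile app. The sample messages are constructed; the "Client IP:" label and the layout of the windowsaccountname claim line are assumptions about the event text, as are the GUIDs, accounts and addresses.

```python
import re
from collections import defaultdict

# Constructed sample Message fields (made-up GUIDs, accounts and IPs), one per
# event, laid out like the three-event chain in the question. The "Client IP:"
# label and the windowsaccountname claim line are assumptions about the text.
SAMPLE_EVENTS = [
    # chain 1, event 1: Activity ID plus the client user agent
    "Activity ID: 6d98939d-5de1-48a6-87e1-b99e0930944b\n"
    "X-MS-Client-User-Agent: Outlook-iOS-Android/1.0\n"
    "Client IP: 203.0.113.10",
    # chain 1, event 2: ties the Activity ID to an Instance ID
    "Instance ID: 2448ebd4-0eff-46a2-a172-e30c6684bb9c\n"
    "Activity ID: 6d98939d-5de1-48a6-87e1-b99e0930944b",
    # chain 1, event 3: "more information" event carrying the account name
    "More information for the event entry with Instance ID "
    "2448ebd4-0eff-46a2-a172-e30c6684bb9c. There may be more events with "
    "the same Instance ID with more information.\n\nInstance ID:  \n"
    "2448ebd4-0eff-46a2-a172-e30c6684bb9c\n"
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname EXAMPLE-AD\\jdoe",
    # chain 2: an unrelated browser sign-in that must not be reported
    "Activity ID: 0b0c4b2e-1f2d-4c3a-9d7e-1a2b3c4d5e6f\n"
    "X-MS-Client-User-Agent: Mozilla/5.0 (Windows NT 10.0)\n"
    "Client IP: 198.51.100.7",
    "Instance ID: 9f8e7d6c-5b4a-4392-8170-6f5e4d3c2b1a\n"
    "Activity ID: 0b0c4b2e-1f2d-4c3a-9d7e-1a2b3c4d5e6f",
    "More information for the event entry with Instance ID "
    "9f8e7d6c-5b4a-4392-8170-6f5e4d3c2b1a.\nInstance ID:  \n"
    "9f8e7d6c-5b4a-4392-8170-6f5e4d3c2b1a\n"
    "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname EXAMPLE-AD\\asmith",
]

GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"
ACTIVITY_RE = re.compile(r"Activity ID:\s*(" + GUID + ")")
# Optional colon and any whitespace (newline included) so both the
# "Instance ID: <guid>" line and the "with Instance ID <guid>." sentence match.
INSTANCE_RE = re.compile(r"Instance ID:?\s*(" + GUID + ")")
UA_RE = re.compile(r"X-MS-Client-User-Agent:\s*(\S+)")
ACCOUNT_RE = re.compile(r"windowsaccountname\s+(\S+)")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_event(message):
    """Extract the correlation keys and attributes from one Message field."""
    def first(rx):
        m = rx.search(message)
        return m.group(1) if m else None
    return {
        "activity_id": first(ACTIVITY_RE),
        "instance_ids": set(INSTANCE_RE.findall(message)),
        "user_agent": first(UA_RE),
        "account": first(ACCOUNT_RE),
        "client_ip": first(IP_RE),
    }

def chain_events(events):
    """Group events transitively on a shared Activity ID or Instance ID
    (union-find over event indices), mirroring a multi-field transaction."""
    parent = list(range(len(events)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    owner = {}  # ("activity" | "instance", guid) -> first event index seen with it
    for idx, ev in enumerate(events):
        keys = [("instance", g) for g in ev["instance_ids"]]
        if ev["activity_id"]:
            keys.append(("activity", ev["activity_id"]))
        for key in keys:
            if key in owner:
                ra, rb = find(owner[key]), find(idx)
                if ra != rb:
                    parent[rb] = ra
            else:
                owner[key] = idx
    groups = defaultdict(list)
    for idx, ev in enumerate(events):
        groups[find(idx)].append(ev)
    return list(groups.values())

def merge(group):
    """Collapse one chained group into a single row, like a transaction does."""
    row = {"activity_id": None, "user_agent": None, "account": None,
           "client_ip": None, "instance_ids": set(), "eventcount": len(group)}
    for ev in group:
        for k in ("activity_id", "user_agent", "account", "client_ip"):
            if row[k] is None and ev[k]:
                row[k] = ev[k]
        row["instance_ids"] |= ev["instance_ids"]
    return row

def users_for_agent(messages, agent_prefix="Outlook-iOS-Android/"):
    """Return {account: row} for chains whose user agent starts with agent_prefix."""
    rows = [merge(g) for g in chain_events([parse_event(m) for m in messages])]
    return {r["account"]: r for r in rows
            if r["account"] and (r["user_agent"] or "").startswith(agent_prefix)}

if __name__ == "__main__":
    for account, row in users_for_agent(SAMPLE_EVENTS).items():
        print(account, row["client_ip"], row["activity_id"], row["eventcount"])
```

The union-find step is the part that matters: keying the join on either ID means the user agent seen in the first event and the account name seen two events later end up in the same row even though no single event carries both, which is exactly why a plain `stats ... by Activity_ID` would not work here. Matching the user agent by prefix rather than the exact "Outlook-iOS-Android/1.0" string also keeps later app versions from slipping through.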

ashishdesai
New Member
index=AD host=YOURSTSBOX (EventCode=500 OR EventCode=501 OR EventCode=299)
 | rex "Instance ID:\s+(?<instance>\S+)"
 | transaction instance maxspan=5s
 | rex "Relying party:\s+(?<rely>\S+)"
 | rex "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname\s+(?<nt_account>\S+)"
 | stats dc(nt_account) as count by rely
 | sort -count
