We'd like to identify all of the users that have set up the Outlook app for iOS or Android. All of the authentication events are coming in to AD and AD FS, but chaining them together is quite difficult. The Message field contains a bunch of information that needs to be extracted out to join the events in to a transaction. The first event contains the client user-agent (X-MS-Client-User-Agent), and an Activity ID. A single subsequent event contains that same Activity ID, and an Instance ID which refers to other related events.
e.g. First event:
...
Message=...
...
Activity ID: 6d98939d-5de1-48a6-87e1-b99e0930944b
...
X-MS-Client-User-Agent: Outlook-iOS-Android/1.0
...
Next event:
...
Message=...
...
Instance ID: 2448ebd4-0eff-46a2-a172-e30c6684bb9c
...
Activity ID: 6d98939d-5de1-48a6-87e1-b99e0930944b
Next event:
...
Message=More information for the event entry with Instance ID 2448ebd4-0eff-46a2-a172-e30c6684bb9c. There may be more events with the same Instance ID with more information.
Instance ID:
2448ebd4-0eff-46a2-a172-e30c6684bb9c
...
and so on with more events containing the same Instance ID.
This is tough. The trick is pulling out the Activity ID and Instance ID and building a transaction to chain them together. You then need to filter out only the events with the user agent you're looking for. It would be best to configure the events from AD to automatically extract the Activity ID and Instance ID fields, instead of running a rex to pull them out each time:
SourceName="AD FS Auditing"
| rex field=_raw "Activity ID: (?<Activity_ID>[^\ ]+)"
| rex field=Message "More information for the event entry with Instance ID (?<Instance_ID>[^\.]+)\."
| transaction Activity_ID Instance_ID maxpause=2s
| rex field=Message "EXAMPLE-AD\\\(?<domain_uid>.*).*"
| search domain_uid=*
| rex field=Message "(?<clientip>[\d]+\.[\d]+\.[\d]+\.[\d]+)"
| search "Outlook-iOS-Android/1.0"
| table domain_uid,clienthost,clientip,Activity_ID,Instance_ID,eventcount,_time
> index=AD host=YOURSTSBOX
> EventCode=500 OR EventCode=501 OR
> EventCode=299 | rex "Instance
> id:\s+(?<instance>\S+)" |
> transaction instance maxspan=5s | rex
> "Relying party:\s+(?<rely>\S+)" | rex
> "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname\s+(?<nt_account>\S+)"
> | stats dc(nt_account) as count by
> rely|sort -count
This is tough. The trick is pulling out the Activity ID and Instance ID and building a transaction to chain them together. You then need to filter out only the events with the user agent you're looking for. It would be best to configure the events from AD to automatically extract the Activity ID and Instance ID fields, instead of running a rex to pull them out each time:
SourceName="AD FS Auditing"
| rex field=_raw "Activity ID: (?<Activity_ID>[^\ ]+)"
| rex field=Message "More information for the event entry with Instance ID (?<Instance_ID>[^\.]+)\."
| transaction Activity_ID Instance_ID maxpause=2s
| rex field=Message "EXAMPLE-AD\\\(?<domain_uid>.*).*"
| search domain_uid=*
| rex field=Message "(?<clientip>[\d]+\.[\d]+\.[\d]+\.[\d]+)"
| search "Outlook-iOS-Android/1.0"
| table domain_uid,clienthost,clientip,Activity_ID,Instance_ID,eventcount,_time