How do I find Active Directory usernames logging in to ADFS from the Outlook App for iOS or Android?

saltybeagle
Explorer

We'd like to identify all of the users that have set up the Outlook app for iOS or Android. All of the authentication events are coming into AD and AD FS, but chaining them together is quite difficult. The Message field contains a bunch of information that needs to be extracted out to join the events into a transaction. The first event contains the client user-agent (X-MS-Client-User-Agent), and an Activity ID. A single subsequent event contains that same Activity ID, and an Instance ID which refers to other related events.

e.g. First event:

...
Message=...
...
Activity ID: 6d98939d-5de1-48a6-87e1-b99e0930944b
...
X-MS-Client-User-Agent: Outlook-iOS-Android/1.0 
...

Next event:

...
Message=...
...
Instance ID: 2448ebd4-0eff-46a2-a172-e30c6684bb9c 
...
Activity ID: 6d98939d-5de1-48a6-87e1-b99e0930944b 

Next event:

...
Message=More information for the event entry with Instance ID 2448ebd4-0eff-46a2-a172-e30c6684bb9c. There may be more events with the same Instance ID with more information. 

Instance ID:  
2448ebd4-0eff-46a2-a172-e30c6684bb9c 
...

and so on with more events containing the same Instance ID.

1 Solution

saltybeagle
Explorer

This is tough. The trick is pulling out the Activity ID and Instance ID and building a transaction to chain them together. You then need to filter out only the events with the user agent you're looking for. It would be best to configure the events from AD to automatically extract the Activity ID and Instance ID fields, instead of running a rex to pull them out each time:

SourceName="AD FS Auditing" 
 | rex field=_raw "Activity ID: (?<Activity_ID>[^\ ]+)" 
 | rex field=Message "More information for the event entry with Instance ID (?<Instance_ID>[^\.]+)\." 
 | transaction Activity_ID Instance_ID maxpause=2s 
 | rex field=Message "EXAMPLE-AD\\\(?<domain_uid>.*).*" 
 | search domain_uid=*
 | rex field=Message "(?<clientip>[\d]+\.[\d]+\.[\d]+\.[\d]+)" 
 | search "Outlook-iOS-Android/1.0"
 | table domain_uid,clienthost,clientip,Activity_ID,Instance_ID,eventcount,_time

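The same Activity ID to Instance ID chaining as the SPL above, as an added Python example that is not part of the original answer. It runs over constructed sample Message texts (made-up IDs, accounts and addresses), keeps the EXAMPLE-AD domain name from the post as an assumption, and ignores the maxpause time window that transaction applies.

```python
import re

# Regexes mirroring the rex stages in the accepted SPL answer.
ACTIVITY_RE = re.compile(r"Activity ID:\s*(\S+)")
INSTANCE_RE = re.compile(r"Instance ID:?\s*([^\s.]+)")
UA_RE = re.compile(r"X-MS-Client-User-Agent:\s*(\S+)")
UID_RE = re.compile(r"EXAMPLE-AD\\(\S+)")   # domain name assumed, as in the post
IP_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)")
FIELD_RES = (("user_agent", UA_RE), ("domain_uid", UID_RE), ("clientip", IP_RE))

# Constructed sample events (not real AD FS audit data): two logins with
# made-up IDs; only the first comes from the Outlook mobile app.
SAMPLE_EVENTS = [
    "Activity ID: aaaa-0001\nX-MS-Client-User-Agent: Outlook-iOS-Android/1.0",
    "Instance ID: ins-0001\nActivity ID: aaaa-0001",
    "More information for the event entry with Instance ID ins-0001. "
    "Client IP: 203.0.113.10 User: EXAMPLE-AD\\jdoe",
    "Activity ID: bbbb-0002\nX-MS-Client-User-Agent: Mozilla/5.0",
    "Instance ID: ins-0002\nActivity ID: bbbb-0002",
    "More information for the event entry with Instance ID ins-0002. "
    "Client IP: 198.51.100.7 User: EXAMPLE-AD\\asmith",
]

def first(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None

def chain_logins(events):
    """Merge events into one record per Activity ID, following the
    Activity ID -> Instance ID bridge the way `transaction` does.
    Assumes the bridging event arrives before its Instance ID follow-ups."""
    by_activity = {}           # activity id -> merged fields
    instance_to_activity = {}  # instance id -> activity id
    for msg in events:
        act, inst = first(ACTIVITY_RE, msg), first(INSTANCE_RE, msg)
        if act and inst:
            instance_to_activity[inst] = act   # the bridging event
        key = act or instance_to_activity.get(inst)
        if key is None:
            continue           # orphan event: nothing to link it to
        rec = by_activity.setdefault(key, {"eventcount": 0})
        rec["eventcount"] += 1
        for name, rx in FIELD_RES:
            val = first(rx, msg)
            if val and name not in rec:
                rec[name] = val
    return by_activity

def outlook_mobile_users(events, agent="Outlook-iOS-Android/1.0"):
    """Return {domain_uid: clientip} for chains that carry the mobile agent."""
    return {r["domain_uid"]: r["clientip"] for r in chain_logins(events).values()
            if r.get("user_agent") == agent and "domain_uid" in r}
```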

ashishdesai
New Member
> index=AD host=YOURSTSBOX EventCode=500 OR EventCode=501 OR EventCode=299
> | rex "Instance id:\s+(?<instance>\S+)"
> | transaction instance maxspan=5s
> | rex "Relying party:\s+(?<rely>\S+)"
> | rex "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname\s+(?<nt_account>\S+)"
> | stats dc(nt_account) as count by rely
> | sort -count
