Splunk Search

How do I find Active Directory usernames logging in to ADFS from the Outlook App for iOS or Android?

saltybeagle
Explorer

We'd like to identify all of the users that have set up the Outlook app for iOS or Android. All of the authentication events are coming in to AD and AD FS, but chaining them together is quite difficult. The Message field contains a bunch of information that needs to be extracted out to join the events in to a transaction. The first event contains the client user-agent (X-MS-Client-User-Agent), and an Activity ID. A single subsequent event contains that same Activity ID, and an Instance ID which refers to other related events.

e.g. First event:

...
Message=...
...
Activity ID: 6d98939d-5de1-48a6-87e1-b99e0930944b
...
X-MS-Client-User-Agent: Outlook-iOS-Android/1.0 
...

Next event:

...
Message=...
...
Instance ID: 2448ebd4-0eff-46a2-a172-e30c6684bb9c 
...
Activity ID: 6d98939d-5de1-48a6-87e1-b99e0930944b 

Next event:

...
Message=More information for the event entry with Instance ID 2448ebd4-0eff-46a2-a172-e30c6684bb9c. There may be more events with the same Instance ID with more information. 

Instance ID:  
2448ebd4-0eff-46a2-a172-e30c6684bb9c 
...

and so on with more events containing the same Instance ID.

1 Solution

saltybeagle
Explorer

This is tough. The trick is pulling out the Activity ID and Instance ID and building a transaction to chain them together. You then need to filter out only the events with the user agent you're looking for. It would be best to configure the events from AD to automatically extract the Activity ID and Instance ID fields, instead of running a rex to pull them out each time:

SourceName="AD FS Auditing" 
 | rex field=_raw "Activity ID: (?<Activity_ID>[^\ ]+)" 
 | rex field=Message "More information for the event entry with Instance ID (?<Instance_ID>[^\.]+)\." 
 | transaction Activity_ID Instance_ID maxpause=2s 
 | rex field=Message "EXAMPLE-AD\\\(?<domain_uid>.*).*" 
 | search domain_uid=*
 | rex field=Message "(?<clientip>[\d]+\.[\d]+\.[\d]+\.[\d]+)" 
 | search "Outlook-iOS-Android/1.0"
 | table domain_uid,clienthost,clientip,Activity_ID,Instance_ID,eventcount,_time

View solution in original post

ashishdesai
New Member
> index=AD host=YOURSTSBOX   
> EventCode=500 OR EventCode=501 OR
> EventCode=299 |  rex "Instance
> id:\s+(?<instance>\S+)"   |
> transaction instance maxspan=5s | rex
> "Relying party:\s+(?<rely>\S+)" | rex
> "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname\s+(?<nt_account>\S+)"
> | stats dc(nt_account) as count by
> rely|sort -count
0 Karma

saltybeagle
Explorer

This is tough. The trick is pulling out the Activity ID and Instance ID and building a transaction to chain them together. You then need to filter out only the events with the user agent you're looking for. It would be best to configure the events from AD to automatically extract the Activity ID and Instance ID fields, instead of running a rex to pull them out each time:

SourceName="AD FS Auditing" 
 | rex field=_raw "Activity ID: (?<Activity_ID>[^\ ]+)" 
 | rex field=Message "More information for the event entry with Instance ID (?<Instance_ID>[^\.]+)\." 
 | transaction Activity_ID Instance_ID maxpause=2s 
 | rex field=Message "EXAMPLE-AD\\\(?<domain_uid>.*).*" 
 | search domain_uid=*
 | rex field=Message "(?<clientip>[\d]+\.[\d]+\.[\d]+\.[\d]+)" 
 | search "Outlook-iOS-Android/1.0"
 | table domain_uid,clienthost,clientip,Activity_ID,Instance_ID,eventcount,_time
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...