Splunk Search

How do I find Active Directory usernames logging in to ADFS from the Outlook App for iOS or Android?

saltybeagle
Explorer

We'd like to identify all of the users that have set up the Outlook app for iOS or Android. All of the authentication events are coming in to AD and AD FS, but chaining them together is quite difficult. The Message field contains a bunch of information that needs to be extracted out to join the events into a transaction. The first event contains the client user-agent (X-MS-Client-User-Agent) and an Activity ID. A single subsequent event contains that same Activity ID and an Instance ID, which refers to other related events.

e.g. First event:

...
Message=...
...
Activity ID: 6d98939d-5de1-48a6-87e1-b99e0930944b
...
X-MS-Client-User-Agent: Outlook-iOS-Android/1.0 
...

Next event:

...
Message=...
...
Instance ID: 2448ebd4-0eff-46a2-a172-e30c6684bb9c 
...
Activity ID: 6d98939d-5de1-48a6-87e1-b99e0930944b 

Next event:

...
Message=More information for the event entry with Instance ID 2448ebd4-0eff-46a2-a172-e30c6684bb9c. There may be more events with the same Instance ID with more information. 

Instance ID:  
2448ebd4-0eff-46a2-a172-e30c6684bb9c 
...

and so on with more events containing the same Instance ID.

1 Solution

saltybeagle
Explorer

This is tough. The trick is pulling out the Activity ID and Instance ID and building a transaction to chain them together. You then need to filter out only the events with the user agent you're looking for. It would be best to configure the events from AD to automatically extract the Activity ID and Instance ID fields, instead of running a rex to pull them out each time:

SourceName="AD FS Auditing" 
 | rex field=_raw "Activity ID: (?<Activity_ID>[^\ ]+)" 
 | rex field=Message "More information for the event entry with Instance ID (?<Instance_ID>[^\.]+)\." 
 | transaction Activity_ID Instance_ID maxpause=2s 
 | rex field=Message "EXAMPLE-AD\\\(?<domain_uid>.*).*" 
 | search domain_uid=*
 | rex field=Message "(?<clientip>[\d]+\.[\d]+\.[\d]+\.[\d]+)" 
 | search "Outlook-iOS-Android/1.0"
 | table domain_uid,clienthost,clientip,Activity_ID,Instance_ID,eventcount,_time

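The same chaining the accepted answer's SPL performs, as an added example in Python that is not part of the original post: it extracts the fields the rex commands pull out, follows Activity ID to Instance ID to the domain\user, and keeps only sign-ins whose first event carried the Outlook-iOS-Android user agent. The domain EXAMPLE-AD, the second set of IDs, the usernames and the addresses are assumptions.

```python
import re
from collections import defaultdict

# Patterns mirror the rex extractions in the answer; EXAMPLE-AD is the page's placeholder domain.
ACTIVITY_RE = re.compile(r"Activity ID:\s*(?P<aid>[0-9a-fA-F-]{36})")
INSTANCE_RE = re.compile(r"Instance ID:?\s*(?P<iid>[0-9a-fA-F-]{36})")
AGENT_RE = re.compile(r"X-MS-Client-User-Agent:\s*(?P<ua>\S+)")
USER_RE = re.compile(r"EXAMPLE-AD\\(?P<user>\S+)")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def correlate(messages, agent="Outlook-iOS-Android/1.0"):
    # Chain Activity ID -> Instance ID -> username, the join 'transaction Activity_ID Instance_ID' does.
    ua_by_activity, instance_by_activity = {}, {}
    details = defaultdict(lambda: {"user": None, "clientip": None, "events": 0})
    for msg in messages:
        aid, iid, ua = ACTIVITY_RE.search(msg), INSTANCE_RE.search(msg), AGENT_RE.search(msg)
        if aid and ua:                      # first event: carries the client user agent
            ua_by_activity[aid["aid"]] = ua["ua"]
        if aid and iid:                     # bridge event: links Activity ID to Instance ID
            instance_by_activity[aid["aid"]] = iid["iid"]
        if iid:                             # any event of the instance may carry user / IP
            rec = details[iid["iid"]]
            rec["events"] += 1
            user, ip = USER_RE.search(msg), IP_RE.search(msg)
            rec["user"] = user["user"] if user else rec["user"]
            rec["clientip"] = ip.group(0) if ip else rec["clientip"]
    rows = []
    for aid, ua in ua_by_activity.items():
        iid = instance_by_activity.get(aid)
        if ua != agent or iid is None or details[iid]["user"] is None:
            continue                        # other client, or the chain never reached a username
        rows.append({"domain_uid": details[iid]["user"], "clientip": details[iid]["clientip"],
                     "Activity_ID": aid, "Instance_ID": iid, "eventcount": details[iid]["events"]})
    return sorted(rows, key=lambda r: r["domain_uid"])

# Constructed events modelled on those in the question; second IDs, users and addresses are invented.
SAMPLE = [
    "Activity ID: 6d98939d-5de1-48a6-87e1-b99e0930944b\nX-MS-Client-User-Agent: Outlook-iOS-Android/1.0",
    "Instance ID: 2448ebd4-0eff-46a2-a172-e30c6684bb9c\nActivity ID: 6d98939d-5de1-48a6-87e1-b99e0930944b",
    "More information for the event entry with Instance ID 2448ebd4-0eff-46a2-a172-e30c6684bb9c.\n\n"
    "Instance ID:\n2448ebd4-0eff-46a2-a172-e30c6684bb9c\nEXAMPLE-AD\\jdoe\nClient IP: 198.51.100.23",
    "Instance ID: 2448ebd4-0eff-46a2-a172-e30c6684bb9c\nAudit: token issued",
    "Activity ID: 11111111-2222-3333-4444-555555555555\nX-MS-Client-User-Agent: Mozilla/5.0",
    "Instance ID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\nActivity ID: 11111111-2222-3333-4444-555555555555",
    "Instance ID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee\nEXAMPLE-AD\\asmith\n192.0.2.9",
]

if __name__ == "__main__":
    for row in correlate(SAMPLE):
        print(row)
```

Like the SPL's clientip rex, IP_RE takes the first dotted quad found anywhere in the Message, so check that field against the forwarder's own extraction before relying on it.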

ashishdesai
New Member
index=AD host=YOURSTSBOX (EventCode=500 OR EventCode=501 OR EventCode=299)
 | rex "(?i)Instance ID:\s+(?<instance>\S+)"
 | transaction instance maxspan=5s
 | rex "Relying party:\s+(?<rely>\S+)"
 | rex "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname\s+(?<nt_account>\S+)"
 | stats dc(nt_account) as count by rely
 | sort -count
