Splunk Enterprise Security

Splunk Add-on for Microsoft Cloud Services: action="Unknown"

barcher83
Explorer

The Splunk Add-on for Microsoft Cloud Services is populating the Authentication datamodel in ES, however action="Unknown" for successful and failed logon events. Where would be a good place to start to look to correct this?

0 Karma
1 Solution

kchamplin_splun
Splunk Employee
Splunk Employee

I'd start with props.conf in that addon, specifically the stanza [ms:o365:management]. It doesn't look like they have a field alias set up for action, and that datamodel uses a calculated field to set "unknown" for any events that don't have an explicit "action" field or explicit "action" value.

As far as how to hunt this stuff down on your own, CIM usually leverages tag="some tag name" for its base search to pull events into a specific model. So normally, I look at tags.conf for the CIM datamodel I'm interested in, then look at the associated eventtype.conf that tags.conf pointed to. In this case, here's the eventtypes.conf:
[mso365_authentication]
search = sourcetype=ms:o365:management o365_audit_model_type=auth

tags = authentication

From there, just dig into the associated sourcetype in props for the same addon.

View solution in original post

kchamplin_splun
Splunk Employee
Splunk Employee

I'd start with props.conf in that addon, specifically the stanza [ms:o365:management]. It doesn't look like they have a field alias set up for action, and that datamodel uses a calculated field to set "unknown" for any events that don't have an explicit "action" field or explicit "action" value.

As far as how to hunt this stuff down on your own, CIM usually leverages tag="some tag name" for its base search to pull events into a specific model. So normally, I look at tags.conf for the CIM datamodel I'm interested in, then look at the associated eventtype.conf that tags.conf pointed to. In this case, here's the eventtypes.conf:
[mso365_authentication]
search = sourcetype=ms:o365:management o365_audit_model_type=auth

tags = authentication

From there, just dig into the associated sourcetype in props for the same addon.

barcher83
Explorer

Thank you! I added this to my local/props.conf file and it seems to be working

EVAL-action = case(Operation=="UserLoggedIn", "success", Operation=="MailboxLogin", "success", Operation=="UserLoginFailed", "failure")
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...