Missing Logs from Entra ID on Sentinel #10439

Open
ojomanuel opened this issue May 3, 2024 · 13 comments
Labels: Connector (Connector specialty review needed)

Comments

@ojomanuel

Describe the bug
It is observed that not all logs are received from Entra ID to the Sentinel Solution.

The rule for new account created returns only a single account, which was not successful. Further review shows that the successful account-created logs are showing in the Audit logs in Entra ID but are not getting to Sentinel.

To Reproduce
Out of Audit Log
[screenshot]

[screenshot]

Expected behavior
Success and Failures as shown in Entra ID audit Log
[screenshot]

Screenshots
If applicable, add screenshots to help explain your problem.

@v-sudkharat added the Connector (Connector specialty review needed) label on May 6, 2024
@v-rusraut
Contributor

Hi @ojomanuel,
Thanks for flagging this issue. We will investigate it and get back to you with updates by 13 May 2024. Thanks!

@v-rusraut
Contributor

Hi @ojomanuel,
The screenshot you shared below is from Entra ID; there is no record with Activity='Add user' and Status='Success'.
[screenshot]
Please confirm once whether records are present with Activity='Add user' and Status='Success'.
If such records are present, please share a screenshot of them.
Thanks

@ojomanuel
Author

ojomanuel commented May 10, 2024 via email

Hello, there are no logs for Activity='Add user' Status='Success' on Sentinel. Regards, Avwerosuo Ojo-Manuel

@v-rusraut
Contributor

Please check in Entra ID's Audit log table.

@ojomanuel
Author

Hello @v-rusraut

The Entra ID audit log table has both successes and failures, but Sentinel has only the failures.

[screenshot]

[screenshot]

@v-rusraut
Contributor

Hi @ojomanuel,
Please use the query below and let us know whether the issue is resolved.

```kql
AuditLogs
| where ActivityDisplayName == "Add user" and Result == "success"
```

Thanks

@ojomanuel
Author

ojomanuel commented May 16, 2024 via email

@v-rusraut
Contributor

Hi @ojomanuel,
I am not able to view the screenshots; please share them by email. Also share the data from the AuditLogs table (Sentinel side).
Email ID: v-rusraut@microsoft.com
Thanks

@ojomanuel
Author

ojomanuel commented May 20, 2024 via email

@v-rusraut
Contributor

Hi @ojomanuel,
Please run the query below and provide screenshots of the result.

```kql
AuditLogs
| where ActivityDisplayName == "Add user" and Result == "success"
| count
```

Thanks
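As an added diagnostic, not part of the thread: the query below tallies "Add user" events in the Sentinel AuditLogs table by category and outcome over the last 7 days, so a gap like the one described (failures present, successes absent) shows up as a missing row with the last ingest time of each outcome, rather than as a bare count of zero. Result holds the lowercase strings success and failure, so the exact-match comparisons in the thread must use lowercase.

```kql
// Added example, not from the thread or the Azure-Sentinel project.
// Summarise Entra ID "Add user" audit events that actually reached the workspace,
// grouped by log category and outcome, with first/last ingest timestamps and the
// distinct reasons reported. A tenant whose Entra ID portal shows successes but whose
// result set here contains only Result == "failure" has an ingestion gap, not a query bug.
AuditLogs
| where TimeGenerated > ago(7d)
| where ActivityDisplayName == "Add user"
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Reasons = make_set(ResultReason, 10)
    by Category, Result
| order by Category asc, Result asc
```

Compare the Events figure per Result with the counts shown in the Entra ID audit log for the same window; the outcome that is present in the portal but absent here is the one the connector is not delivering.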

@v-rusraut
Contributor

Hi @ojomanuel,
Please provide an update on the comment above.
Thanks

@ojomanuel
Author

[screenshot] [screenshot]

@v-rusraut
Contributor

Hi @ojomanuel,
Please share the logs from the AuditLogs (Sentinel) table with us. You can follow the steps below to share the logs:

  1. Run the AuditLogs query in your Sentinel workspace (you can set a custom time range of the last 7 days).
  2. Once all the results are displayed, click on the Export tab and choose CSV (all columns).
  3. Screenshot for your reference:
     [screenshot]
  4. Send the downloaded file to the email ID v-rusraut@microsoft.com.

Thanks
