Missing Logs from Entra ID on Sentinel #10439
Comments
Hi @ojomanuel, |
Hello
There are no logs for Activity='Add user' Status='Success' on sentinel
Regards,
Avwerosuo Ojo-Manuel
Team Lead
Cybersecurity Operations Center - Blue Team
________________________________
From: v-rusraut
Sent: Friday, May 10, 2024 1:39 PM
Hi @ojomanuel<https://github.com/ojomanuel>,
The screenshot you shared below is from Entra ID; there is no record with Activity='Add user' Status='Success'.
image.png <https://github.com/Azure/Azure-Sentinel/assets/167873834/87c1e158-9305-44bd-995a-9d6b2ed6145d>
Please confirm once whether there are records present with Activity='Add user' Status='Success'.
And please share a screenshot if there are records present with Activity='Add user' Status='Success'.
Thanks
—
|
Please check in Entra ID's Audit log table. |
Hello @v-rusraut The Entra ID audit log table has both successes and failures, but Sentinel has only the failures |
Hi @ojomanuel, AuditLogs Thanks |
Hello
See below.
[two screenshot attachments]
________________________________
From: v-rusraut
Sent: Wednesday, May 15, 2024 2:48 PM
Hi @ojomanuel<https://github.com/ojomanuel>,
Please use the below query and let us know whether the issue is resolved or not.
AuditLogs
| where ActivityDisplayName == "Add user" and Result == "success"
Thanks
|
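The query above only lists matching rows. When the complaint is that one Result value never arrives, a more useful first check is a count of "Add user" audit events per day, split by Result and by the audit Category the event belongs to: if "failure" rows appear every day and "success" rows never do, the gap is in what reaches the AuditLogs table, not in the analytics rule. The following KQL is an added diagnostic written for this thread, not a query posted by the maintainers or shipped with the Azure-Sentinel repo; it assumes the standard AuditLogs columns (TimeGenerated, OperationName, ActivityDisplayName, Category, LoggedByService, Result) and a 7-day window, which is an arbitrary choice.

```kql
// Added diagnostic (not from the thread): daily counts of "Add user" audit events
// that actually landed in the workspace, split by Result and Category.
// Result values in AuditLogs are lowercase ("success" / "failure"); =~ is used so
// a case mismatch cannot silently hide rows the way == "Success" would.
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName == "Add user" or ActivityDisplayName == "Add user"
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Result, Category, LoggedByService, Day = bin(TimeGenerated, 1d)
| order by Day asc, Result asc
```

Run the same 7-day window against the Entra ID audit log in the portal and compare the per-day totals for each Result value; a result set here that contains only failure rows while the portal shows successes for the same days narrows the problem to the path between Entra ID and the workspace (diagnostic setting categories and ingestion) rather than to the detection query.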
Hi @ojomanuel, |
Hello,
The issue still persists.
Regards,
________________________________
From: v-rusraut
Sent: Monday, May 20, 2024 9:29 AM
Hi @ojomanuel<https://github.com/ojomanuel>,
I am not able to view the screenshots; please share the screenshots by email. Also share data from AuditLogs (Sentinel side).
Thanks
|
Hi @ojomanuel,
Thanks |
Describe the bug
It is observed that not all logs are received from Entra ID by the Sentinel solution.
The rule for new accounts created returns only a single account, one that was not successful. Further review shows that the successful account-creation logs are showing in the audit logs in Entra ID but are not getting to Sentinel.
To Reproduce
Out of Audit Log
Expected behavior
Successes and failures, as shown in the Entra ID audit log