Azure AD Multi-Source Failed Authentications Spike - Missing ADFSSignInLogs category #2980

Open
atgithub11 opened this issue Mar 20, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@atgithub11

For sign-in activity from ADFS, the category is ADFSSignInLogs. This correlation would miss those due to category=SignInLogs.

I would recommend either including ADFS, category IN (SignInLogs, ADFSSignInLogs), or maybe using a wildcard such as category=*SignInLogs (in case there are other types of sign-in logs with similar events).

Also for the filter, I think uniqueUserAgents = 1 should be removed (or changed to look for >=1). These strings can easily be scripted to change on the fly for every attempt, and those instances would be missed with this constraint.

Thanks

@atgithub11 atgithub11 added the enhancement New feature or request label Mar 20, 2024
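
The coverage effect of the two changes proposed in this issue, shown as an added example that is not part of the original issue or the project's detection search. The events are constructed, and the field names (`window`, `user`, `src`, `user_agent`), the thresholds and the glob match standing in for the category filter are assumptions.

```python
from collections import defaultdict
from fnmatch import fnmatchcase


def _burst(window, category, agents):
    # 12 failed sign-ins in one window: 12 accounts from 12 sources.
    return [{"window": window, "category": category, "user": f"user{i}",
             "src": f"203.0.113.{i + 1}", "user_agent": agents[i % len(agents)]}
            for i in range(12)]


# Constructed events (not real log data); field names are assumptions.
EVENTS = (
    _burst("10:00", "SignInLogs", ["ua-fixed"])                       # cloud sign-ins, one UA
    + _burst("10:05", "ADFSSignInLogs", ["ua-fixed"])                 # same pattern via ADFS
    + _burst("10:10", "SignInLogs", [f"ua-{n}" for n in range(12)])   # UA differs per attempt
    + [{"window": "10:15", "category": "SignInLogs", "user": "alice",
        "src": "198.51.100.5", "user_agent": "ua-fixed"}] * 2         # ordinary typos
)


def flagged_windows(events, category_glob, ua_ok, min_users=10, min_sources=10):
    """Return the time windows whose failed sign-ins pass the spike filter.

    category_glob: glob applied to the event category.
    ua_ok: predicate on the number of distinct user agents in the window.
    min_users / min_sources: assumed thresholds, not the detection's values.
    """
    users, sources, agents = defaultdict(set), defaultdict(set), defaultdict(set)
    for e in events:
        if not fnmatchcase(e["category"], category_glob):
            continue
        users[e["window"]].add(e["user"])
        sources[e["window"]].add(e["src"])
        agents[e["window"]].add(e["user_agent"])
    return {w for w in users
            if len(users[w]) >= min_users
            and len(sources[w]) >= min_sources
            and ua_ok(len(agents[w]))}


if __name__ == "__main__":
    print("as written:   ", sorted(flagged_windows(EVENTS, "SignInLogs", lambda n: n == 1)))
    print("wildcard only:", sorted(flagged_windows(EVENTS, "*SignInLogs", lambda n: n == 1)))
    print("both changes: ", sorted(flagged_windows(EVENTS, "*SignInLogs", lambda n: n >= 1)))
```

With the filter as written only the 10:00 window is flagged; the wildcard adds the ADFS window, and relaxing the user-agent condition adds the window where the user agent differs on every attempt.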