I'm trying to create alerts for disabled accounts for Azure SSO but I'm not able to find the context for that. Disabled account checks for event.code : 4725
Failed account checks for event.code : "4625"
The logs do not show anything related to the disabled account. Is there a way this can be accomplished with alerts?
Hello @ajoshi37, and thanks for reaching out to the community. I'm having a little difficulty understanding what you're trying to achieve, but it sounds like getting alert data from Azure to show up in Kibana.
Have you successfully set up an Azure integration with Kibana, and if so which one? From the looks of your question I'm guessing you'd be looking for this one:
and from there creating your own rule based on whatever criteria you want. In your case a custom query of event.code : "4625" might be what you're looking for, but ensure that Kibana is querying the right indices or data view based on your Azure integration.
Thanks for the follow-up. My alert is a little different.
We have Azure AD accounts which are disabled but we still use them for mailboxes/emails.
I'm trying to create an alert for the failed login attempt for a disabled Azure AD account which was disabled by us.
I'm not sure how to chain two event.codes into one alert.
Like first check for event.code : 4625, and only if that matches, then check for event.code : "4725" for the same account.
Like if the login failed for any account, then check the disabled account list to see whether that's a disabled account.
But a disabled account only has one event.code, which is "4725", right? Not sure how to implement that.
Hope I make sense now. Thanks, and let me know your thoughts.
I'm wondering if you could go about it a different way. I'm not an Azure expert so feel free to correct me here, but what about doing a compound query for the failed-login alert?
Something like: error_code: 4625 and result_description: *account disabled*
The use of the asterisks would imply a partial match. So the query would look for failed login attempts based on the code 4625, and check that the result_description field has something related to account being disabled. You could take it a step further and use the precise language of the result_description, then the asterisks could be replaced with quotation marks.
Of course the fields may be named differently (event.code instead of error_code, for example), but theoretically this should work.
@ajoshi37, I reached out to some other elasticians and they shared that it seems like you want a sequence query. You could couple this with an event correlation query:
I tried using your suggested method but it was not successful for me.
We disabled one account today and it was not showing in the "Rule Preview" below after I tried a failed attempt for the account, as I saw your updates on the case. I can see the failed attempt for the same account in Azure and Elastic, but not in the Rule Preview after applying the query for today.
I was not able to check the suggested query in Discover < Logs*. Is there a way I can test the query and then update you on whether that will work or not?
Thanks, and let me know your thoughts.
I appreciate you helping, while as an Elastic Cloud Platinum member I was thrown some docs which do not make any sense for this problem.
Can you share an entire event (the thing you truncated in your last picture on the left side)? I want to see all the fields; feel free to hide the values if need be. It looks like, since it's an EQL query, it needs to match on an event category:
sequence
[ event_category_1 where condition_1 ]
[ event_category_2 where condition_2 ]
It kind of looks like your category field has the value iam.
So you could maybe do:
sequence
[ iam where event.code == "4725" ]
[ iam where event.code == "4625" ]
Send a better picture though so I can get a better look at your available fields.
Note that I'm using behaviour as the event category. I knew it would be possible as the events I have in my database have behavior as a value for category.
I have attached the details of the login in the screenshot below, with some of the private values changed.
And I tried the query in Dev Tools as you suggested and got a valid response, but not many details.
There is no iam event in 4625; the category for that is authentication (line 129). Attaching the screenshot for your reference.
I tried the query in Dev Tools also with 4625 above, but no luck, still the error.
Do the two events happen right after each other? Or is the disabled one from way in the past? This might be problematic if so.
Is the data going to two different indices?
I see one index as .ds-logs-system-security; is this the index that both events get sent to?
If not, you would need to create or use a data view to pool data from multiple sources. It looks like both events, regardless of which indices they are in, may be a part of your default data view, so maybe that.
sequence
[ authentication where event.code == "4625" ]
[ iam where event.code == "4725" ]
will be closer to what you're looking for, with a consideration being a data view as mentioned above, and keeping in mind that this would work best if there is a usable time window. Meaning the disabled-account events aren't from 2 years ago and the failed login attempt is yesterday, but rather when the failed login attempt happens and triggers event A (bad login), another event, event B, is also triggered soon after (disabled account), or vice versa. This way the sequence query has a small window of time to search.
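To make the ordering and time-window concern above concrete, here is an added example (not code from the thread or from Elastic) that runs the same correlation the sequence query expresses, but in Python over a handful of constructed events. It puts the disable (4725) first and the failed logon (4625) second, joins the two on the account name so that a failure for one user is never paired with a disable of another, and takes the lookback as a parameter so you can see how a short window misses a disable from months earlier while a long one catches it. The field names `event.code`, `event.category` and `winlog.event_data.TargetUserName`, the timestamps and the user names are all assumptions for illustration; in EQL the same join and window would be expressed with `sequence by <user field> with maxspan=<duration>` (syntax assumed from the EQL documentation, not taken from the thread).

```python
"""Correlate failed logons (4625) against earlier account-disable events (4725)
for the same account, with a configurable lookback window.

Added example for this thread; all sample events below are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed sample events in a flattened ECS-like shape. The field names are
# assumed to match what the Windows Security integration emits; adjust to the
# fields visible in your own documents.
SAMPLE_EVENTS = [
    {"@timestamp": "2023-03-01T09:00:00Z", "event.code": "4725", "event.category": "iam",
     "winlog.event_data.TargetUserName": "bob"},
    {"@timestamp": "2023-03-02T10:00:00Z", "event.code": "4725", "event.category": "iam",
     "winlog.event_data.TargetUserName": "alice"},
    # alice fails to log on one hour after being disabled
    {"@timestamp": "2023-03-02T11:00:00Z", "event.code": "4625", "event.category": "authentication",
     "winlog.event_data.TargetUserName": "alice"},
    # bob fails to log on roughly three months after being disabled
    {"@timestamp": "2023-06-05T08:00:00Z", "event.code": "4625", "event.category": "authentication",
     "winlog.event_data.TargetUserName": "bob"},
    # carol was never disabled: an ordinary bad password, must not alert
    {"@timestamp": "2023-06-05T08:05:00Z", "event.code": "4625", "event.category": "authentication",
     "winlog.event_data.TargetUserName": "carol"},
    # alice again, three months after the disable
    {"@timestamp": "2023-06-06T08:00:00Z", "event.code": "4625", "event.category": "authentication",
     "winlog.event_data.TargetUserName": "alice"},
]

USER_FIELD = "winlog.event_data.TargetUserName"  # assumed join key


def _ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def disabled_account_failures(events, maxspan):
    """Return (user, failed_at) pairs for every 4625 whose account had a 4725
    at most `maxspan` earlier. Mirrors an EQL sequence that joins on the user:
    first the iam/4725 event, then the authentication/4625 event.

    Events are processed in time order; the most recent disable per user is
    kept, so a later failure is measured against the latest disable."""
    disabled_at = {}
    hits = []
    for ev in sorted(events, key=lambda e: _ts(e["@timestamp"])):
        user = ev.get(USER_FIELD)
        when = _ts(ev["@timestamp"])
        if ev["event.code"] == "4725" and ev["event.category"] == "iam":
            disabled_at[user] = when
        elif ev["event.code"] == "4625" and ev["event.category"] == "authentication":
            # Join on the account: only a disable of *this* user counts.
            if user in disabled_at and when - disabled_at[user] <= maxspan:
                hits.append((user, ev["@timestamp"]))
    return hits


if __name__ == "__main__":
    # A one-day window, like a tight maxspan, only sees alice's same-day failure.
    print(disabled_account_failures(SAMPLE_EVENTS, timedelta(days=1)))
    # A one-year window also catches the failures three months after the disable.
    print(disabled_account_failures(SAMPLE_EVENTS, timedelta(days=365)))
```

The second call is the behaviour the thread is after: the disable may be months old, so whatever window the detection uses has to reach back that far, and the join on the account is what stops one user's bad password from being paired with another user's disable.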
I just did GET _cat/indices/logs-* and too many results came back, so I'm not sure which data stream they are all going to.
These do not happen in a quick interval; it takes around 2-3 months to get the failed event details from the blocked account. It would be good if I could create that for some time period, too.
I just tested one for the disabled user and nothing showed up (provided the wrong password for the disabled account).
I have saved the query and created the rule, but I'm not seeing any alerts from it when I enter a wrong password, as in the screenshot below, though I do see some output from Dev Tools.
The Dev Tools output is not tailored: it shows a bad password for today and blocked-account details from 3 months before, which is odd, and they do not match.
Like Alice had a wrong password today and Bob's account was blocked last month. (It has too much private information, otherwise I would have attached a screenshot.)