Forum Discussion

kinomakino
Copper Contributor
Sep 07, 2024

Problems

First of all, thanks for the help.


I'm trying an attack/detection for an Azure Activity rule and I have several questions.
The attack is to register a new ADFS server.
According to the rule, when I register it, it should appear in the AzureActivity table. I'm pasting the rule:
AzureActivity
| where CategoryValue =~ 'Administrative'
| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'
| where _ResourceId has 'AdFederationService'   // only AD FS Hybrid Health service resources
| where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/servicemembers/action'   // a service member (server) being registered
| extend claimsJson = parse_json(Claims)
| extend AppId = tostring(claimsJson.appid), AccountName = tostring(claimsJson.name), Name = tostring(split(Caller,'@',0)[0]), UPNSuffix = tostring(split(Caller,'@',1)[0])
| project-away claimsJson

But AzureActivity doesn't have any log of this type.
I'm pasting the image where the event DOES appear.

If I search for the MS Graph API, these logs appear; I'm pasting the search here.

My conclusion is that the directory activity log is not being saved in AzureActivity, but I'm confused because the rule refers to that table. The rule is: 88f453ff-7b9e-45bb-8c12-4058ca5e44ee (Microsoft Entra ID Hybrid Health AD FS New Server)

Can you help me with this case?

Thanks!!
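As an added example (not code from the post, and not Microsoft's or Sentinel's rule), the Python below reproduces the rule's filter chain and projection over constructed AzureActivity-shaped records, so you can see exactly which column values a record must carry before the rule returns it. The `kql_has` helper is an approximation of KQL `has` (whole-term, case-insensitive match); the resource ids, app id, UPN and claims are placeholders.

```python
"""Re-implementation of the KQL predicates from the Sentinel rule quoted above,
applied to constructed AzureActivity-shaped records.

Added example; this is not the rule itself and not Microsoft's or Sentinel's code.
Column names follow the KQL in the post; every record below is invented, and the
resource id, app id and UPN are placeholders."""
import json
import re


def ci_eq(left, right):
    """KQL '=~': case-insensitive string equality."""
    return left.lower() == right.lower()


def kql_has(text, term):
    """Approximation of KQL 'has': the term must match a whole indexed term,
    not an arbitrary substring. Terms are taken as alphanumeric runs."""
    tokens = re.split(r"[^A-Za-z0-9]+", text)
    return any(tok.lower() == term.lower() for tok in tokens)


def kql_split(value, sep, index):
    """tostring(split(value, sep, index)[0]): element at index, or '' if absent."""
    parts = value.split(sep)
    return parts[index] if index < len(parts) else ""


def matches_rule(row):
    """The four 'where' predicates of the rule, in the order the rule applies them."""
    return (
        ci_eq(row.get("CategoryValue", ""), "Administrative")
        and ci_eq(row.get("ResourceProviderValue", ""), "Microsoft.ADHybridHealthService")
        and kql_has(row.get("_ResourceId", ""), "AdFederationService")
        and ci_eq(row.get("OperationNameValue", ""),
                  "Microsoft.ADHybridHealthService/services/servicemembers/action")
    )


def project(row):
    """The 'extend' step: parse Claims and derive AppId, AccountName, Name, UPNSuffix."""
    claims = json.loads(row.get("Claims") or "{}")
    caller = row.get("Caller", "")
    return {
        "Caller": caller,
        "AppId": str(claims.get("appid", "")),
        "AccountName": str(claims.get("name", "")),
        "Name": kql_split(caller, "@", 0),
        "UPNSuffix": kql_split(caller, "@", 1),
    }


def run_rule(rows):
    """Apply the predicates, then the projection, to a list of records."""
    return [project(r) for r in rows if matches_rule(r)]


# Constructed sample rows (placeholder subscription, tenant and caller; not real log data).
RESOURCE_PREFIX = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                   "AdHybridHealth/providers/Microsoft.ADHybridHealthService/services/")
OPERATION = "Microsoft.ADHybridHealthService/services/servicemembers/action"
SAMPLE_ROWS = [
    {   # satisfies every predicate: a service member registered on an AD FS service
        "CategoryValue": "Administrative",
        "ResourceProviderValue": "Microsoft.ADHybridHealthService",
        "_ResourceId": RESOURCE_PREFIX + "AdFederationService-contoso.example",
        "OperationNameValue": OPERATION,
        "Caller": "admin@contoso.example",
        "Claims": json.dumps({"appid": "placeholder-app-id", "name": "Admin User"}),
    },
    {   # same operation on a different Hybrid Health service: 'has AdFederationService' drops it
        "CategoryValue": "Administrative",
        "ResourceProviderValue": "Microsoft.ADHybridHealthService",
        "_ResourceId": RESOURCE_PREFIX + "AdDomainService-contoso.example",
        "OperationNameValue": OPERATION,
        "Caller": "admin@contoso.example",
        "Claims": json.dumps({"appid": "placeholder-app-id", "name": "Admin User"}),
    },
    {   # right provider and resource, but the category is not Administrative
        "CategoryValue": "Policy",
        "ResourceProviderValue": "Microsoft.ADHybridHealthService",
        "_ResourceId": RESOURCE_PREFIX + "AdFederationService-contoso.example",
        "OperationNameValue": OPERATION,
        "Caller": "admin@contoso.example",
        "Claims": json.dumps({"appid": "placeholder-app-id", "name": "Admin User"}),
    },
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_ROWS):
        print(hit)
```

Only the first record survives: the second fails `has 'AdFederationService'` because the resource is a different Hybrid Health service, and the third fails the category check. The script reproduces the predicates only; it cannot tell which table the registration event actually lands in, which is the question the post leaves open. AzureActivity is fed by the export of the subscription's Activity log into the workspace, so an empty result can mean either that no record matches these predicates or that the event never reached that table in the first place.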
