Sumo Logic

Lab 2 - Azure Monitoring User Top 10 Active Directory Activity

Parsing your logs allows you to give structure to your messages by identifying the fields that are meaningful to you.

Understanding what Active Directory activity you have helps you understand what users are doing in your Azure cloud and how they are using the environment, which in turn lets you detect potentially malicious activity. So you will want to create a query that shows the Top 10 Active Directory activity with user information.


Create the Azure User Top 10 AD query
  1. Create a new Log Search from the +New button. For the time range enter -24h and enter the following query:
    _sourceCategory="Labs/Azure/AD"

  2. You will notice that we are getting some data from Azure AD Cloud Sync and Microsoft.Azure.SyncFabric, which we want to remove. So modify the scope line as follows. NOTE: we are using an exclamation mark (!) to denote that we do NOT want to see this information. Your scope line should look like this:
    _sourceCategory="Labs/Azure/AD" !"Azure AD Cloud Sync" !"Microsoft.Azure.SyncFabric"

  3. You can use Sumo Logic to select the fields that you want from a JSON message by highlighting the field you want. In this case, select time, right-click, and choose Parse selected key, as shown below.

  4. Since we want to call this field event_time, add an "as" clause to the query, as shown below.
    _sourceCategory="Labs/Azure/AD" !"Azure AD Cloud Sync" !"Microsoft.Azure.SyncFabric"| json field=_raw "time" as event_time

  5. Repeat steps 3 and 4 to select the following fields:

  Field            Field name to display (needs an "as" clause)
  identity         actor
  operationName    event_type
  callerIpAddress  (none)
  resultType       result

Your query should look like this:

_sourceCategory="Labs/Azure/AD" !"Azure AD Cloud Sync" !"Microsoft.Azure.SyncFabric"
| json field=_raw "time" as event_time
| json field=_raw "identity" as actor
| json field=_raw "operationName" as event_type
| json field=_raw "callerIpAddress"
| json field=_raw "resultType" as result

  6. Now filter out any records where actor or event_type is blank. Your query should now look like this:

_sourceCategory="Labs/Azure/AD" !"Azure AD Cloud Sync" !"Microsoft.Azure.SyncFabric"
| json field=_raw "time" as event_time
| json field=_raw "identity" as actor
| json field=_raw "operationName" as event_type
| json field=_raw "callerIpAddress"
| json field=_raw "resultType" as result
| where !isEmpty(actor)
| where !isEmpty(event_type)


  7. Now count by actor and event_type, sort the results in descending order, and limit them to the top 10 by actor, event_type and count. Your query should now look like this:

_sourceCategory="Labs/Azure/AD" !"Azure AD Cloud Sync" !"Microsoft.Azure.SyncFabric"
| json field=_raw "time" as event_time
| json field=_raw "identity" as actor
| json field=_raw "operationName" as event_type
| json field=_raw "callerIpAddress"
| json field=_raw "resultType" as result
| where !isEmpty(actor)
| where !isEmpty(event_type)
| count by actor,event_type
| top 10 actor by actor,event_type,_count
| sort by _count

Now let's turn the results into a dashboard.
  1. You will notice that on the Aggregates tab in the bottom portion of the screen you have the Top 10 results sorted in descending order. Click on the Add to Dashboard button as shown below:


  2. Leave the panel name alone, type SOC <Your Initials> <Unique number> as the dashboard name as shown below, and put it in your Personal Folder.
  3. Click the Add button and your dashboard will look like this.
  4. You will build out this dashboard in other exercises.

Build a chart from this data

1. Click on the More Action button of your query tab and select Duplicate, as shown below:

2. Select the new query tab and rename the query to User Activity Chart.

3. Because you do not want to limit yourself to the Top 10, delete the last two lines of the query, specifically top 10 actor by actor,event_type,_count and sort by _count.

You will add the Transpose operator to turn these results into a pivot table, that is, to rearrange the results into rows and columns.

4. Add the following line to the query:
| transpose row actor column event_type

You will notice that your event types are across the columns and your actor names are down the rows.
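The whole pipeline the lab builds, from the scope exclusions through the parsed aliases, the blank-value filter, the Top 10 count and the transpose, reproduced offline in Python as an added example (not part of the lab or Sumo Logic's own code). The input messages are constructed samples in the shape of the Azure AD records the lab parses, and the scope exclusions are approximated as a substring match on the raw message.

```python
import json
from collections import Counter

# Constructed sample messages in the shape of Azure AD activity logs (not real data).
# One is Azure AD Cloud Sync noise and one has an empty identity, to exercise the filters.
SAMPLE_LOGS = [
    '{"time":"2024-05-01T09:00:00Z","identity":"alice@example.com","operationName":"Sign-in activity","callerIpAddress":"203.0.113.10","resultType":"0"}',
    '{"time":"2024-05-01T09:01:00Z","identity":"alice@example.com","operationName":"Sign-in activity","callerIpAddress":"203.0.113.10","resultType":"0"}',
    '{"time":"2024-05-01T09:02:00Z","identity":"bob@example.com","operationName":"Add member to group","callerIpAddress":"198.51.100.7","resultType":"0"}',
    '{"time":"2024-05-01T09:03:00Z","identity":"alice@example.com","operationName":"Update user","callerIpAddress":"203.0.113.10","resultType":"0"}',
    '{"time":"2024-05-01T09:04:00Z","identity":"Azure AD Cloud Sync","operationName":"Update user","callerIpAddress":"","resultType":"0"}',
    '{"time":"2024-05-01T09:05:00Z","identity":"","operationName":"Sign-in activity","callerIpAddress":"192.0.2.44","resultType":"50126"}',
    '{"time":"2024-05-01T09:06:00Z","identity":"bob@example.com","operationName":"Add member to group","callerIpAddress":"198.51.100.7","resultType":"0"}',
    '{"time":"2024-05-01T09:07:00Z","identity":"bob@example.com","operationName":"Add member to group","callerIpAddress":"198.51.100.7","resultType":"0"}',
]

# Scope exclusions: !"Azure AD Cloud Sync" !"Microsoft.Azure.SyncFabric"
EXCLUDE = ("Azure AD Cloud Sync", "Microsoft.Azure.SyncFabric")

def parse_records(raw_lines):
    """json field=_raw "<key>" as <alias> for each field, then where !isEmpty(actor/event_type)."""
    records = []
    for raw in raw_lines:
        if any(term in raw for term in EXCLUDE):  # whole-message keyword exclusion, like the scope line
            continue
        msg = json.loads(raw)
        rec = {
            "event_time": msg.get("time", ""),
            "actor": msg.get("identity", ""),
            "event_type": msg.get("operationName", ""),
            "callerIpAddress": msg.get("callerIpAddress", ""),
            "result": msg.get("resultType", ""),
        }
        if not rec["actor"] or not rec["event_type"]:  # drop blank actors / event types
            continue
        records.append(rec)
    return records

def top_activity(records, n=10):
    """count by actor,event_type | top n by _count | sort by _count (descending)."""
    counts = Counter((r["actor"], r["event_type"]) for r in records)
    return [(actor, event_type, c) for (actor, event_type), c in counts.most_common(n)]

def transpose(rows):
    """transpose row actor column event_type: one row per actor, event types as columns."""
    table = {}
    for actor, event_type, c in rows:
        table.setdefault(actor, {})[event_type] = c
    return table
```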

5. Change this to a line chart by clicking on the line icon on the Aggregates tab. Your results should look like this:

6. Click on the Add to Dashboard button and add it to your existing dashboard that you created earlier. You will organize and arrange the dashboard panels in a later exercise.