
Lab 7 - Investigating with Azure Active Directory Security Dashboard Effectively

Putting the previous four labs together to build the Azure Active Directory dashboard.

Let's finish the dashboard so you have a final product for all of these queries. Additionally, you will turn some of your queries into parameters so that specific users and event types can be selected and filtered. In order to accomplish this, you will need to a) modify the query by adding parameters, b) modify the properties of the parameters to use a Lookup for the specific values of user or event type, and c) create those lookups for the user and event type.

Organize and put the finishing touches on your dashboard


  1. Open up the dashboard you have been creating and allow it to be edited by clicking on the edit pencil on the upper right toolbar.
  2. Now let's change the title by clicking on the edit pencil just to the right of the Dashboard Title.
  3. Change this title to Azure Active Directory Security.
  4. Since we want the Map and Azure AD Geo of SigninActivity listed side by side, adjust their size to make them each 1/2 the width of the dashboard and move them to the first row.
  5. Then add the other three panels in the second row side by side, in the order that you feel provides the best information. Expand the bottom of each of those panels so that the scrollbars on the right side of each panel are removed. NOTE: It might be difficult to adjust the Top 10 High Number of Password Updates panel enough to remove the scroll bar, so this panel can keep the scroll bar on the right.
  6. If you want to change the theme from a light theme to a dark theme, select the More Action button on the toolbar and select Toggle Theme.
  7. Choose the theme that you like best.
  8. Click the Done Editing button and your dashboard should look something like this.

Create a Parameter 


  1. For deeper investigation of what you detected, you can single out a particular user (actor) or event_type. In the Azure AD Geo of SignInActivity panel, click Open In Search.

  2. To create a parameter you need to add matching filters for each of the parameters user (actor) and event_type. NOTE: use matches instead of = to support wildcards (*). In the query builder, after
    | where !isEmpty(event_type) insert the following 2 lines:

| where event_type matches {{event_type}}
| where actor matches {{actor}}

Your code should look like this: 

_sourceCategory="Labs/Azure/AD" !"Azure AD Cloud Sync" !"Microsoft.Azure.SyncFabric"
| json field=_raw "time" as event_time
| json field=_raw "identity" as actor
| json field=_raw "operationName" as event_type
| json field=_raw "callerIpAddress"
| json field=_raw "resultType" as result
| where !isEmpty(actor)
| where !isEmpty(event_type)
| where event_type matches {{event_type}}
| where actor matches {{actor}}
| count by actor,event_type
| top 10 actor by actor,event_type,_count
| sort by _count desc

  3. Next to the query you will now see a parameter window with fields for you to enter your values for event_type and actor. For the event_type, type in Sign-in activity, and for the actor, type in tgugler@yxshop.com. While you will not get results on these two values, we will create lookup tables and make it easier to select values rather than type them in.

Add a lookup table to the parameter Actor
  1. To add a lookup table, you will need to create the table by using this query.  In a new query, select -24 hours as your timeframe and copy and paste this query in. 

_sourceCategory="Labs/Azure/AD" !"Azure AD Cloud Sync" !"Microsoft.Azure.SyncFabric"
| json field=_raw "identity" as actor
| count by actor
| fields - _count
| save shared/azure_actor_list     

  2. When you run this query, you will see a panel appear to confirm that you want to save the results inside of Sumo Logic. Click the Run button.
  3. To confirm that this query ran successfully, in another search query run the following query: cat shared/azure_actor_list
  4. You should see the contents of your file.
  5. Now you need to modify the parameter settings by clicking on the More Action button and selecting Manage Parameter Settings.
  6. In this panel set the default value to * and then expand Set Values for Parameter; in Choose how you want to build a list to autocomplete values for your users, select Lookup.
  7. In the Lookup file field, enter shared/azure_actor_list. For Select a Field for Values, you should see Actor appear; if not, click in it and select it. Click the Save button.

Add a lookup table to the parameter Event_Type
  1. To add a lookup table, you will need to create the table by using this query.  In a new query, select -24 hours as your timeframe and copy and paste this query in. 
    _sourceCategory="Labs/Azure/AD" !"Azure AD Cloud Sync" !"Microsoft.Azure.SyncFabric"
    | json field=_raw "operationName" as event_type
    | count by event_type
    | fields - _count
    | save shared/azure_eventtype_list   
  2. When you run this query, you will see a panel appear to confirm that you want to save the results inside of Sumo Logic. Click the Run button.
  3. To confirm that this query ran successfully, in another search query run the following query: cat shared/azure_eventtype_list
  4. You should see the contents of your file.
  5. Now you need to modify the parameter settings by clicking on the More Action button and selecting Manage Parameter Settings.
  6. In this panel set the default value to * and then expand Set Values for Parameter; in Choose how you want to build a list to autocomplete values for your users, select Lookup.
  7. In the Lookup file field, enter shared/azure_eventtype_list. For Select a Field for Values, you should see event_type appear; if not, click in it and select it. Click the Save button.

  1. In the Azure AD Geo of SigninActivity query, click the Update Dashboard button on the Aggregates tab.

On the Dashboard, select the filter icon for the dashboard; this will open the filter panel and show you that you can select either the user or the event type.

If you backspace over the * in the user field, you will see a picklist of users. That picklist comes from our lookup file azure_actor_list.

Then, as you select a specific user or event type, the data in your Azure AD Geo of SignInActivity panel is filtered by that user or event type.

You can modify the other queries by adding these lines to them. NOTE: do not forget to select the Update Dashboard button to update the dashboard.
| where event_type matches {{event_type}}
| where actor matches {{actor}}

This will allow those queries to use the parameters and lookup tables and be filtered based on the values you choose from the filter panel of your dashboard.
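To make concrete what the parameterised query and the two lookup-table queries above actually compute, here is an added Python emulation of that pipeline; it is example code written for this lab page, not Sumo Logic's own code or query engine. It assumes a handful of constructed JSON messages carrying the same keys the lab extracts (time, identity, operationName, callerIpAddress, resultType) with hypothetical users and documentation-range IP addresses, treats a missing key as an empty value, and treats only * as a wildcard in a case-sensitive match, which is an assumption about how the matches operator behaves.

```python
import json
import re
from collections import Counter

# Constructed sample messages (hypothetical users; IPs from documentation ranges).
# The keys mirror the lab's json extractions; the real Azure AD schema is not reproduced.
RAW_LOGS = [
    '{"time": "2020-07-17T13:01:00Z", "identity": "alice@example.com", "operationName": "Sign-in activity", "callerIpAddress": "203.0.113.10", "resultType": "0"}',
    '{"time": "2020-07-17T13:02:00Z", "identity": "alice@example.com", "operationName": "Sign-in activity", "callerIpAddress": "203.0.113.10", "resultType": "0"}',
    '{"time": "2020-07-17T13:03:00Z", "identity": "bob@example.com", "operationName": "Sign-in activity", "callerIpAddress": "198.51.100.7", "resultType": "50126"}',
    '{"time": "2020-07-17T13:04:00Z", "identity": "alice@example.com", "operationName": "Update user", "callerIpAddress": "203.0.113.10", "resultType": "0"}',
    '{"time": "2020-07-17T13:05:00Z", "operationName": "Sign-in activity", "callerIpAddress": "192.0.2.9", "resultType": "0"}',
    '{"time": "2020-07-17T13:06:00Z", "identity": "carol@example.com", "operationName": "Reset user password", "callerIpAddress": "192.0.2.55", "resultType": "0"}',
    '{"time": "2020-07-17T13:07:00Z", "identity": "bob@example.com", "operationName": "Sign-in activity", "callerIpAddress": "198.51.100.7", "resultType": "50126"}',
]

# Mirrors the lab's `json field=_raw "<key>" as <name>` lines.
FIELD_MAP = {
    "time": "event_time",
    "identity": "actor",
    "operationName": "event_type",
    "callerIpAddress": "callerIpAddress",
    "resultType": "result",
}


def parse_records(raw_lines):
    """Extract the five fields from each JSON message.

    A missing key becomes "" so that the isEmpty() filters below drop the row.
    That is a modelling choice for this example, not a claim about the json operator.
    """
    records = []
    for line in raw_lines:
        obj = json.loads(line)
        records.append({name: str(obj.get(key, "")) for key, name in FIELD_MAP.items()})
    return records


def wildcard_to_regex(pattern):
    """Turn a parameter value such as "alice*" into a compiled regex.

    Only "*" is a wildcard; every other character is matched literally and
    case-sensitively (an assumption about the `matches` operator).
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts))


def build_lookup(records, field):
    """Distinct non-empty values of one field, i.e. what the
    `count by X | fields - _count | save ...` queries produce for the picklists."""
    return sorted({r[field] for r in records if r[field]})


def run_signin_query(records, event_type="*", actor="*", limit=10):
    """Emulate the parameterised query: the two isEmpty filters, the two
    `matches {{...}}` parameters, `count by actor,event_type`, then the top
    `limit` rows sorted by count descending."""
    et_re = wildcard_to_regex(event_type)
    ac_re = wildcard_to_regex(actor)
    counts = Counter()
    for r in records:
        if not r["actor"] or not r["event_type"]:
            continue  # | where !isEmpty(actor) / | where !isEmpty(event_type)
        if not et_re.fullmatch(r["event_type"]) or not ac_re.fullmatch(r["actor"]):
            continue  # | where event_type matches {{event_type}} / actor matches {{actor}}
        counts[(r["actor"], r["event_type"])] += 1
    # Break ties on the group key so equal counts come back in a stable order.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(a, e, n) for (a, e), n in ranked[:limit]]


if __name__ == "__main__":
    recs = parse_records(RAW_LOGS)
    print("actor lookup:", build_lookup(recs, "actor"))
    print("event_type lookup:", build_lookup(recs, "event_type"))
    print("defaults (* / *):", run_signin_query(recs))
    print("actor=alice*:", run_signin_query(recs, actor="alice*"))
    print("event_type=*password*:", run_signin_query(recs, event_type="*password*"))
```

Running it with the default * in both parameters returns every actor/event_type pair, which is exactly what the dashboard shows before you pick a value from the filter panel; narrowing actor to alice* or event_type to *password* shrinks the result to that user or that class of operation, and the message with no identity never appears in either the query result or the actor picklist because the isEmpty filter and the lookup builder both discard it.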