19 строки
1.2 KiB
Plaintext
19 строки
1.2 KiB
Plaintext
// ForgeRock Audit Handler - Data Parser
|
|
// Last Updated Date: July 18, 2020
|
|
//
|
|
//This parses ForgeRock Indentity and Access Management Audit Events and extract keys based events and their various components. It is assumed that ForgeRock Common Audit for Microsoft Azure Sentinel logging is enabled in the tenant.
|
|
// https://github.com/javaservlets/SentinelAuditEventHandler
|
|
////
|
|
// Usage Instruction :
|
|
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias. To work with pre-built ForgeRock queries this function should be given the alias of getForgeRockUsers. You can then use function alias from any other queries (e.g. getForgeRockUsers | take 10).
|
|
//
|
|
// References :
|
|
// Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
|
|
// Tech Community Blog on KQL Functions : https://techcommunity.microsoft.com/t5/Azure-Sentinel/Using-KQL-functions-to-speed-up-analysis-in-Azure-Sentinel/ba-p/712381
|
|
//
|
|
//
|
|
|
|
CommonSecurityLog
|
|
| where DeviceVendor =~ "ForgeRock Inc"
|
|
| extend User_Name = split(split(AdditionalExtensions, ";", 3)[0], "=", 1)[0] // extract userID from 4th field in json payload
|