We are doing analytics on ADFS logon failures - Windows event ID 364. We are interested the Relying Party specifically. We want to get counts of the logon failures by the Relying Party. We can see the relying party in the raw event message but it cannot be queried on in the analytics or selected as a display column. Does anybody know how to handle this situation?
Solved! Go to Solution.
After opening a ticket with Fortinet support this has classified as a bug: bug report #1028529
Can you post a sanitized raw message from FortiSIEM and I can take a look?
Here is the raw message format:
"
2024-04-03T15:05:04Z ADFS.ABDEF.com 192.168.194.244 celOps-WUA-WinLog-AD xx/xxxx [phCustId]="1" [customer]="super" [monitorStatus]="Success" [Locale]="en-US" [MachineGuid]="92bb4a15-e201-4a1c-a415-db27b1ec3e32" [timeZone]="-0500" [eventName]="AD xx/xxxx" [eventSource]="AD FS" [eventId]="364" [eventType]="Warning" [domain]="abcdefg" [computer]="ADFS.ABDEF.com" [user]="bob" [userSID]="S-1-5-21-1960408961-1303643608-1801674531-49031" [userSIDAcctType]="User" [eventTime]="Apr 03 2024 15:05:03" [deviceTime]="Apr 03 2024 15:05:03" [msg]="Encountered error during federation passive request.
Additional Data
Protocol Name:
Saml
Relying Party:
https://app.company.com/application
Exception details:
Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSignatureAlgorithmMismatchException: MSIS7093: The message is not signed with expected signature algorithm."
Thank you.
If you are using ClickHouse as the database you can use the EXTRACT function as follows in a Display Field..
EXTRACT(Raw Event Log, "Relying Party: (.*?\n)")
This should give you what you need in a field, and then you can add the COUNT.
Our version is 6.7.9. Is Phoenix the clickhouse database? I thought it was based on Postgres.
The way to check would be under Admin -> Setup -> Storage / Online and look the Event Database.
if this is EventDB then your only option would be a parser modification to extract the value.
It's eventDB. Modifying the parser doesn't sound like an easy task.
After opening a ticket with Fortinet support this has classified as a bug: bug report #1028529
Welcome to your new Fortinet Community!
You'll find your previous forum posts under "Forums"
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.