I believe the issue is having the placeholder variables within the nested OR statements. I've seen this when building some of the community rules, and the resolution I found was to move the placeholder variables outside the parentheses. The following compiles correctly, but I'm not sure if the output aligns with what you are expecting. There may be something additional that will need to be added.
events:
    $event.metadata.product_event_type = "Update user"
    $event.metadata.log_type = "AZURE_AD_AUDIT"
    $event.principal.application = "Azure MFA StrongAuthenticationService"
    $targetuser = $event.target.user.userid
    (
        $event.src.resource.attribute.labels["StrongAuthenticationMethod"] != "" or
        $event.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] != ""
    )
    $OldRememberTrustedDevices = $event.src.resource.attribute.labels["StrongAuthenticationMethod"]
    $NewRememberTrustedDevices = $event.target.resource.attribute.labels["StrongAuthenticationMethod"]
    $OldRememberTrustedPhone = $event.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"]
    $NewRememberTrustedPhone = $event.target.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"]
@jstoner: What I am trying to get as output is a perfect OR condition, where alerts should trigger if any change is observed in either StrongAuthenticationMethod or StrongAuthenticationPhoneAppDetail, and also where there is a change in both values for a user.
I have tried 2 options; both seem not to be working.
Your method: it works if one of the values gets changed, but when both values are changed for a user it is not working.
events:
    $event.metadata.product_event_type = "Update user"
    $event.metadata.log_type = "AZURE_AD_AUDIT"
    $event.principal.application = "Azure MFA StrongAuthenticationService"
    $targetuser = $event.target.user.userid
    (
        $event.src.resource.attribute.labels["StrongAuthenticationMethod"] != "" or
        $event.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] != ""
        //$event.target.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] = /DeviceName:NO_DEVICE/ and
        //$event.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] != /DeviceName:NO_DEVICE/
    )
    $OldRememberTrustedDevices = $event.src.resource.attribute.labels["StrongAuthenticationMethod"]
    $NewRememberTrustedDevices = $event.target.resource.attribute.labels["StrongAuthenticationMethod"]
    $OldRememberTrustedPhone = $event.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"]
    $NewRememberTrustedPhone = $event.target.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"]
match:
    $targetuser over 10m
outcome:
    $changes = array_distinct(if($OldRememberTrustedDevices != $NewRememberTrustedDevices, "Yes", "No"))
    $phone_change = array_distinct(if($OldRememberTrustedPhone != $NewRememberTrustedPhone, "Yes", "No"))
When I ran this logic I can see there are users for which both values (StrongAuthenticationMethod and StrongAuthenticationPhoneAppDetail) are changing for a user:
events:
    (
        $event.metadata.product_event_type = "Update user" and
        $event.metadata.log_type = "AZURE_AD_AUDIT" and
        $event.principal.application = "Azure MFA StrongAuthenticationService" and
        $targetuser = $event.target.user.userid and
        $event.src.resource.attribute.labels["StrongAuthenticationMethod"] != "" and
        $event.target.resource.attribute.labels["StrongAuthenticationMethod"] != "" and
        $event.src.resource.attribute.labels["StrongAuthenticationMethod"] = $OldRememberTrustedDevices and
        $NewRememberTrustedDevices = $event.target.resource.attribute.labels["StrongAuthenticationMethod"]
    )
    and
    (
        $event1.metadata.product_event_type = "Update user" and
        $event1.metadata.log_type = "AZURE_AD_AUDIT" and
        $event1.principal.application = "Azure MFA StrongAuthenticationService" and
        $targetuser = $event1.target.user.userid and
        $event1.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] != "" and
        $event1.target.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] != "" and
        $OldRememberTrustedPhone = $event1.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] and
        $NewRememberTrustedPhone = $event1.target.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"]
    )
I tried the OR option in a similar way, but it does not seem to be working:
events:
    (
        $event.metadata.product_event_type = "Update user" and
        $event.metadata.log_type = "AZURE_AD_AUDIT" and
        $event.principal.application = "Azure MFA StrongAuthenticationService" and
        $targetuser = $event.target.user.userid and
        $event.src.resource.attribute.labels["StrongAuthenticationMethod"] != "" and
        $event.target.resource.attribute.labels["StrongAuthenticationMethod"] != "" and
        $event.src.resource.attribute.labels["StrongAuthenticationMethod"] = $OldRememberTrustedDevices and
        $NewRememberTrustedDevices = $event.target.resource.attribute.labels["StrongAuthenticationMethod"]
    )
    or
    (
        $event1.metadata.product_event_type = "Update user" and
        $event1.metadata.log_type = "AZURE_AD_AUDIT" and
        $event1.principal.application = "Azure MFA StrongAuthenticationService" and
        $targetuser = $event1.target.user.userid and
        $event1.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] != "" and
        $event1.target.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] != "" and
        $OldRememberTrustedPhone = $event1.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] and
        $NewRememberTrustedPhone = $event1.target.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"]
    )
match:
    $targetuser over 10m
outcome:
    $changes = array_distinct(if($OldRememberTrustedDevices != $NewRememberTrustedDevices, "Yes", "No"))
    $phone_change = array_distinct(if($OldRememberTrustedPhone != $NewRememberTrustedPhone, "Yes", "No"))
condition:
    $event and $event1
}

Not sure where I am going wrong.
The placeholder variables within the parentheses are where the problem exists, which is why I tried to move these outside the parentheses...
The piece still in parentheses is "not equal null OR not equal null"....should this be AND instead? Not sure if that would help, but I figured I would mention it as I don't have your data...
Could you do something like what I showed, with the placeholder variables outside of the parentheses, but maybe with the outcome variables being something like: if the first set of criteria is X, then 1, else 0. Then do the same for the second set of criteria, so it would look something like this:
events:
    $event.metadata.product_event_type = "Update user"
    $event.metadata.log_type = "AZURE_AD_AUDIT"
    $event.principal.application = "Azure MFA StrongAuthenticationService"
    $targetuser = $event.target.user.userid
    (
        $event.src.resource.attribute.labels["StrongAuthenticationMethod"] != "" or
        $event.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] != ""
    )
    $OldRememberTrustedDevices = $event.src.resource.attribute.labels["StrongAuthenticationMethod"]
    $NewRememberTrustedDevices = $event.target.resource.attribute.labels["StrongAuthenticationMethod"]
    $OldRememberTrustedPhone = $event.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"]
    $NewRememberTrustedPhone = $event.target.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"]
match:
    $targetuser over 10m
outcome:
    $changes = max(if($OldRememberTrustedDevices != $NewRememberTrustedDevices, 1, 0))
    $phone_change = max(if($OldRememberTrustedPhone != $NewRememberTrustedPhone, 1, 0))
    $sum_change = $changes + $phone_change
condition:
    $event and $sum_change > 1
}
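To make the aggregation in the rule above concrete, here is a Python model of it, added for this page and not code from the thread or from the Chronicle/YARA-L engine. It applies the events: filters with the placeholders outside the parentheses, groups matching events per target user into 10-minute windows, computes the max(if(old != new, 1, 0)) flags and their sum, and then evaluates the condition at two thresholds: $sum_change > 1, which only passes when both labels changed within the window, and $sum_change > 0, which passes when either or both changed (the OR behaviour asked for earlier in the thread). The events, label values, timestamps and the window-splitting rule (a new window starts when an event is more than 10 minutes after the window's first event) are constructed assumptions, not Azure AD audit data or the engine's exact windowing; a missing label is treated as "" here, which is also an assumption.

```python
"""Model of the per-user 10m aggregation and threshold check from the YARA-L rule.
All sample events below are constructed for illustration (not real Azure AD data)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

METHOD = "StrongAuthenticationMethod"
PHONE = "StrongAuthenticationPhoneAppDetail"
WINDOW = timedelta(minutes=10)  # match: $targetuser over 10m


@dataclass
class Event:
    ts: datetime
    product_event_type: str
    log_type: str
    principal_application: str
    target_user: str  # $event.target.user.userid
    src_labels: Dict[str, str] = field(default_factory=dict)     # $event.src.resource.attribute.labels
    target_labels: Dict[str, str] = field(default_factory=dict)  # $event.target.resource.attribute.labels


def matches_events_section(e: Event) -> bool:
    """The events: filters, with the placeholder assignments kept outside the parentheses."""
    if e.product_event_type != "Update user":
        return False
    if e.log_type != "AZURE_AD_AUDIT":
        return False
    if e.principal_application != "Azure MFA StrongAuthenticationService":
        return False
    # ( src[METHOD] != "" or src[PHONE] != "" ); a missing label is assumed to behave like ""
    return e.src_labels.get(METHOD, "") != "" or e.src_labels.get(PHONE, "") != ""


def _flag(e: Event, label: str) -> int:
    """if($Old != $New, 1, 0) for one label on one event."""
    return 1 if e.src_labels.get(label, "") != e.target_labels.get(label, "") else 0


def _window_outcome(window: List[Event]) -> Dict[str, int]:
    """outcome: $changes = max(...), $phone_change = max(...), $sum_change = sum of both."""
    changes = max(_flag(e, METHOD) for e in window)
    phone_change = max(_flag(e, PHONE) for e in window)
    return {"changes": changes, "phone_change": phone_change, "sum_change": changes + phone_change}


def outcomes_per_window(events: List[Event]) -> Dict[str, List[Dict[str, int]]]:
    """Group matching events per $targetuser into 10m windows (assumed split rule: a new
    window starts when an event is more than WINDOW after the window's first event)."""
    per_user: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda x: x.ts):
        if matches_events_section(e):
            per_user.setdefault(e.target_user, []).append(e)
    result: Dict[str, List[Dict[str, int]]] = {}
    for user, evs in per_user.items():
        windows: List[List[Event]] = []
        current: List[Event] = []
        start = None
        for e in evs:
            if start is None or e.ts - start > WINDOW:
                if current:
                    windows.append(current)
                current, start = [], e.ts
            current.append(e)
        windows.append(current)
        result[user] = [_window_outcome(w) for w in windows]
    return result


def users_alerting(events: List[Event], threshold: int) -> List[str]:
    """condition: $event and $sum_change > threshold (1 in the rule above, 0 for an OR)."""
    return sorted(u for u, outs in outcomes_per_window(events).items()
                  if any(o["sum_change"] > threshold for o in outs))


T0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed base timestamp


def _ev(minute: int, user: str, src_method: str, tgt_method: str,
        src_phone: str, tgt_phone: str) -> Event:
    return Event(T0 + timedelta(minutes=minute), "Update user", "AZURE_AD_AUDIT",
                 "Azure MFA StrongAuthenticationService", user,
                 {METHOD: src_method, PHONE: src_phone},
                 {METHOD: tgt_method, PHONE: tgt_phone})


# Constructed sample: label values are placeholders, not real Azure AD label formats.
SAMPLE_EVENTS = [
    _ev(0, "alice", "method-A", "method-B", "phone-1", "phone-1"),   # only the method changes
    _ev(1, "bob",   "method-A", "method-A", "phone-1", "phone-2"),   # only the phone detail changes
    _ev(2, "carol", "method-A", "method-B", "phone-1", "phone-2"),   # both change in one event
    _ev(3, "dave",  "method-A", "method-B", "phone-1", "phone-1"),   # both change, across two
    _ev(6, "dave",  "method-B", "method-B", "phone-1", "phone-2"),   #   events in the same window
    _ev(4, "erin",  "method-A", "method-A", "phone-1", "phone-1"),   # update with no label change
    _ev(5, "frank", "",         "method-B", "",        "phone-2"),   # empty src labels: filtered out
]

if __name__ == "__main__":
    print("sum_change > 1:", users_alerting(SAMPLE_EVENTS, 1))
    print("sum_change > 0:", users_alerting(SAMPLE_EVENTS, 0))
```

With the constructed sample, the `> 1` threshold alerts only on carol and dave (both labels changed within their window), while `> 0` also alerts on alice and bob; erin produces a window with sum 0 and frank never reaches the outcome stage because both of his source labels are empty.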