Skip to main content

MFA alert

  • November 19, 2024
  • 3 replies
  • 48 views
rahul7514
Forum|alt.badge.img+10

Hi 
Can someone tell me where i am going wrong , i getting this error 

 

events: $event.metadata.product_event_type = "Update user" $event.metadata.log_type = "AZURE_AD_AUDIT" $event.principal.application = "Azure MFA StrongAuthenticationService" $targetuser = $event.target.user.userid ( $event.src.resource.attribute.labels["StrongAuthenticationMethod"] != "" and $event.src.resource.attribute.labels["StrongAuthenticationMethod"] = $OldRememberTrustedDevices and $NewRememberTrustedDevices = $event.target.resource.attribute.labels["StrongAuthenticationMethod"] ) or ( $event.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] != "" and $OldRememberTrustedPhone = $event.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] and $NewRememberTrustedPhone = $event.target.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] ) match: $targetuser over 10m

 

3 replies

jstoner
Staff
Forum|alt.badge.img+22
  • jstoner
  • Staff
  • November 19, 2024

I believe the issue is having the placeholder variables within the nested OR statements. I've seen this when building some of the community rules and the resolution I found was to move the placeholder variables outside the parentheses. The following compiles correctly, but not sure if the output aligns with what you are expecting. There may be something additional that will need to be added.

events:
$event.metadata.product_event_type = "Update user"
$event.metadata.log_type = "AZURE_AD_AUDIT"
$event.principal.application = "Azure MFA StrongAuthenticationService"
$targetuser = $event.target.user.userid

(
$event.src.resource.attribute.labels["StrongAuthenticationMethod"] != "" or
$event.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] != ""
)

$OldRememberTrustedDevices = $event.src.resource.attribute.labels["StrongAuthenticationMethod"]
$NewRememberTrustedDevices = $event.target.resource.attribute.labels["StrongAuthenticationMethod"]
$OldRememberTrustedPhone = $event.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"]
$NewRememberTrustedPhone = $event.target.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"]
rahul7514
Forum|alt.badge.img+10
  • rahul7514Bronze 2
  • Author
  • Bronze 2
  • November 22, 2024

I believe the issue is having the placeholder variables within the nested OR statements. I've seen this when building some of the community rules and the resolution I found was to move the placeholder variables outside the parentheses. The following compiles correctly, but not sure if the output aligns with what you are expecting. There may be something additional that will need to be added.

events:
$event.metadata.product_event_type = "Update user"
$event.metadata.log_type = "AZURE_AD_AUDIT"
$event.principal.application = "Azure MFA StrongAuthenticationService"
$targetuser = $event.target.user.userid

(
$event.src.resource.attribute.labels["StrongAuthenticationMethod"] != "" or
$event.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] != ""
)

$OldRememberTrustedDevices = $event.src.resource.attribute.labels["StrongAuthenticationMethod"]
$NewRememberTrustedDevices = $event.target.resource.attribute.labels["StrongAuthenticationMethod"]
$OldRememberTrustedPhone = $event.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"]
$NewRememberTrustedPhone = $event.target.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"]

@jstoner : What i am trying to get output is a perfect OR condition where alerts should trigger there is any changes observed in either StrongAuthenticationMethod or StrongAuthenticationPhoneAppDetail and even where there is change in both values for a user

I have tried 2 options both seem to be not working 
your method : it works if one of the value gets changes but not when both values are changed for a user it is not working 

 

 

$event.metadata.product_event_type = "Update user" $event.metadata.log_type = "AZURE_AD_AUDIT" $event.principal.application = "Azure MFA StrongAuthenticationService" $targetuser = $event.target.user.userid ( $event.src.resource.attribute.labels["StrongAuthenticationMethod"] != "" or $event.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] != "" //$event.target.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] = /DeviceName:NO_DEVICE/ and //$event.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] != /DeviceName:NO_DEVICE/ ) $OldRememberTrustedDevices = $event.src.resource.attribute.labels["StrongAuthenticationMethod"] $NewRememberTrustedDevices = $event.target.resource.attribute.labels["StrongAuthenticationMethod"] $OldRememberTrustedPhone = $event.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] $NewRememberTrustedPhone = $event.target.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] match: $targetuser over 10m outcome: $changes = array_distinct(if($OldRememberTrustedDevices != $NewRememberTrustedDevices, "Yes", "No")) $phone_change = array_distinct(if($OldRememberTrustedPhone != $NewRememberTrustedPhone, "Yes", "No"))

 

When i ran this logic i can see there are users for which both values (StrongAuthenticationMethod and StrongAuthenticationPhoneAppDetail are changing for a user

events: ($event.metadata.product_event_type = "Update user" and $event.metadata.log_type = "AZURE_AD_AUDIT" and $event.principal.application = "Azure MFA StrongAuthenticationService" and $targetuser = $event.target.user.userid and $event.src.resource.attribute.labels["StrongAuthenticationMethod"] != "" and $event.target.resource.attribute.labels["StrongAuthenticationMethod"] != "" and $event.src.resource.attribute.labels["StrongAuthenticationMethod"] = $OldRememberTrustedDevices and $NewRememberTrustedDevices = $event.target.resource.attribute.labels["StrongAuthenticationMethod"] ) and ($event1.metadata.product_event_type = "Update user" and $event1.metadata.log_type = "AZURE_AD_AUDIT" and $event1.principal.application = "Azure MFA StrongAuthenticationService" and $targetuser = $event1.target.user.userid and $event1.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] != "" and $event1.target.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] != "" and $OldRememberTrustedPhone = $event1.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] and $NewRememberTrustedPhone = $event1.target.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] )




I tried in a similar way the or option but it does not seem to be working 

 

 

events: ($event.metadata.product_event_type = "Update user" and $event.metadata.log_type = "AZURE_AD_AUDIT" and $event.principal.application = "Azure MFA StrongAuthenticationService" and $targetuser = $event.target.user.userid and $event.src.resource.attribute.labels["StrongAuthenticationMethod"] != "" and $event.target.resource.attribute.labels["StrongAuthenticationMethod"] != "" and $event.src.resource.attribute.labels["StrongAuthenticationMethod"] = $OldRememberTrustedDevices and $NewRememberTrustedDevices = $event.target.resource.attribute.labels["StrongAuthenticationMethod"] ) or ($event1.metadata.product_event_type = "Update user" and $event1.metadata.log_type = "AZURE_AD_AUDIT" and $event1.principal.application = "Azure MFA StrongAuthenticationService" and $targetuser = $event1.target.user.userid and $event1.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] != "" and $event1.target.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] != "" and $OldRememberTrustedPhone = $event1.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] and $NewRememberTrustedPhone = $event1.target.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] ) match: $targetuser over 10m outcome: $changes = array_distinct(if($OldRememberTrustedDevices != $NewRememberTrustedDevices, "Yes", "No")) $phone_change = array_distinct(if($OldRememberTrustedPhone != $NewRememberTrustedPhone, "Yes", "No")) condition: $event and $event1 }

 

 

 

Not sure where i am going wrong 

jstoner
Staff
Forum|alt.badge.img+22
  • jstoner
  • Staff
  • November 22, 2024

The placeholder variables within the parenthesis are where the problem exists which is why i tried to move these outside the parenthesis...

The piece still in parenthesis not equal null OR not equal null....should this be AND instead?  Not sure if that would help but figure i would mention as I don't have your data...

Could you do something like what i showed with the placeholder variables outside of the parenthesis but maybe with the outcome variables being being something like if the first set of criteria is X, then 1, else 0. Then do the same for the second set of criteria, so it would look something like this:

 
events:
$event.metadata.product_event_type = "Update user"
$event.metadata.log_type = "AZURE_AD_AUDIT"
$event.principal.application = "Azure MFA StrongAuthenticationService"
$targetuser = $event.target.user.userid

(
$event.src.resource.attribute.labels["StrongAuthenticationMethod"] != "" or
$event.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"] != ""
)

$OldRememberTrustedDevices = $event.src.resource.attribute.labels["StrongAuthenticationMethod"]
$NewRememberTrustedDevices = $event.target.resource.attribute.labels["StrongAuthenticationMethod"]
$OldRememberTrustedPhone = $event.src.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"]
$NewRememberTrustedPhone = $event.target.resource.attribute.labels["StrongAuthenticationPhoneAppDetail"]

match:
$targetuser over 10m 

outcome:
$changes = max(if($OldRememberTrustedDevices != $NewRememberTrustedDevices, 1, 0))
$phone_change = max(if($OldRememberTrustedPhone != $NewRememberTrustedPhone, 1, 0))
$sum_change = $changes + $phone_change

condition:
$event and $sum_change > 1
}

 

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.