[ASIM] Authentication AADSigninLogs parser rewrite#13409
| TargetSessionId = CorrelationId, | ||
| TargetUserId = UserId, | ||
| TargetUsername = UserPrincipalName, | ||
| TargetOriginalAppType = ClientAppUsed |
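Review bot: The last line, `TargetOriginalAppType = ClientAppUsed`, fills a Target-prefixed field from a column whose name says it describes the client side of the sign-in. If that is intended, add a comment above the line explaining why; if not, assign the value to a field that describes the acting application, and move anything derived from this value along with it.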
You map client app (which is source) to targetapp. This also makes the type lookup incorrect.
Not sure if I follow.
We have source ClientAppUsed, which is mapped to TargetOriginalAppType, which is also used to map to the normalized TargetAppType column.
We will have both TargetOriginalAppType and TargetAppType.
I believe that ClientAppUsed is ActingApp and not TargetApp.
Parsers/ASimAuthentication/Parsers/ASimAuthenticationAADSigninLogs.yaml
| SrcDvcOs = tostring(DeviceDetail.operatingSystem), | ||
| TargetUserIdType = 'AADID', | ||
| TargetUsernameType = 'UPN', | ||
| LogonMethod = coalesce(AuthenticationMethodsUsed, AuthenticationRequirement) |
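Review bot: In the `LogonMethod` line, `coalesce(AuthenticationMethodsUsed, AuthenticationRequirement)` falls back from a column naming the methods used to one naming the requirement, so the same output field can hold two different kinds of value depending on the row. Consider mapping both sources onto one documented set of values before assigning, or keeping the requirement in a separate field, so that a filter on LogonMethod means the same thing for every record.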
Just a comment: I am not happy with the fact that LogonMethod is not normalized. I assume it was requested by research, but if not normalized, how will it help them?
LogonMethod is an optional string, and not an enumeration. Perhaps you would want some enumerations enforced here..?
Normalized it, but we should look into updating the docs as well.
Makes sense. Can you summarize for me the changes I need to make?
@yummyblabla: one comment still open about the acting vs. target app.