
azure_ad_datadumper not working to create ADFS log file #56

A4M5 opened this issue Sep 13, 2023 · 1 comment

Comments


A4M5 commented Sep 13, 2023

🐛 Summary

ADFS log file has not been created for 2 days. I don't know whether this is due to the tool or a change in the Microsoft Graph API.

To reproduce

Version used: 1.2.5.

I tried these steps with the previous versions of UntitledGooseTool.

.conf:

[config]
tenant=*****
us_government=False
mde_gcc=False
mde_gcc_high=False
exo_us_government=False
subscriptionid=All
m365=True

[filters]
date_start=2023-09-12
date_end=2023-09-13

[azure]
activity_log=False
alerts=False
all_azure_subscriptions=False
all_resources=False
assessments=False
bastion_logs=False
compliance=False
container_config=False
diagnostic_settings=False
file_shares=False
key_vault_log=False
network=False
nsg_flow_logs=False
portal_alerts=False
portal_defendersettings=False
portal_pcap=False
portal_sensors=False
security_center=False
storage_accounts=False
vm_config=False

[azuread]
applications=True
azuread_audit=True
azuread_provisioning=True
conditional_access=True
devices=True
directory_roles=True
groups=True
identity_provider=True
organization=True
policies=True
risk_detections=True
risky_objects=True
security=True
service_principals=True
signins_adfs=True
signins_msi=True
signins_rt=True
signins_sp=True
summaries=True
users=True

[m365]
exo_addins=False
exo_groups=False
exo_inboxrules=False
exo_mailbox=False
powershell_calls=False
ual=False

[mde]
advanced_hunting_query=False
advanced_identity_hunting_query=False
alerts=False
indicators=False
investigations=False
library_files=False
machine_vulns=False
machines=False
recommendations=False
software=False

[msgtrc]
setemailaddress=
direction=
notifyaddress=
originalclientip=
recipientaddress=
reporttitle=
reporttype=
senderaddress=

signins_adfs is set to True.

goosey honk:

2023-09-13 15:15:32,136 - honk - INFO - Reading in auth: .auth (honk.py:246)
2023-09-13 15:15:32,137 - honk - INFO - Reading in authfile: .ugt_auth (honk.py:275)
2023-09-13 15:15:32,138 - honk - INFO - Goosey beginning to honk. (honk.py:296)
2023-09-13 15:15:32,143 - azure_ad_datadumper - INFO - Getting AzureAD provisioning logs... (azure_ad_datadumper.py:306)
2023-09-13 15:15:32,201 - azure_ad_datadumper - INFO - msi signin dump save state file found. Continuing from last checkpoint. (azure_ad_datadumper.py:77)
2023-09-13 15:15:32,202 - azure_ad_datadumper - INFO - Finished dumping signin logs for source: msi (azure_ad_datadumper.py:165)
2023-09-13 15:15:32,203 - utils - INFO - Dumping applications information... (utils.py:322)
2023-09-13 15:15:32,203 - utils - INFO - Dumping microsoft.graph.application information... (utils.py:322)
2023-09-13 15:15:32,203 - utils - INFO - Dumping appConsentRequests information... (utils.py:322)
2023-09-13 15:15:32,205 - utils - INFO - Dumping authenticationContextClassReferences information... (utils.py:322)
2023-09-13 15:15:32,205 - utils - INFO - Dumping namedLocations information... (utils.py:322)
2023-09-13 15:15:32,206 - utils - INFO - Dumping policies information... (utils.py:322)
2023-09-13 15:15:32,206 - utils - INFO - Dumping devices information... (utils.py:322)
2023-09-13 15:15:32,207 - utils - INFO - Dumping directoryRoles information... (utils.py:322)
2023-09-13 15:15:32,207 - utils - INFO - Dumping roleDefinitions information... (utils.py:322)
2023-09-13 15:15:32,207 - utils - INFO - Dumping roleAssignmentSchedules information... (utils.py:322)
2023-09-13 15:15:32,207 - utils - INFO - Dumping roleEligibilitySchedules information... (utils.py:322)
2023-09-13 15:15:32,208 - utils - INFO - Dumping roleEligibilityScheduleInstances information... (utils.py:322)
2023-09-13 15:15:32,208 - utils - INFO - Dumping groups information... (utils.py:322)
2023-09-13 15:15:32,209 - utils - INFO - Dumping microsoft.graph.group information... (utils.py:322)
2023-09-13 15:15:32,209 - utils - INFO - Dumping identityProviders information... (utils.py:322)
2023-09-13 15:15:32,210 - utils - INFO - Dumping availableProviderTypes information... (utils.py:322)
2023-09-13 15:15:32,210 - utils - INFO - Dumping apiConnectors information... (utils.py:322)
2023-09-13 15:15:32,210 - utils - INFO - Dumping directorySettingTemplates information... (utils.py:322)
2023-09-13 15:15:32,211 - utils - INFO - Dumping graph.samlOrWsFedExternalDomainFederation information... (utils.py:322)
2023-09-13 15:15:32,211 - utils - INFO - Dumping domains information... (utils.py:322)
2023-09-13 15:15:32,211 - utils - INFO - Dumping organization information... (utils.py:322)
2023-09-13 15:15:32,211 - utils - INFO - Dumping subscribedSkus information... (utils.py:322)
2023-09-13 15:15:32,212 - utils - INFO - Dumping continuousAccessEvaluationPolicy information... (utils.py:322)
2023-09-13 15:15:32,212 - utils - INFO - Dumping onSignupStart information... (utils.py:322)
2023-09-13 15:15:32,212 - utils - INFO - Dumping activityBasedTimeoutPolicies information... (utils.py:322)
2023-09-13 15:15:32,213 - utils - INFO - Dumping defaultAppManagementPolicy information... (utils.py:322)
2023-09-13 15:15:32,213 - utils - INFO - Dumping tokenLifetimePolicies information... (utils.py:322)
2023-09-13 15:15:32,213 - utils - INFO - Dumping tokenIssuancePolicies information... (utils.py:322)
2023-09-13 15:15:32,213 - utils - INFO - Dumping authenticationFlowsPolicy information... (utils.py:322)
2023-09-13 15:15:32,214 - utils - INFO - Dumping authenticationMethodsPolicy information... (utils.py:322)
2023-09-13 15:15:32,214 - utils - INFO - Dumping authorizationPolicy information... (utils.py:322)
2023-09-13 15:15:32,214 - utils - INFO - Dumping claimsMappingPolicies information... (utils.py:322)
2023-09-13 15:15:32,214 - utils - INFO - Dumping homeRealmDiscoveryPolicies information... (utils.py:322)
2023-09-13 15:15:32,215 - utils - INFO - Dumping permissionGrantPolicies information... (utils.py:322)
2023-09-13 15:15:32,215 - utils - INFO - Dumping identitySecurityDefaultsEnforcementPolicy information... (utils.py:322)
2023-09-13 15:15:32,215 - utils - INFO - Dumping accessReviewPolicy information... (utils.py:322)
2023-09-13 15:15:32,216 - utils - INFO - Dumping adminConsentRequestPolicy information... (utils.py:322)
2023-09-13 15:15:32,216 - utils - INFO - Dumping riskDetections information... (utils.py:322)
2023-09-13 15:15:32,216 - utils - INFO - Dumping servicePrincipalRiskDetections information... (utils.py:322)
2023-09-13 15:15:32,216 - utils - INFO - Dumping riskyUsers information... (utils.py:322)
2023-09-13 15:15:32,217 - utils - INFO - Dumping riskyServicePrincipals information... (utils.py:322)
2023-09-13 15:15:32,217 - utils - INFO - Dumping securityActions information... (utils.py:322)
2023-09-13 15:15:32,218 - utils - INFO - Dumping alerts information... (utils.py:322)
2023-09-13 15:15:32,218 - utils - INFO - Dumping secureScores information... (utils.py:322)
2023-09-13 15:15:32,218 - utils - INFO - Dumping servicePrincipals information... (utils.py:322)
2023-09-13 15:15:32,221 - utils - INFO - Dumping getRelyingPartyDetailedSummary(period='D30') information... (utils.py:322)
2023-09-13 15:15:32,221 - utils - INFO - Dumping getAzureADApplicationSignInSummary(period='D30') information... (utils.py:322)
2023-09-13 15:15:32,222 - utils - INFO - Dumping applicationSignInDetailedSummary information... (utils.py:322)
2023-09-13 15:15:32,222 - utils - INFO - Dumping getCredentialUsageSummary(period='D30') information... (utils.py:322)
2023-09-13 15:15:32,222 - utils - INFO - Dumping getCredentialUserRegistrationCount information... (utils.py:322)
2023-09-13 15:15:32,223 - utils - INFO - Dumping credentialUserRegistrationDetails information... (utils.py:322)
2023-09-13 15:15:32,223 - utils - INFO - Dumping userCredentialUsageDetails information... (utils.py:322)
2023-09-13 15:15:32,223 - utils - INFO - Dumping users information... (utils.py:322)
2023-09-13 15:15:32,223 - utils - INFO - Dumping contacts information... (utils.py:322)
2023-09-13 15:15:32,224 - utils - INFO - Dumping oauth2PermissionGrants information... (utils.py:322)
2023-09-13 15:15:32,224 - utils - INFO - Dumping microsoft.graph.user information... (utils.py:322)
2023-09-13 15:15:32,494 - utils - INFO - Finished dumping domains information. (utils.py:380)
2023-09-13 15:15:32,495 - utils - INFO - Finished dumping homeRealmDiscoveryPolicies information. (utils.py:380)
2023-09-13 15:15:32,495 - utils - INFO - Finished dumping riskyUsers information. (utils.py:380)
2023-09-13 15:15:32,495 - utils - INFO - Finished dumping riskyServicePrincipals information. (utils.py:380)
2023-09-13 15:15:32,501 - utils - INFO - Finished dumping tokenIssuancePolicies information. (utils.py:380)
2023-09-13 15:15:32,502 - utils - INFO - Finished dumping activityBasedTimeoutPolicies information. (utils.py:380)
2023-09-13 15:15:32,502 - utils - INFO - Finished dumping servicePrincipalRiskDetections information. (utils.py:380)
2023-09-13 15:15:32,502 - utils - INFO - Finished dumping claimsMappingPolicies information. (utils.py:380)
2023-09-13 15:15:32,503 - utils - INFO - Finished dumping tokenLifetimePolicies information. (utils.py:380)
2023-09-13 15:15:32,510 - utils - INFO - Finished dumping authorizationPolicy information. (utils.py:380)
2023-09-13 15:15:32,515 - utils - INFO - Finished dumping authenticationContextClassReferences information. (utils.py:380)
2023-09-13 15:15:32,520 - azure_ad_datadumper - INFO - Dumping domains federationConfiguration information... (azure_ad_datadumper.py:389)
2023-09-13 15:15:32,528 - utils - INFO - Finished dumping defaultAppManagementPolicy information. (utils.py:380)
2023-09-13 15:15:32,541 - utils - INFO - Finished dumping microsoft.graph.application information. (utils.py:380)
2023-09-13 15:15:32,549 - utils - INFO - Finished dumping contacts information. (utils.py:380)
2023-09-13 15:15:32,553 - azure_ad_datadumper - INFO - Dumping directoryRoles members information... (azure_ad_datadumper.py:389)
2023-09-13 15:15:32,554 - utils - INFO - Finished dumping directorySettingTemplates information. (utils.py:380)
2023-09-13 15:15:32,556 - utils - INFO - Finished dumping identitySecurityDefaultsEnforcementPolicy information. (utils.py:380)
2023-09-13 15:15:32,582 - utils - INFO - Finished dumping permissionGrantPolicies information. (utils.py:380)
2023-09-13 15:15:32,591 - utils - INFO - Finished dumping organization information. (utils.py:380)
2023-09-13 15:15:32,599 - utils - INFO - Finished dumping policies information. (utils.py:380)
2023-09-13 15:15:32,613 - utils - INFO - Finished dumping applications information. (utils.py:380)
2023-09-13 15:15:32,615 - azure_ad_datadumper - INFO - Dumping applications tokenLifetimePolicies information... (azure_ad_datadumper.py:389)
2023-09-13 15:15:32,616 - azure_ad_datadumper - INFO - Dumping applications extensionProperties information... (azure_ad_datadumper.py:389)
2023-09-13 15:15:32,617 - utils - INFO - Finished dumping namedLocations information. (utils.py:380)
2023-09-13 15:15:32,620 - azure_ad_datadumper - INFO - Dumping applications tokenIssuancePolicies information... (azure_ad_datadumper.py:389)
2023-09-13 15:15:32,624 - utils - INFO - Finished dumping continuousAccessEvaluationPolicy information. (utils.py:380)
2023-09-13 15:15:32,646 - utils - INFO - Finished dumping directoryRoles information. (utils.py:380)
2023-09-13 15:15:32,647 - azure_ad_datadumper - INFO - Dumping applications federatedIdentityCredentials information... (azure_ad_datadumper.py:389)
2023-09-13 15:15:32,662 - azure_ad_datadumper - INFO - Dumping applications owners information... (azure_ad_datadumper.py:389)
2023-09-13 15:15:32,664 - utils - INFO - Finished dumping authenticationMethodsPolicy information. (utils.py:380)
2023-09-13 15:15:32,683 - utils - INFO - Finished dumping securityActions information. (utils.py:380)
2023-09-13 15:15:32,683 - utils - INFO - Finished dumping onSignupStart information. (utils.py:380)
2023-09-13 15:15:32,691 - utils - INFO - Finished dumping microsoft.graph.group information. (utils.py:380)
2023-09-13 15:15:32,701 - utils - INFO - Finished dumping roleDefinitions information. (utils.py:380)
2023-09-13 15:15:32,701 - utils - INFO - Finished dumping authenticationFlowsPolicy information. (utils.py:380)
2023-09-13 15:15:32,703 - utils - INFO - Finished dumping appConsentRequests information. (utils.py:380)

Only the msi log file is generated.

./output/azuread/adfs is empty.
./output/azuread/msi contains msi_signin_log_2023-09-12.json
./output/azuread/azure_audit_logs is empty.
./output/azuread/rt is empty.
./output/azuread/sp is empty.

The other files were generated in spite of everything:
(screenshot attached)

I remain available should you require any further information.
Thank you very much.

@clairecasalnova-cisa

Thanks for bringing this to our attention! The date filters are currently causing issues. If you would like to get the ADFS sign in log, please remove the date filters and try running it again. The next release of the tool will provide the update to fix the date filters.
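An added check for the failure mode discussed in this thread (example code, not part of UntitledGooseTool): it parses the INI-style .conf shown in the issue, lists the [azuread] sign-in sources that are switched on, reports which of them left their output directory under ./output/azuread empty, and can strip the [filters] date bounds that the maintainer identifies as the cause in this version. The directory names (adfs, msi, rt, sp, azure_audit_logs) are the ones listed in the issue; pairing each config key with a directory is an assumption made here, and the embedded .conf is a constructed, abridged copy of the one posted above.

```python
"""Sanity-check a goosey .conf against its output tree (added example)."""
import configparser
import io
import os
import tempfile

# Config key -> sub-directory under <output>/azuread. Directory names come
# from the issue; the key-to-directory pairing is an assumption for this
# example, not taken from the tool's source.
SIGNIN_SOURCES = {
    "signins_adfs": "adfs",
    "signins_msi": "msi",
    "signins_rt": "rt",
    "signins_sp": "sp",
    "azuread_audit": "azure_audit_logs",
}

# Constructed, abridged version of the .conf posted in the issue.
SAMPLE_CONF = """[config]
tenant=*****
m365=True

[filters]
date_start=2023-09-12
date_end=2023-09-13

[azuread]
azuread_audit=True
signins_adfs=True
signins_msi=True
signins_rt=True
signins_sp=True
users=True
"""


def parse_conf(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def enabled_sources(cp):
    """Sign-in sources switched on in [azuread]."""
    return [k for k in SIGNIN_SOURCES
            if cp.getboolean("azuread", k, fallback=False)]


def date_filters(cp):
    """(date_start, date_end) from [filters]; empty strings when unset."""
    return (cp.get("filters", "date_start", fallback="").strip(),
            cp.get("filters", "date_end", fallback="").strip())


def missing_outputs(cp, output_root):
    """Enabled sources whose output directory holds no .json dump."""
    missing = []
    for key in enabled_sources(cp):
        d = os.path.join(output_root, "azuread", SIGNIN_SOURCES[key])
        dumps = [f for f in os.listdir(d) if f.endswith(".json")] if os.path.isdir(d) else []
        if not dumps:
            missing.append(key)
    return missing


def strip_date_filters(text):
    """Return the .conf with date_start/date_end removed, i.e. the
    workaround the maintainer suggests for this version."""
    cp = parse_conf(text)
    if cp.has_section("filters"):
        for opt in ("date_start", "date_end"):
            cp.remove_option("filters", opt)
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def audit(text, output_root):
    cp = parse_conf(text)
    start, end = date_filters(cp)
    return {
        "enabled": enabled_sources(cp),
        "missing": missing_outputs(cp, output_root),
        "date_filtered": bool(start or end),
    }


def demo():
    """Recreate the issue's output tree: only msi produced a file."""
    with tempfile.TemporaryDirectory() as root:
        for d in SIGNIN_SOURCES.values():
            os.makedirs(os.path.join(root, "azuread", d))
        with open(os.path.join(root, "azuread", "msi",
                               "msi_signin_log_2023-09-12.json"), "w") as fh:
            fh.write("[]")  # constructed placeholder dump
        before = audit(SAMPLE_CONF, root)
        after = audit(strip_date_filters(SAMPLE_CONF), root)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("date filters set:", before["date_filtered"], "->", after["date_filtered"])
    print("enabled sources with no dump:", before["missing"])
```

Run it against a real collection by pointing audit() at the .conf text and the output root; any enabled source listed under "missing" after a completed honk deserves a second look, and "date_filtered" being True on 1.2.5 is the condition the maintainer's reply describes.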
