Azure AD Multi-Source Failed Authentications Spike - Missing ADFSSignInLogs category
atgithub11 opened this issue
For sign-in activity from ADFS, the category is ADFSSignInLogs. This correlation would miss those events due to category=SignInLogs.
I would recommend either including ADFS, e.g. category IN (SignInLogs, ADFSSignInLogs), or using a wildcard such as category=*SignInLogs (in case there are other types of sign-in logs with similar events).
Also, for the filter, I think uniqueUserAgents = 1 should be removed (or changed to look for >=1). These strings can easily be scripted to change on the fly for every attempt, and those instances would be missed with this constraint.
Thanks
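To make the two gaps concrete, here is an added example (not the Splunk search itself, and not from the issue author) that runs a handful of constructed sign-in events through a model of the filter. Field names, the threshold of 5 sources and the sample values are assumptions; the `categories` and `single_user_agent_only` parameters stand in for the `category=...` and `uniqueUserAgents = 1` clauses.

```python
"""Model of the category / user-agent filters discussed in the issue.

Added example, not the Splunk detection: constructed Azure AD sign-in
events (hypothetical field names) are run through two variants of the
filter so the gap is visible. Many source IPs failing against one
account stand in for the 'spike' the search looks for.
"""
from collections import defaultdict

# Constructed sample events; a real export carries many more fields.
EVENTS = [
    # Cloud-native failures: one user, several sources, one user agent.
    *[{"category": "SignInLogs", "user": "alice", "src": f"203.0.113.{i}",
       "ua": "python-requests/2.31", "result": "failure"} for i in range(1, 6)],
    # Same pattern, but federated through ADFS (different category).
    *[{"category": "ADFSSignInLogs", "user": "bob", "src": f"198.51.100.{i}",
       "ua": "python-requests/2.31", "result": "failure"} for i in range(1, 6)],
    # Cloud-native, but the user agent differs on every attempt.
    *[{"category": "SignInLogs", "user": "carol", "src": f"192.0.2.{i}",
       "ua": f"Mozilla/5.0 (rev {i})", "result": "failure"} for i in range(1, 6)],
]

MIN_SOURCES = 5  # hypothetical threshold for a "spike"


def flagged_users(events, categories, single_user_agent_only):
    """Return the set of users whose failed sign-ins cross the threshold.

    categories: the category values the search keeps (the category= clause).
    single_user_agent_only: mimic the `uniqueUserAgents = 1` constraint.
    """
    per_user = defaultdict(lambda: {"src": set(), "ua": set()})
    for e in events:
        if e["result"] != "failure" or e["category"] not in categories:
            continue
        per_user[e["user"]]["src"].add(e["src"])
        per_user[e["user"]]["ua"].add(e["ua"])
    hits = set()
    for user, agg in per_user.items():
        if len(agg["src"]) < MIN_SOURCES:
            continue
        if single_user_agent_only and len(agg["ua"]) != 1:
            continue
        hits.add(user)
    return hits


# Filter as reported in the issue: SignInLogs only, exactly one user agent.
STRICT = flagged_users(EVENTS, {"SignInLogs"}, True)  # {'alice'}
# Filter with both suggestions applied: ADFS included, user-agent count ignored.
BROAD = flagged_users(EVENTS, {"SignInLogs", "ADFSSignInLogs"}, False)  # {'alice', 'bob', 'carol'}
```

Applying only the category change still drops carol, which is why the user-agent constraint is raised as a separate point.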