Device details in the logs from JumpCloud to Sentinel are missing in random SSO event logs #11535
Comments
Hi @harishmenti, thanks for flagging this issue. We will investigate it and get back to you with updates. Thanks!
@harishmenti, I want to confirm: is this the path for the function app that has been configured? https://github.com/Azure/Azure-Sentinel/tree/5891abc456cd8cceb0b724a9f737b81aae67298a/DataConnectors/JumpCloud%20Single%20Sign%20On
And could you please share the logs with us, so we can understand the issue? Thanks!
Yes, that was the path for the function app that had been configured. I'm attaching the logs and highlighting the events where the device details and IP were not captured. Just a heads up: the device details and IP are missing in the “push_mfa_attempt_failed” events.
Best regards,
Harish Menti.
@harishmenti, I am not able to see the logs here. Could you please share them with this mail ID: v-sudkharat@microsoft.com
Please take a look at the logs in the attachments.
Best regards,
Harish Menti.
Hi Team,
We have integrated JumpCloud with Sentinel to forward all the logs to Sentinel using the function app with the code found in GitHub. We've been encountering a few logs with missing device details and IP addresses, leading to incident creation (as we have custom rules to compare IPs against device details). We contacted JumpCloud, and they stated it was not their responsibility to troubleshoot since the data connector was developed and managed by Azure.
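The incidents described in this issue come from a rule that compares the source IP against device details on every SSO record, so a record that arrives without those fields is treated as a mismatch. The script below is an added illustration (not code from this issue, from JumpCloud, or from the Azure-Sentinel connector) of how to measure that gap per event type and how to gate the comparison on field presence so that incomplete "push_mfa_attempt_failed" records are skipped rather than alerted on. The sample events are constructed, and the field names (event_type, client_ip, useragent, initiated_by) are assumptions for illustration, not the connector's verified schema.

```python
"""Gate an IP-vs-device comparison rule on field presence.

Added example; the event shape below is an assumption, not the JumpCloud
connector's verified schema.
"""
from collections import Counter

# Constructed sample records resembling JumpCloud SSO events after ingestion.
# Field names are assumed. Index 1 and 3 mimic the incomplete
# push_mfa_attempt_failed records reported in the issue.
SAMPLE_EVENTS = [
    {"event_type": "sso_auth", "initiated_by": {"username": "alice"},
     "client_ip": "203.0.113.10",
     "useragent": {"os": "Mac OS X", "browser": "Chrome"}},
    {"event_type": "push_mfa_attempt_failed",
     "initiated_by": {"username": "alice"}},
    {"event_type": "sso_auth", "initiated_by": {"username": "bob"},
     "client_ip": "198.51.100.7",
     "useragent": {"os": "Windows", "browser": "Edge"}},
    {"event_type": "push_mfa_attempt_failed",
     "initiated_by": {"username": "bob"}, "client_ip": "", "useragent": None},
    {"event_type": "sso_auth", "initiated_by": {"username": "alice"},
     "client_ip": "192.0.2.44",
     "useragent": {"os": "Mac OS X", "browser": "Chrome"}},
]

# Constructed baseline: per user, per device OS, the IPs previously seen.
KNOWN_DEVICES = {
    "alice": {"Mac OS X": {"203.0.113.10"}},
    "bob": {"Windows": {"198.51.100.7"}},
}

REQUIRED_FIELDS = ("client_ip", "useragent")


def missing_fields(event):
    """Return the required fields that are absent, None or empty."""
    return [f for f in REQUIRED_FIELDS if not event.get(f)]


def summarize_gaps(events):
    """Count incomplete records per event_type to see which types lose fields."""
    gaps = Counter()
    for event in events:
        if missing_fields(event):
            gaps[event.get("event_type", "unknown")] += 1
    return dict(gaps)


def evaluate(events, known_devices, skip_incomplete=True):
    """Run the IP-vs-device rule. Returns (alerted_indexes, skipped_indexes).

    skip_incomplete=True  : records lacking IP or device details are skipped.
    skip_incomplete=False : the naive rule, where an empty IP never matches a
                            known device, so every incomplete record alerts.
    """
    alerted, skipped = [], []
    for idx, event in enumerate(events):
        if missing_fields(event):
            (skipped if skip_incomplete else alerted).append(idx)
            continue
        user = event["initiated_by"]["username"]
        os_name = event["useragent"].get("os")
        seen_ips = known_devices.get(user, {}).get(os_name, set())
        if event["client_ip"] not in seen_ips:
            alerted.append(idx)
    return alerted, skipped


if __name__ == "__main__":
    print("incomplete records per event_type:", summarize_gaps(SAMPLE_EVENTS))
    print("naive rule   alerted/skipped:",
          evaluate(SAMPLE_EVENTS, KNOWN_DEVICES, skip_incomplete=False))
    print("guarded rule alerted/skipped:", evaluate(SAMPLE_EVENTS, KNOWN_DEVICES))
```

With the guard in place only the genuinely anomalous record (alice from an IP never seen with her device) alerts, while the two incomplete push_mfa_attempt_failed records are skipped; the naive variant alerts on all three. The per-event-type count is also a useful check to run against the ingested data to confirm that the gap is confined to one event type before the connector fix lands.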