IAintShootinMis on Nostr: Gonna write this up better later. But thanks to npub1tnm9d…fm9wq , we found a fluke ...
Gonna write this up better later. But thanks to npub1tnm9dfu5a5gk6v5dwkf2tmeend7m6vgvaq7ccvxs3697yaanpnaq5fm9wq, we found a fluke in Microsoft's SignonLogs table. Sometime in the last few days they made UserPrincipalName case sensitive.
So our alerts looking for breakglassadmin@CompanyName.onmicrosoft.com started failing because we were using (==) instead of (has).
Would highly recommend you check your alerting and see which operands you're using in your queries.
#InfoSec #threatintel #Logging
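A Microsoft Sentinel / Log Analytics query showing the operator pitfall the post describes, added here as an example and not taken from the original post. It assumes the `SigninLogs` table (the post writes it as SignonLogs) and a constructed break-glass account name; both are assumptions to adjust for your tenant.

```kql
// Added example (not from the original post). Assumes the Sentinel SigninLogs table
// and a constructed account name; replace both with your own values.
let breakglass = "breakglassadmin@CompanyName.onmicrosoft.com";
SigninLogs
| where TimeGenerated > ago(30d)
// Broken form: '==' is a case-sensitive string comparison in KQL, so a row whose
// UserPrincipalName is logged as "BreakGlassAdmin@CompanyName.onmicrosoft.com"
// silently fails to match and the alert never fires.
// | where UserPrincipalName == breakglass
// Hardened form: '=~' is case-insensitive equality on the whole value. 'has' (the
// post's fix) is also case-insensitive, but it is a term match rather than a
// comparison of the full value, so '=~' is the closer drop-in replacement for '=='.
| where UserPrincipalName =~ breakglass
// Check: list every case variant of the account that actually appears in the logs
// and when each was first and last seen. More than one row means the data source
// changed casing, which is exactly what broke the '==' rule.
| summarize Events = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by UserPrincipalName
| order by FirstSeen asc
```

For the alert itself, replace the `summarize` and `order by` lines with `| project TimeGenerated, UserPrincipalName, IPAddress, ResultType, AppDisplayName` and keep the `=~` filter.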
Published at 2023-10-26 23:09:41