updating example

patel-bhavin · patel-bhavin · commit 0bf1bac91808 · 2025-02-21T13:21:47.000-08:00
diff --git a/data_sources/aws_cloudtrail_describesnapshotattribute.yml b/data_sources/aws_cloudtrail_describesnapshotattribute.yml
@@ -12,5 +12,126 @@ supported_TA:
   url: https://splunkbase.splunk.com/app/1876
   version: 7.9.0
 fields:
+- action
+- app
+- authentication_method
+- awsRegion
+- aws_account_id
+- change_type
+- command
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- desc
+- dest
+- dest_ip_range
+- dest_port_range
+- direction
+- dvc
+- errorCode
+- errorMessage
+- eventCategory
+- eventID
+- eventName
+- eventSource
+- eventTime
+- eventType
+- eventVersion
+- eventtype
+- host
+- image_id
+- index
+- instance_type
+- linecount
+- managementEvent
+- msg
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- protocol
+- protocol_code
+- punct
+- readOnly
+- reason
+- recipientAccountId
+- region
+- requestID
+- requestParameters.attributeType
+- requestParameters.snapshotId
+- responseElements
+- result
+- result_id
+- rule_action
+- signature
+- source
+- sourceIPAddress
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_ip
+- src_ip_range
+- src_port_range
+- src_user
+- src_user_id
+- src_user_name
+- src_user_role
+- src_user_type
+- start_time
+- status
+- tag
+- tag::action
+- tag::app
+- tag::eventtype
+- tag::object_category
+- temp_access_key
+- timeendpos
+- timestartpos
+- tlsDetails.cipherSuite
+- tlsDetails.clientProvidedHostHeader
+- tlsDetails.tlsVersion
+- user
+- userAgent
+- userIdentity.accessKeyId
+- userIdentity.accountId
+- userIdentity.arn
+- userIdentity.principalId
+- userIdentity.sessionContext.attributes.creationDate
+- userIdentity.sessionContext.attributes.mfaAuthenticated
+- userIdentity.sessionContext.sessionIssuer.accountId
+- userIdentity.sessionContext.sessionIssuer.arn
+- userIdentity.sessionContext.sessionIssuer.principalId
+- userIdentity.sessionContext.sessionIssuer.type
+- userIdentity.sessionContext.sessionIssuer.userName
+- userIdentity.type
+- userName
+- user_access_key
+- user_agent
+- user_arn
+- user_group_id
+- user_id
+- user_name
+- user_role
+- user_type
+- vendor
+- vendor_account
+- vendor_product
+- vendor_region
+- _bkt
+- _cd
+- _eventtype_color
+- _indextime
+- _raw
+- _serial
+- _si
+- _sourcetype
 - _time
 example_log: |-
+ {"eventVersion": "1.10", "userIdentity": {"type": "AssumedRole", "principalId": "AROAYTOGP2RLBXYPYUKBH:aws-go-sdk-1740131590946446551", "arn": "arn:aws:sts::111111111111111:assumed-role/DAFTPUNK-cloud-security-audit/aws-go-sdk-1740131590946446551", "accountId": "111111111111111", "accessKeyId": "DAFTPUNK", "sessionContext": {"sessionIssuer": {"type": "Role", "principalId": "AROAYTOGP2RLBXYPYUKBH", "arn": "arn:aws:iam::111111111111111:role/DAFTPUNK-cloud-security-audit", "accountId": "111111111111111", "userName": "DAFTPUNK-cloud-security-audit"}, "attributes": {"creationDate": "2025-02-21T10:48:43Z", "mfaAuthenticated": "false"}}}, "eventTime": "2025-02-21T11:29:27Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeSnapshotAttribute", "awsRegion": "eu-central-1", "sourceIPAddress": "54.203.114.197", "userAgent": "m/E aws-sdk-go-v2/1.30.5 os/linux lang/go#1.22.4 md/GOOS#linux md/GOARCH#amd64 api/ec2#1.177.3", "requestParameters": {"snapshotId": "snap-082bd5016636bbd94", "attributeType": "PRODUCT_CODES"}, "responseElements": null, "requestID": "70339070-6038-40b7-9acf-5ecb85cda843", "eventID": "bcc65c3f-a997-4a01-90bf-3b85f7268e70", "readOnly": true, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256", "clientProvidedHostHeader": "ec2.eu-central-1.amazonaws.com"}}
diff --git a/data_sources/azure_active_directory_microsoftgraphactivitylogs.yml b/data_sources/azure_active_directory_microsoftgraphactivitylogs.yml
@@ -14,3 +14,4 @@ supported_TA:
 fields:
 - _time
 example_log: |-
+  {"time": "2024-04-30T01:22:46.4948958Z", "resourceId": "/TENANTS/225E05A1-5914-4688-A404-7030E60F3143/PROVIDERS/MICROSOFT.AADIAM", "operationName": "Microsoft Graph Activity", "operationVersion": "beta", "category": "MicrosoftGraphActivityLogs", "resultSignature": "200", "durationMs": "948894", "callerIpAddress": "45.83.145.6", "correlationId": "8fb849dd-2abe-4c3e-b202-d71af8d1555b", "level": "Informational", "location": "East US 2", "properties": {"__UDI_RequiredFields_TenantId": "225e05a1-5914-4688-a404-7030e60f3143", "__UDI_RequiredFields_UniqueId": "8fb849dd-2abe-4c3e-b202-d71af8d1555b", "__UDI_RequiredFields_EventTime": 638500369660000000, "__UDI_RequiredFields_RegionScope": "NA", "timeGenerated": "2024-04-30T01:22:46.4948958Z", "location": "East US 2", "requestId": "8fb849dd-2abe-4c3e-b202-d71af8d1555b", "operationId": "8fb849dd-2abe-4c3e-b202-d71af8d1555b", "clientRequestId": "8fb849dd-2abe-4c3e-b202-d71af8d1555b", "apiVersion": "beta", "requestMethod": "GET", "responseStatusCode": 200, "tenantId": "225e05a1-5914-4688-a404-7030e60f3143", "durationMs": 948894, "responseSizeBytes": 91, "signInActivityId": "KRsphQ_4s0-oHv_Br8qSAQ", "roles": "", "appId": "1950a258-227b-4e31-a9cf-717495945fc2", "UserPrincipalObjectID": "7b934539-7366-494e-a8ac-3517694d32db", "scopes": "AuditLog.Read.All Directory.AccessAsUser.All email openid profile", "identityProvider": "", "clientAuthMethod": "0", "wids": "b79fbf4d-3ef9-4689-8143-76b194e85509", "C_Idtyp": "user", "C_Iat": "1714439850", "ipAddress": "45.83.145.6", "userAgent": "azurehound/v2.1.8", "requestUri": "https://graph.microsoft.com/beta/servicePrincipals/ffe3e001-d8cf-43a4-89ab-bfce35fd7786/owners?%24top=999", "userId": "7b934539-7366-494e-a8ac-3517694d32db", "tokenIssuedAt": "2024-04-30T01:17:30.0000000Z"}, "tenantId": "225e05a1-5914-4688-a404-7030e60f3143"}
