
Commit 6c82ebb

Merge pull request #3315 from splunk/output_normalization_azure_ad
Output normalization azure ad detections
2 parents b99d558 + 34dc8eb commit 6c82ebb


71 files changed

+677
-402
lines changed


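--- a/data_sources/azure_active_directory.yml
+++ b/data_sources/azure_active_directory.yml
@@ -11,3 +11,9 @@ supported_TA:
 - name: Splunk Add-on for Microsoft Cloud Services
 url: https://splunkbase.splunk.com/app/3110
 version: 5.4.3
+output_fields:
+- dest
+- user
+- src
+- vendor_account
+- vendor_product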
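Review bot: The new `output_fields` list names the normalized fields this data source promises to detections, but nothing in the file says which raw Azure AD audit attributes populate them or what a detection should expect when an event is initiated by an application rather than a user. A short comment above the list, e.g. `# normalized fields detections may rely on; raw-attribute mapping lives in the TA's field extractions`, would stop a detection author from treating `src` or `user` as always populated. The mapping itself is presumably provided by the Splunk Add-on for Microsoft Cloud Services 5.4.3 pinned above; confirm the five names against that version's extractions before detections are rewritten to use them.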

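--- a/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml
+++ b/data_sources/azure_active_directory_add_app_role_assignment_to_service_principal.yml
@@ -118,3 +118,10 @@ example_log: '{"time": "2024-02-08T21:49:53.7643129Z", "resourceId": "/tenants/7
 "Mozilla/5.0 (Macintosh; Darwin 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20
 21:28:58 PST 2023; root:xnu-10002.81.5~7/RELEASE_X86_64; en-US) PowerShell/7.3.4"},
 {"key": "AppId", "value": "00000002-0000-0ff1-ce00-000000000000"}]}}'
+output_fields:
+- dest
+- user
+- src
+- vendor_account
+- vendor_product
+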
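Review bot: The added `output_fields` block ends with an extra blank line (new line 127), which none of the sibling data-source files in this commit add; drop it so the ten files stay uniform. Separately, the example event just above records an `AppId` in its additionalDetails alongside a PowerShell user agent, which suggests the actor for this log type can be an application identity rather than a person, so whether `user` resolves to a meaningful value here is worth confirming before a detection filters on it. The `example_log` string starts before this hunk, so the initiatedBy portion of the sample is not visible here.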
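--- a/data_sources/azure_active_directory_add_member_to_role.yml
+++ b/data_sources/azure_active_directory_add_member_to_role.yml
@@ -84,3 +84,9 @@ example_log:
 []}, {"id": "38bf5baf-7ec7-4bc2-8920-6d4044da12c2", "displayName": null, "type":
 "Role", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails":
 []}}'
+output_fields:
+- dest
+- user
+- src
+- vendor_account
+- vendor_product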

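--- a/data_sources/azure_active_directory_add_owner_to_application.yml
+++ b/data_sources/azure_active_directory_add_owner_to_application.yml
@@ -89,3 +89,9 @@ example_log:
 "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Darwin
 22.4.0 Darwin Kernel Version 22.4.0: Mon Mar 6 21:00:17 PST 2023; root:xnu-8796.101.5~3/RELEASE_X86_64;
 en-US) PowerShell/7.3.4"}]}}'
+output_fields:
+- dest
+- user
+- src
+- vendor_account
+- vendor_product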

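--- a/data_sources/azure_active_directory_add_service_principal.yml
+++ b/data_sources/azure_active_directory_add_service_principal.yml
@@ -87,3 +87,9 @@ example_log:
 "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value":
 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like
 Gecko) Chrome/121.0.0.0 Safari/537.36"}, {"key": "AppId", "value": "e06366ca-8489-4748-b6a2-d7e4332f45c1"}]}}'
+output_fields:
+- dest
+- user
+- src
+- vendor_account
+- vendor_product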

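--- a/data_sources/azure_active_directory_add_unverified_domain.yml
+++ b/data_sources/azure_active_directory_add_unverified_domain.yml
@@ -82,3 +82,9 @@ example_log:
 "newValue": "\"Name,LiveType\""}], "administrativeUnits": []}], "additionalDetails":
 [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"}]}}'
+output_fields:
+- dest
+- user
+- src
+- vendor_account
+- vendor_product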

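--- a/data_sources/azure_active_directory_consent_to_application.yml
+++ b/data_sources/azure_active_directory_consent_to_application.yml
@@ -97,3 +97,9 @@ example_log:
 null, "newValue": "\"Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException\""}],
 "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value":
 "EvoSTS"}, {"key": "AppId", "value": "96f6a3d6-d5aa-4af5-a77a-9319b5283712"}]}}'
+output_fields:
+- dest
+- user
+- src
+- vendor_account
+- vendor_product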

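--- a/data_sources/azure_active_directory_disable_strong_authentication.yml
+++ b/data_sources/azure_active_directory_disable_strong_authentication.yml
@@ -79,3 +79,9 @@ example_log:
 "newValue": "[]"}, {"displayName": "Included Updated Properties", "oldValue": null,
 "newValue": "\"StrongAuthenticationRequirement\""}], "administrativeUnits": []}],
 "additionalDetails": []}}'
+output_fields:
+- dest
+- user
+- src
+- vendor_account
+- vendor_product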

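--- a/data_sources/azure_active_directory_enable_account.yml
+++ b/data_sources/azure_active_directory_enable_account.yml
@@ -80,3 +80,9 @@ example_log:
 "newValue": "[true]"}, {"displayName": "Included Updated Properties", "oldValue":
 null, "newValue": "\"AccountEnabled\""}], "administrativeUnits": []}], "additionalDetails":
 []}}'
+output_fields:
+- dest
+- user
+- src
+- vendor_account
+- vendor_product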

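--- a/data_sources/azure_active_directory_invite_external_user.yml
+++ b/data_sources/azure_active_directory_invite_external_user.yml
@@ -81,3 +81,9 @@ example_log:
 {"key": "wids", "value": "62e90394-69f5-4237-9190-012177145e10"}, {"key": "InvitationId",
 "value": "65c7d12f-c6f3-44f0-8fad-4f57a1020484"}, {"key": "invitedUserEmailAddress",
 "value": "oops360@gmail.com"}]}}'
+output_fields:
+- dest
+- user
+- src
+- vendor_account
+- vendor_product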
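Review bot: For this log type the normalized `user` field is ambiguous in a way the other nine files are not: the sample event carries an `invitedUserEmailAddress` (the external invitee) in addition to whatever initiator the hidden part of the event holds, and the new `output_fields` list does not say which of the two `user` denotes. A detection that alerts on invitations from a compromised admin needs the inviter, while one that watches for invitations to consumer domains needs the invitee, so a one-line comment such as `# user: the inviting actor; the invitee is only available via invitedUserEmailAddress` (or the reverse, whichever the TA actually maps) would prevent a silent mismatch. The `example_log` string begins before this hunk, so the initiatedBy portion is not visible here; confirm the mapping against the add-on's extractions rather than this note.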
