udpating SPL

patel-bhavin · patel-bhavin · commit b97cf5714e60 · 2025-01-07T13:14:24.000-08:00
diff --git a/detections/cloud/azure_ad_azurehound_useragent_detected.yml b/detections/cloud/azure_ad_azurehound_useragent_detected.yml
@@ -2,17 +2,18 @@ name: Azure AD AzureHound UserAgent Detected
 id: d62852db-a1f1-40db-a7fc-c3d56fa8bda3
 version: 1
 date: '2025-01-06'
-author: Dean Luxton
+author: Dean Luxton 
 data_sources:
 - Azure Active Directory NonInteractiveUserSignInLogs
 - Azure Active Directory MicrosoftGraphActivityLogs
 type: TTP
 status: production
-description: This detection looks for the default AzureHound useragent string within Graph Activity logs and NonInteractive SignIn Logs. 
+description: This detection identifies the presence of the default AzureHound user-agent string within Microsoft Graph Activity logs and NonInteractive SignIn Logs. AzureHound is a tool used for gathering information about Azure Active Directory environments, often employed by security professionals for legitimate auditing purposes. However, it can also be leveraged by malicious actors to perform reconnaissance activities, mapping out the Azure AD infrastructure to identify potential vulnerabilities and targets for further exploitation. Detecting its usage can help in identifying unauthorized access attempts and preemptively mitigating potential security threats to your Azure environment.
 search: >-
-  `azure_monitor_aad` category IN (MicrosoftGraphActivityLogs, NonInteractiveUserSignInLogs) properties.userAgent=azurehound*
-  | eval createdDateTime=strptime('properties.createdDateTime',"%Y-%m-%dT%H:%M:%S.%7Q%z")
-  | stats min(createdDateTime) as _time values(user_agent) as user_agent values(user) as user count values(src_category) as src_category by src tenantId
+ `azure_monitor_aad` category IN (MicrosoftGraphActivityLogs, NonInteractiveUserSignInLogs) properties.userAgent=azurehound* 
+  | stats  count min(_time) as firstTime max(_time) as lastTime values(properties.userAgent) as user_agent values(properties.userId) as user values(src_category) as src_category by src tenantId 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
   | iplocation src
   | `azure_ad_azurehound_useragent_detected_filter`
 how_to_implement: The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest NonInteractiveUserSignInLogs and MicrosoftGraphActivityLogs via an Azure EventHub. See reference for links for further details. 
