fixing up yamls for testing

Author: patel-bhavin

detections/cloud/azure_ad_azurehound_useragent_detected.yml

@@ -21,6 +21,15 @@ references:
 - https://github.com/SpecterOps/AzureHound
 - https://splunkbase.splunk.com/app/3110
 - https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - Azure Active Directory Privilege Escalation
@@ -33,16 +42,16 @@ tags:
   - T1087.004
   - T1526
   observable:
-  - name: src
-    type: IP Address
-    role:
-    - Attacker
   - name: user
     type: User
     role:
+    - Victim
+  - name: src
+    type: IP Address
+    role:
     - Attacker
   - name: user_agent
-    type: User Agent
+    type: Other
     role:
     - Attacker
   product:
@@ -61,3 +70,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/azurehound/azurehound.log
     sourcetype: azure:monitor:aad
+    source: Azure AD

detections/cloud/azure_ad_service_principal_enumeration.yml

@@ -26,6 +26,15 @@ references:
 - https://github.com/dirkjanm/ROADtools
 - https://splunkbase.splunk.com/app/3110
 - https://docs.splunk.com/Documentation/AddOns/released/MSCloudServices/Install
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search  user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - Azure Active Directory Privilege Escalation
@@ -45,9 +54,9 @@ tags:
   - name: user
     type: User
     role:
-    - Attacker
+    - Victim
   - name: user_agent
-    type: User Agent
+    type: Other
     role:
     - Attacker
   product:
@@ -66,3 +75,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.004/azurehound/azurehound.log
     sourcetype: azure:monitor:aad
+    source: Azure AD

detections/cloud/azure_ad_service_principal_privilege_escalation.yml

@@ -26,6 +26,15 @@ references:
 - https://github.com/mvelazc0/BadZure
 - https://www.splunk.com/en_us/blog/security/hunting-m365-invaders-navigating-the-shadows-of-midnight-blizzard.html
 - https://posts.specterops.io/microsoft-breach-what-happened-what-should-azure-admins-do-da2b7e674ebc
+drilldown_searches:
+- name: View the detection results for - "$servicePrincipal$"
+  search: '%original_detection_search% | search  servicePrincipal = "$servicePrincipal$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$servicePrincipal$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$servicePrincipal$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - Azure Active Directory Privilege Escalation
@@ -40,9 +49,9 @@ tags:
   - name: servicePrincipal
     type: User
     role:
-    - Attacker
+    - Victim
   - name: user_agent
-    type: User Agent
+    type: Other
     role:
     - Attacker
   product:
@@ -68,3 +77,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_spn_privesc/azure_ad_spn_privesc.log
     sourcetype: azure:monitor:aad
+    source: Azure AD

detections/cloud/microsoft_intune_device_health_scripts.yml

@@ -40,11 +40,11 @@ tags:
   - name: user
     type: User
     role:
-    - Attacker
+    - Victim
   - name: TargetObjectId
-    type: TargetObjectId
+    type: Other
     role:
-    - Object
+    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
@@ -59,4 +59,5 @@ tests:
 - name: True Positive Test
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1072/intune/intune.log
-    sourcetype: azure:monitor:activity
+    sourcetype: azure:monitor:activity
+    source: Azure AD

detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml

@@ -43,11 +43,11 @@ tags:
   - name: user
     type: User
     role:
-    - Attacker
+    - Victim
   - name: TargetObjectId
-    type: TargetObjectId
+    type: Other
     role:
-    - Object
+    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
@@ -63,3 +63,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1072/intune/intune.log
     sourcetype: azure:monitor:activity
+    source: Azure AD

detections/cloud/microsoft_intune_manual_device_management.yml

@@ -41,11 +41,11 @@ tags:
   - name: user
     type: User
     role:
-    - Attacker
+    - Victim
   - name: TargetObjectId
-    type: TargetObjectId
+    type: Other
     role:
-    - Object
+    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
@@ -61,3 +61,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1072/intune/intune.log
     sourcetype: azure:monitor:activity
+    source: Azure AD

detections/cloud/microsoft_intune_mobile_apps.yml

@@ -42,9 +42,9 @@ tags:
     role:
     - Attacker
   - name: TargetObjectId
-    type: TargetObjectId
+    type: Other
     role:
-    - Object
+    - Attacker
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
@@ -60,3 +60,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1072/intune/intune.log
     sourcetype: azure:monitor:activity
+    source: Azure AD

detections/cloud/o365_service_principal_privilege_escalation.yml

@@ -15,14 +15,23 @@ search: >-
   | spath input=targetServicePrincipal path=NewValue output=targetServicePrincipal
   | where servicePrincipal=targetServicePrincipal
   | table _time Operation servicePrincipal servicePrincipalId appRole targetAppContext user_agent tenant_id InterSystemsId
-  | `o365_service_principal_privilege_escalation_filter
+  | `o365_service_principal_privilege_escalation_filter`
 how_to_implement: The Splunk Add-on for Microsoft Office 365 add-on is required to ingest EntraID audit logs via the 365 API. See references for links for further details on how to onboard this log source. 
 known_false_positives: Unknown
 references:
 - https://splunkbase.splunk.com/app/4055
 - https://github.com/mvelazc0/BadZure
 - https://www.splunk.com/en_us/blog/security/hunting-m365-invaders-navigating-the-shadows-of-midnight-blizzard.html
 - https://posts.specterops.io/microsoft-breach-what-happened-what-should-azure-admins-do-da2b7e674ebc
+drilldown_searches:
+- name: View the detection results for - "$servicePrincipal$"
+  search: '%original_detection_search% | search  servicePrincipal = "$servicePrincipal$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$servicePrincipal$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$servicePrincipal$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 tags:
   analytic_story:
   - Azure Active Directory Privilege Escalation
@@ -38,9 +47,9 @@ tags:
   - name: servicePrincipal
     type: User
     role:
-    - Attacker
+    - Victim
   - name: user_agent
-    type: User Agent
+    type: Other
     role:
     - Attacker
   product:
@@ -63,3 +72,4 @@ tests:
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/o365_spn_privesc/o365_spn_privesc.log
     sourcetype: o365:management:activity
+    source: Office 365