Commit ff5a16b

updating data sources
1 parent d64e5c9 commit ff5a16b

5 files changed: +104 -4 lines changed
Lines changed: 96 additions & 0 deletions
@@ -0,0 +1,96 @@
1+
name: Azure Monitor Activity
2+
id: 1997a515-a61a-4f78-ada9-54af34c764f2
3+
version: 1
4+
date: '2025-01-13'
5+
author: Bhavin Patel, Splunk
6+
description: Data source object for Azure Monitor Activity. The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub. To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic settings & send events to the activity audit event hub.
7+
source: Azure AD
8+
sourcetype: azure:monitor:activity
9+
separator: operationName
10+
supported_TA:
11+
- name: Splunk Add-on for Microsoft Cloud Services
12+
url: https://splunkbase.splunk.com/app/3110
13+
version: 5.4.1
14+
fields:
15+
- column
16+
- action
17+
- category
18+
- change_type
19+
- command
20+
- correlationId
21+
- dataset_name
22+
- date_hour
23+
- date_mday
24+
- date_minute
25+
- date_month
26+
- date_second
27+
- date_wday
28+
- date_year
29+
- date_zone
30+
- dest
31+
- dvc
32+
- eventtype
33+
- host
34+
- identity
35+
- image_id
36+
- index
37+
- instance_type
38+
- linecount
39+
- object
40+
- object_attrs
41+
- object_category
42+
- object_id
43+
- object_path
44+
- operationName
45+
- properties.ActivityDate
46+
- properties.ActivityResultStatus
47+
- properties.ActivityType
48+
- properties.Actor.ActorType
49+
- properties.Actor.Application
50+
- properties.Actor.ApplicationName
51+
- properties.Actor.IsDelegatedAdmin
52+
- properties.Actor.Name
53+
- properties.Actor.ObjectId
54+
- properties.Actor.PartnerTenantId
55+
- properties.Actor.UPN
56+
- properties.Actor.UserPermissions{}
57+
- properties.AdditionalDetails
58+
- properties.AuditEventId
59+
- properties.Category
60+
- properties.RelationId
61+
- properties.TargetDisplayNames{}
62+
- properties.TargetObjectIds{}
63+
- properties.Targets{}.ModifiedProperties{}.Name
64+
- properties.Targets{}.ModifiedProperties{}.New
65+
- properties.Targets{}.ModifiedProperties{}.Old
66+
- properties.Targets{}.Name
67+
- punct
68+
- resourceId
69+
- resource_provider
70+
- response_body
71+
- result
72+
- resultDescription
73+
- resultType
74+
- result_id
75+
- source
76+
- sourcetype
77+
- splunk_server
78+
- splunk_server_group
79+
- src
80+
- status
81+
- tag
82+
- tag::action
83+
- tag::eventtype
84+
- tag::object_category
85+
- tenantId
86+
- time
87+
- timeendpos
88+
- timestartpos
89+
- user
90+
- user_name
91+
- user_type
92+
- vendor_account
93+
- vendor_product
94+
- vendor_region
95+
- _time
96+
example_log: '{"time": "2024-04-29T13:30:28.8622000Z", "tenantId": "26db52ee-c1b5-4c96-a0d4-129e25dc0388", "category": "AuditLogs", "operationName": "createDeviceHealthScript DeviceHealthScript", "properties": {"ActivityDate": "4/29/2024 1:30:28 PM", "ActivityResultStatus": 1, "ActivityType": 0, "Actor": {"ActorType": 1, "Application": "5926fc8e-304e-4f59-8bed-58ca97cc39a4", "ApplicationName": "Microsoft Intune portal extension", "IsDelegatedAdmin": false, "Name": null, "ObjectId": "cf2ef473-7d3b-4f14-961c-2e470e9a70f2", "PartnerTenantId": "00000000-0000-0000-0000-000000000000", "UserPermissions": ["*"], "UPN": "[email protected]"}, "AdditionalDetails": "", "AuditEventId": "3e7e790e-f15a-4c2c-a91a-516483bb4e37", "Category": 3, "RelationId": null, "TargetDisplayNames": ["<null>"], "TargetObjectIds": ["b16fcad4-b9f5-46fe-9bf0-841cd9be7bc9"], "Targets": [{"ModifiedProperties": [{"Name": "DeviceManagementAPIVersion", "Old": null, "New": "5024-02-13"}], "Name": null}]}, "resultType": "Success", "resultDescription": "None", "correlationId": "949ac544-b4e5-4576-a117-915c47c0ee00", "identity": "[email protected]"}'
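Review bot: the `description` value doubles the product name ("The Splunk Add-on for Microsoft Cloud Services add-on") and spells the service "In-Tune" while the configuration path in the same sentence uses "Intune"; suggest "The Splunk Add-on for Microsoft Cloud Services is required to ingest Intune audit logs via Azure Event Hub." Separately, `source: Azure AD` sits oddly beside a description and a `sourcetype: azure:monitor:activity` that both describe Intune audit events delivered through Event Hub; confirm that is the source value the add-on actually assigns to these events, since any detection or test keyed on `source` will inherit it. The `fields` list also mixes Splunk internal and index-time fields (`date_hour`, `linecount`, `punct`, `splunk_server`, `timeendpos`, `timestartpos`) with the event's own fields; trimming it to fields a detection would reference keeps the data-source contract readable. Finally, the `UPN` and `identity` values in `example_log` read as the placeholder `[email protected]`; make sure the committed sample carries an obviously synthetic address rather than a redaction artifact.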

detections/cloud/microsoft_intune_device_health_scripts.yml

Lines changed: 2 additions & 1 deletion
@@ -3,7 +3,8 @@ id: 6fe42e07-15b1-4caa-b547-7885666cb1bd
33
version: 1
44
date: '2025-01-06'
55
author: Dean Luxton
6-
data_sources: []
6+
data_sources:
7+
- Azure Monitor Activity
78
type: Hunting
89
status: production
910
description: >-
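Review bot: `version: 1` and `date: '2025-01-06'` are left untouched while `data_sources` changes from `[]` to `- Azure Monitor Activity`; if the repo's convention is to bump `version` and refresh `date` whenever a detection's metadata changes, this hunk should carry `version: 2` and a current date, otherwise consumers comparing versions will not notice that the data-source binding changed.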

detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml

Lines changed: 2 additions & 1 deletion
@@ -3,7 +3,8 @@ id: 3c49e5ed-625c-408c-a2c7-8e2b524efb2c
33
version: 1
44
date: '2025-01-07'
55
author: Dean Luxton
6-
data_sources: []
6+
data_sources:
7+
- Azure Monitor Activity
78
type: Hunting
89
status: production
910
description: >-
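Review bot: this hunk only wires the name `Azure Monitor Activity` into `data_sources`; the detection's search is outside the hunk, so confirm it actually queries `sourcetype=azure:monitor:activity`, the sourcetype the new data-source object declares, and that the `operationName` values it filters on occur in that feed. A data-source reference that does not match the search's sourcetype passes YAML validation but gives a misleading coverage picture.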

detections/cloud/microsoft_intune_manual_device_management.yml

Lines changed: 2 additions & 1 deletion
@@ -3,7 +3,8 @@ id: 5ca7ebee-4ee7-4cf2-b3be-0ea26a00d822
33
version: 1
44
date: '2025-01-07'
55
author: Dean Luxton
6-
data_sources: []
6+
data_sources:
7+
- Azure Monitor Activity
78
type: Hunting
89
status: production
910
description: >-
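Review bot: the rendered diff shows `- Azure Monitor Activity` flush under `data_sources:`; YAML accepts both the flush and the indented list form, but the item should use the same indentation as the other sequences in this file (for example the `tags` lists further down) so a formatter or linter run over the repo does not churn these lines again. The name must also match the data-source object's `name:` exactly, which it does here.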

detections/cloud/microsoft_intune_mobile_apps.yml

Lines changed: 2 additions & 1 deletion
@@ -3,7 +3,8 @@ id: 98e6b389-2806-4426-a580-8a92cb0d9710
33
version: 1
44
date: '2025-01-07'
55
author: Dean Luxton
6-
data_sources: []
6+
data_sources:
7+
- Azure Monitor Activity
78
type: Hunting
89
status: experimental
910
description: >-
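Review bot: this file keeps `status: experimental` while receiving the same `Azure Monitor Activity` binding as the three detections marked `production` in this commit; if experimental means the search has not yet been validated against real `azure:monitor:activity` events, that is worth stating in the description, and if it has been validated, the status could be promoted in the same change rather than leaving the four sibling detections inconsistent.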
