-
Notifications
You must be signed in to change notification settings - Fork 362
/
azure_active_directory_update_application.yml
83 lines (83 loc) · 4.54 KB
/
azure_active_directory_update_application.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
name: Azure Active Directory Update application
id: 2c08188a-ba25-496e-87c7-803cf28b6c90
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
description: Data source object for Azure Active Directory Update application
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
url: https://splunkbase.splunk.com/app/3110
version: 5.4.1
fields:
- _time
- Level
- category
- correlationId
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- durationMs
- host
- index
- linecount
- operationName
- operationVersion
- properties.activityDateTime
- properties.activityDisplayName
- properties.additionalDetails{}.key
- properties.additionalDetails{}.value
- properties.category
- properties.correlationId
- properties.id
- properties.initiatedBy.user.displayName
- properties.initiatedBy.user.id
- properties.initiatedBy.user.ipAddress
- properties.initiatedBy.user.userPrincipalName
- properties.loggedByService
- properties.operationType
- properties.result
- properties.resultReason
- properties.targetResources{}.displayName
- properties.targetResources{}.id
- properties.targetResources{}.modifiedProperties{}.displayName
- properties.targetResources{}.modifiedProperties{}.newValue
- properties.targetResources{}.modifiedProperties{}.oldValue
- properties.targetResources{}.type
- properties.userAgent
- punct
- resourceId
- resultSignature
- source
- sourcetype
- splunk_server
- tenantId
- time
- timeendpos
- timestartpos
example_log: '{"time": "2024-01-29T21:31:03.0102031Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam",
"operationName": "Update application", "operationVersion": "1.0", "category": "AuditLogs",
"tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultSignature": "None", "durationMs":
0, "correlationId": "a5396d2b-fcf6-41e7-9219-c6239f1298e3", "Level": 4, "properties":
{"id": "Directory_a5396d2b-fcf6-41e7-9219-c6239f1298e3_DGBDP_1548236", "category":
"ApplicationManagement", "correlationId": "a5396d2b-fcf6-41e7-9219-c6239f1298e3",
"result": "success", "resultReason": "", "activityDisplayName": "Update application",
"activityDateTime": "2024-01-29T21:31:03.0102031+00:00", "loggedByService": "Core
Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user":
{"id": "e4c722ac-3b83-478d-8f52-c388885dc30f", "displayName": null, "userPrincipalName":
"[email protected]", "ipAddress": "", "roles": []}}, "targetResources":
[{"id": "75924835-d844-4947-96ba-18074e997386", "displayName": "MaliciousApp", "type":
"Application", "modifiedProperties": [{"displayName": "RequiredResourceAccess",
"oldValue": "[{\"ResourceAppId\":\"00000003-0000-0000-c000-000000000000\",\"RequiredAppPermissions\":[{\"EntitlementId\":\"570282fd-fa5c-430d-a7fd-fc8dc98a9dca\",\"DirectAccessGrant\":false,\"ImpersonationAccessGrants\":[20]},{\"EntitlementId\":\"7427e0e9-2fba-42fe-b0c0-848c9e6a8182\",\"DirectAccessGrant\":false,\"ImpersonationAccessGrants\":[20]},{\"EntitlementId\":\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\"DirectAccessGrant\":false,\"ImpersonationAccessGrants\":[20]},{\"EntitlementId\":\"810c84a8-4a9e-49e6-bf7d-12d183f40d01\",\"DirectAccessGrant\":true,\"ImpersonationAccessGrants\":[]}],\"EncodingVersion\":1}]",
"newValue": "[{\"ResourceAppId\":\"00000003-0000-0000-c000-000000000000\",\"RequiredAppPermissions\":[{\"EntitlementId\":\"570282fd-fa5c-430d-a7fd-fc8dc98a9dca\",\"DirectAccessGrant\":false,\"ImpersonationAccessGrants\":[20]},{\"EntitlementId\":\"7427e0e9-2fba-42fe-b0c0-848c9e6a8182\",\"DirectAccessGrant\":false,\"ImpersonationAccessGrants\":[20]},{\"EntitlementId\":\"e1fe6dd8-ba31-4d61-89e7-88639da4683d\",\"DirectAccessGrant\":false,\"ImpersonationAccessGrants\":[20]},{\"EntitlementId\":\"810c84a8-4a9e-49e6-bf7d-12d183f40d01\",\"DirectAccessGrant\":true,\"ImpersonationAccessGrants\":[]}],\"EncodingVersion\":1},{\"ResourceAppId\":\"00000002-0000-0ff1-ce00-000000000000\",\"RequiredAppPermissions\":[{\"EntitlementId\":\"dc890d15-9560-4a4c-9b7f-a736ec74ec40\",\"DirectAccessGrant\":true,\"ImpersonationAccessGrants\":[]}],\"EncodingVersion\":1}]"},
{"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"RequiredResourceAccess\""}],
"administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value":
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/120.0.0.0 Safari/537.36"}, {"key": "AppId", "value": "867f0d29-0eab-4017-b691-c4713cc7d7b0"}]}}'