update T1098.003/azure_ad_assign_privileged_role/azure-audit.log
Update SPL due to Log syntax change
gowthamarajr committed Jun 28, 2023
1 parent c4e7112 commit 3ae03bf
Showing 3 changed files with 17 additions and 17 deletions.
@@ -12,8 +12,8 @@ description: The following analytic identifies the assignment of the Application
been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while
impersonating the application. This ability to impersonate the applications identity may be an elevation of privilege over what the user can do via their role assignments.
Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant.
search: ' `azuread` "body.operationName"="Add member to role" "body.properties.targetResources{}.modifiedProperties{}.newValue"="\"Application Administrator\""
| rename body.properties.* as *
search: ' `azuread` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Application Administrator\""
| rename properties.* as *
| rename targetResources{}.userPrincipalName as userPrincipalName
| rename initiatedBy.user.userPrincipalName as initiatedBy
| stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName
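Review bot: the `stats` context line closing this hunk still groups by `body.operationName`, although the filter was changed to `"operationName"` and the rename now strips `properties.` instead of `body.properties.`; in the new log shape the `body.operationName` field does not exist, so `stats ... by` drops every event and the detection silently returns nothing. Change the last line to `| stats values(userPrincipalName) by _time, initiatedBy, result, operationName` so the group-by matches the renamed field.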
@@ -57,10 +57,10 @@ tags:
- Splunk Cloud
required_fields:
- _time
- body.properties.targetResources{}.userPrincipalName
- body.properties.targetResources{}.type
- body.properties.initiatedBy.user.userPrincipalName
- body.properties.result
- properties.targetResources{}.userPrincipalName
- properties.targetResources{}.type
- properties.initiatedBy.user.userPrincipalName
- properties.result
risk_score: 35
security_domain: endpoint
tests:
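Review bot: `required_fields` tracks the prefix change but still omits `properties.targetResources{}.modifiedProperties{}.newValue`, which the search filters on, while it keeps `properties.targetResources{}.type`, which the search never references; listing the fields the SPL actually uses keeps the metadata accurate. Separately, `security_domain: endpoint` looks wrong for an Azure AD role-assignment analytic; the sibling detection in this commit uses `identity`.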
@@ -10,8 +10,8 @@ description: The following analytic identifies the assignment of the Privileged
methods for any user in Azure Active Directory, including privileged roles like Global Administrators. Users with this role can change credentials for people who may have access to sensitive
or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that users identity and permissions.
Red teams and adversaries alike may abuse this role to escalate their privileges.
search: ' `azuread` "body.operationName"="Add member to role" "body.properties.targetResources{}.modifiedProperties{}.newValue"="\"Privileged Authentication Administrator\""
| rename body.properties.* as *
search: ' `azuread` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Privileged Authentication Administrator\""
| rename properties.* as *
| rename targetResources{}.userPrincipalName as userPrincipalName
| rename initiatedBy.user.userPrincipalName as initiatedBy
| stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName
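Review bot: same stale group-by as in the Application Administrator search: the final `stats` line still uses `body.operationName` after the hunk switched the filter to `"operationName"` and the rename to `properties.*`. Because the field no longer exists under that name, the `by` clause discards all events; it should read `| stats values(userPrincipalName) by _time, initiatedBy, result, operationName`.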
@@ -51,10 +51,10 @@ tags:
- Splunk Cloud
required_fields:
- _time
- body.properties.targetResources{}.userPrincipalName
- body.properties.targetResources{}.type
- body.properties.initiatedBy.user.userPrincipalName
- body.properties.result
- properties.targetResources{}.userPrincipalName
- properties.targetResources{}.type
- properties.initiatedBy.user.userPrincipalName
- properties.result
risk_score: 50
security_domain: identity
tests:
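Review bot: the `required_fields` list here should include `properties.targetResources{}.modifiedProperties{}.newValue`, the field the search matches `"Privileged Authentication Administrator"` against; `properties.targetResources{}.type` is listed but is not used anywhere in the search and can be dropped.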
10 changes: 5 additions & 5 deletions detections/cloud/azure_ad_privileged_role_assigned.yml
@@ -10,7 +10,7 @@ description: The following analytic identifies the assignment of sensitive and p
may assign these roles to a compromised account to establish Persistence in an Azure
AD environment.
data_source: []
search: ' `azuread` "body.operationName"="Add member to role" | rename body.properties.* as *
search: ' `azuread` "operationName"="Add member to role" | rename properties.* as *
| rename targetResources{}.userPrincipalName as userPrincipalName
| rename initiatedBy.user.userPrincipalName as initiatedBy
| rename targetResources{}.modifiedProperties{}.newValue as roles
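Review bot: `data_source: []` is left empty in this hunk while the search depends on the `azuread` macro and the renamed `properties.*` fields; populating it with the Azure AD audit log source the SPL now expects documents the data requirement that this syntax change introduces. The search-line edit itself is consistent: both the `"operationName"` filter and the `rename properties.* as *` were updated together, so the later `targetResources{}` and `initiatedBy` renames resolve.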
@@ -58,10 +58,10 @@ tags:
- Splunk Cloud
required_fields:
- _time
- body.properties.targetResources{}.userPrincipalName
- body.properties.targetResources{}.type
- body.properties.initiatedBy.user.userPrincipalName
- body.properties.result
- properties.targetResources{}.userPrincipalName
- properties.targetResources{}.type
- properties.initiatedBy.user.userPrincipalName
- properties.result
risk_score: 63
security_domain: audit
tests:
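Review bot: `required_fields` should list `properties.targetResources{}.modifiedProperties{}.newValue`, which this search renames to `roles` and which is the field the detection is built around, rather than `properties.targetResources{}.type`, which the SPL never touches.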