splunk · patel-bhavin · Aug 18, 2023 · Jun 16, 2023 · Jun 20, 2023 · Jun 20, 2023
@@ -29,12 +29,12 @@ tags:
   asset_type: AWS Account
   confidence: 80
   impact: 80
-  message: A new virtual device $virtualMFADeviceName$ is added to user  $user_arn$
+  message: A new virtual device $virtualMFADeviceName$ is added to user $user_arn$
   mitre_attack_id:
   - T1556
   - T1556.006
   observable:
-  - name: user_name
+  - name: user_arn
     type: User
     role:
     - Victim

@@ -2,21 +2,20 @@ name: Azure Active Directory High Risk Sign-in
 id: 1ecff169-26d7-4161-9a7b-2ac4c8e61bea
 version: 1
 date: '2022-07-11'
-author: Mauricio Velazco, Splunk
+author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
 description: The following analytic triggers on a high risk sign-in against Azure
   Active Directory identified by Azure Identity Protection. Identity Protection monitors
   sign-in events using heuristics and machine learning to identify potentially malicious
   events and categorizes them in three categories high, medium and low.
 data_source: []
-search: ' `azuread` body.category=UserRiskEvents body.properties.riskLevel=high |
-  rename body.properties.* as * |  stats values(userPrincipalName) by _time, ipAddress,
+search: ' `azuread` category=UserRiskEvents properties.riskLevel=high |
+  rename properties.* as * |  stats values(userPrincipalName) as userPrincipalName by _time, ipAddress,
   activity, riskLevel, riskEventType, additionalInfo | `azure_active_directory_high_risk_sign_in_filter`'
-how_to_implement: You must install the latest version of  Splunk Add-on for Microsoft
-  Cloud Services from  Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
-  You must be ingesting Azure Active Directory events into your Splunk environment.
-  You must be ingesting Azure Active Directory events in your Splunk environment.
+how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
+  Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
+  You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub.
   Specifically, this analytic leverages the RiskyUsers and UserRiskEvents log category.
 known_false_positives: Details for the risk calculation algorithm used by Identity
   Protection are unknown and may be prone to false positives.
@@ -31,7 +30,7 @@ tags:
   asset_type: Azure Active Directory
   confidence: 90
   impact: 60
-  message: A high risk event was identified by Identify Protection for user $body.properties.userPrincipalName$
+  message: A high risk event was identified by Identify Protection for user $userPrincipalName$
   mitre_attack_id:
   - T1586
   - T1586.003
@@ -52,13 +51,13 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  - body.category
-  - body.properties.riskLevel
-  - body.properties.userPrincipalName
-  - body.properties.ipAddress
-  - body.properties.activity
-  - body.properties.riskEventType
-  - body.properties.additionalInfo
+  - category
+  - properties.riskLevel
+  - properties.userPrincipalName
+  - properties.ipAddress
+  - properties.activity
+  - properties.riskEventType
+  - properties.additionalInfo
   risk_score: 54
   security_domain: identity
 tests:

@@ -2,7 +2,7 @@ name: Azure AD Application Administrator Role Assigned
 id: eac4de87-7a56-4538-a21b-277897af6d8d
 version: 1
 date: '2023-04-25'
-author: Mauricio Velazco, Splunk
+author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
 data_source: []
@@ -12,11 +12,11 @@ description: The following analytic identifies the assignment of the Application
   been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while
   impersonating the application. This ability to impersonate the applications identity may be an elevation of privilege over what the user can do via their role assignments.
   Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant.
-search: ' `azuread` "body.operationName"="Add member to role"  "body.properties.targetResources{}.modifiedProperties{}.newValue"="\"Application Administrator\"" 
-  | rename body.properties.* as * 
+search: ' `azuread` "operationName"="Add member to role"  "properties.targetResources{}.modifiedProperties{}.newValue"="\"Application Administrator\"" 
+  | rename properties.* as * 
   | rename targetResources{}.userPrincipalName as userPrincipalName 
   | rename initiatedBy.user.userPrincipalName as initiatedBy
-  | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName
+  | stats values(userPrincipalName) as userPrincipalName by _time, initiatedBy, result, operationName
   | `azure_ad_application_administrator_role_assigned_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details).
@@ -57,10 +57,10 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  - body.properties.targetResources{}.userPrincipalName
-  - body.properties.targetResources{}.type
-  - body.properties.initiatedBy.user.userPrincipalName
-  - body.properties.result
+  - properties.targetResources{}.userPrincipalName
+  - properties.targetResources{}.type
+  - properties.initiatedBy.user.userPrincipalName
+  - properties.result
   risk_score: 35
   security_domain: endpoint
 tests:

@@ -2,7 +2,7 @@ name: Azure AD Authentication Failed During MFA Challenge
 id: e62c9c2e-bf51-4719-906c-3074618fcc1c
 version: 1
 date: '2022-07-14'
-author: Mauricio Velazco, Splunk
+author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
 description: 'The following analytic identifies an authentication attempt event against
@@ -11,12 +11,12 @@ description: 'The following analytic identifies an authentication attempt event
   This behavior may represent an adversary trying to authenticate with compromised
   credentials for an account that has multi-factor authentication enabled. '
 data_source: []
-search: ' `azuread` body.category=SignInLogs body.properties.status.errorCode=500121
-  | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress,
+search: ' `azuread` category=SignInLogs properties.status.errorCode=500121
+  | rename properties.* as * | stats values(userPrincipalName) as userPrincipalName by _time, ipAddress,
   status.additionalDetails, appDisplayName, userAgent | `azure_ad_authentication_failed_during_mfa_challenge_filter`'
-how_to_implement: You must install the latest version of  Splunk Add-on for Microsoft
-  Cloud Services from  Splunkbase(https://splunkbase.splunk.com/app/3110/#/details).
-  You must be ingesting Azure Active Directory events in your Splunk environment.
+how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
+  Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
+  You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub.
   Specifically, this analytic leverages the SignInLogs log category.
 known_false_positives: Legitimate users may miss to reply the MFA challenge within
   the time window or deny it by mistake.
@@ -30,7 +30,7 @@ tags:
   asset_type: Azure Active Directory
   confidence: 90
   impact: 60
-  message: User $body.properties.userPrincipalName$ failed to pass MFA challenge
+  message: User $userPrincipalName$ failed to pass MFA challenge
   mitre_attack_id:
   - T1586
   - T1586.003
@@ -52,13 +52,13 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  - body.category
-  - body.properties.status.errorCode
-  - body.properties.userPrincipalName
-  - body.properties.ipAddress
-  - body.properties.status.additionalDetails
-  - body.properties.appDisplayName
-  - body.properties.userAgent
+  - category
+  - properties.status.errorCode
+  - properties.userPrincipalName
+  - properties.ipAddress
+  - properties.status.additionalDetails
+  - properties.appDisplayName
+  - properties.userAgent
   risk_score: 54
   security_domain: identity
 tests:

@@ -14,11 +14,11 @@ description: The following analytic identifies an Azure AD account with concurre
 data_source: []
 search: ' `azuread` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs
   | rename properties.* as * | bucket span=5m _time | stats  dc(ipAddress) AS unique_ips
-  values(ipAddress) values(appDisplayName) by _time, userPrincipalName | where unique_ips
+  values(ipAddress) as ipAddress values(appDisplayName) by _time, userPrincipalName | where unique_ips
   > 1 | `azure_ad_concurrent_sessions_from_different_ips_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
-  You must be ingesting Azure Active Directory events into your Splunk environment.
+  You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub.
   Specifically, this analytic leverages the SignInLogs log category.
 known_false_positives: A user with concurrent sessions from different Ips may also
   represent the legitimate use of more than one device. Filter as needed and/or customize

@@ -13,10 +13,10 @@ description: The following analytic identifies the invitation of an external gue
   2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking
   Azure AD Accounts by Abusing External Identities`
 data_source: []
-search: '`azuread` "body.operationName"="Invite external user" | rename body.properties.*
+search: '`azuread` "operationName"="Invite external user" | rename properties.*
   as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename
   initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type
-  as type | stats values(userPrincipalName) by _time, type, initiatedBy, result, body.operationName
+  as type | stats values(userPrincipalName) as userPrincipalName by _time, type, initiatedBy, result, operationName
   | `azure_ad_external_guest_user_invited_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details).
@@ -53,10 +53,10 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  - body.properties.targetResources{}.userPrincipalName
-  - body.properties.targetResources{}.type
-  - body.properties.initiatedBy.user.userPrincipalName
-  - body.properties.result
+  - properties.targetResources{}.userPrincipalName
+  - properties.targetResources{}.type
+  - properties.initiatedBy.user.userPrincipalName
+  - properties.result
   risk_score: 45
   security_domain: threat
 tests:

@@ -1,6 +1,6 @@
 name: Azure AD Global Administrator Role Assigned
 id: 825fed20-309d-4fd1-8aaf-cd49c1bb093c
-version: 2
+version: 3
 date: '2022-08-17'
 author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
 status: production
@@ -14,14 +14,15 @@ description: The following analytic identifies the assignment of the Azure AD Gl
   to gain control of Azure resources. Adversaries and red teams alike may assign this
   role to a compromised account to establish Persistence or escalate their privileges in an Azure AD environment.
 data_source: []
-search: '`azuread` "body.operationName"="Add member to role"  "body.properties.targetResources{}.modifiedProperties{}.newValue"="\"Global
-  Administrator\"" | rename body.properties.* as * | rename targetResources{}.userPrincipalName
-  as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy
-  | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName
+search: '`azuread` operationName="Add member to role"  properties.targetResources{}.modifiedProperties{}.newValue="\"Global Administrator\""
+  | rename properties.* as *
+  | rename targetResources{}.userPrincipalName as userPrincipalName
+  | rename initiatedBy.user.userPrincipalName as initiatedBy
+  | stats values(userPrincipalName) as userPrincipalName by _time, initiatedBy, result, operationName
   | `azure_ad_global_administrator_role_assigned_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details).
-  You must be ingesting Azure Active Directory events into your Splunk environment.
+  You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub.
   Specifically, this analytic leverages the AuditLogs log category.
 known_false_positives: Administrators may legitimately assign the Global Administrator
   role to a user. Filter as needed.
@@ -58,10 +59,10 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  - body.properties.targetResources{}.userPrincipalName
-  - body.properties.targetResources{}.type
-  - body.properties.initiatedBy.user.userPrincipalName
-  - body.properties.result
+  - properties.targetResources{}.userPrincipalName
+  - properties.targetResources{}.type
+  - properties.initiatedBy.user.userPrincipalName
+  - properties.result
   risk_score: 72
   security_domain: threat
 tests:

@@ -15,7 +15,7 @@ search: ' `azuread` category= SignInLogs properties.status.errorCode=50126 prope
   by userPrincipalName, _time | where failed_attempts > 20 | `azure_ad_high_number_of_failed_authentications_for_user_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
-  You must be ingesting Azure Active Directory events into your Splunk environment.
+  You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub.
   Specifically, this analytic leverages the SignInLogs log category.
 known_false_positives: A user with more than 20 failed authentication attempts in
   the span of 5 minutes may also be triggered by a broken application.

@@ -13,10 +13,10 @@ description: The following analytic identifies an Ip address failing to authenti
 data_source: []
 search: ' `azuread` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false
   | rename properties.* as * | bucket span=5m _time | stats  dc(_raw) AS failed_attempts
-  values(userPrincipalName) by ipAddress, _time | where failed_attempts > 20 | `azure_ad_high_number_of_failed_authentications_from_ip_filter`'
+  values(userPrincipalName) as userPrincipalName by ipAddress, _time | where failed_attempts > 20 | `azure_ad_high_number_of_failed_authentications_from_ip_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
-  You must be ingesting Azure Active Directory events into your Splunk environment.
+  You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub.
   Specifically, this analytic leverages the SignInLogs log category.
 known_false_positives: An Ip address with more than 20 failed authentication attempts
   in the span of 5 minutes may also be triggered by a broken application.

@@ -2,7 +2,7 @@ name: Azure AD Multi-Factor Authentication Disabled
 id: 482dd42a-acfa-486b-a0bb-d6fcda27318e
 version: 1
 date: '2022-08-10'
-author: Mauricio Velazco, Splunk
+author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
 description: The following analytic identifies an attempt to disable multi-factor
@@ -11,14 +11,14 @@ description: The following analytic identifies an attempt to disable multi-facto
   and maintain persistence using a valid account. This way the attackers can keep
   persistance in the environment without adding new users.
 data_source: []
-search: '`azuread` body.category=AuditLogs body.operationName="Disable Strong Authentication"
-  | rename body.properties.* as * | rename targetResources{}.userPrincipalName as
+search: '`azuread` category=AuditLogs operationName="Disable Strong Authentication"
+  | rename properties.* as * | rename targetResources{}.userPrincipalName as
   userPrincipalName | rename targetResources{}.type as type | rename initiatedBy.user.userPrincipalName
-  as initiatedBy | stats values(userPrincipalName) by _time, type, body.operationName,
+  as initiatedBy | stats values(userPrincipalName) as userPrincipalName by _time, type, operationName,
   initiatedBy, result | `azure_ad_multi_factor_authentication_disabled_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
-  Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details).
-  You must be ingesting Azure Active Directory events into your Splunk environment.
+  Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
+  You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub.
   Specifically, this analytic leverages the AuditLogs log category.
 known_false_positives: Legitimate use case may require for users to disable MFA. Filter
   as needed.
@@ -54,10 +54,10 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  - body.properties.targetResources{}.userPrincipalName
-  - body.properties.targetResources{}.type
-  - body.properties.initiatedBy.user.userPrincipalName
-  - body.properties.result
+  - properties.targetResources{}.userPrincipalName
+  - properties.targetResources{}.type
+  - properties.initiatedBy.user.userPrincipalName
+  - properties.result
   risk_score: 45
   security_domain: identity
 tests:

@@ -2,7 +2,7 @@ name: Azure AD Multiple Failed MFA Requests For User
 id: 264ea131-ab1f-41b8-90e0-33ad1a1888ea
 version: 1
 date: '2022-08-25'
-author: Mauricio Velazco, Splunk
+author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
 description: The following analytic identifies multiple failed multi-factor authentication
@@ -18,13 +18,13 @@ description: The following analytic identifies multiple failed multi-factor auth
   this technique to bypass multi-factor authentication controls as reported by Mandiant
   and others.
 data_source: []
-search: ' `azuread` body.category=SignInLogs body.properties.status.errorCode=500121
-  | rename body.properties.* as * | bucket span=10m _time | stats dc(_raw) AS mfa_prompts
-  values(userPrincipalName) by userPrincipalName, status.additionalDetails, appDisplayName,
+search: ' `azuread` category=SignInLogs properties.status.errorCode=500121
+  | rename properties.* as * | bucket span=10m _time | stats dc(_raw) AS mfa_prompts
+  values(ipAddress) as ipAddress by userPrincipalName, status.additionalDetails, appDisplayName,
   userAgent, _time | where mfa_prompts > 10 | `azure_ad_multiple_failed_mfa_requests_for_user_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
-  You must be ingesting Azure Active Directory events into your Splunk environment.
+  You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub.
   Specifically, this analytic leverages the SignInLogs log category.
 known_false_positives: Multiple Failed MFA requests may also be a sign of authentication
   or application issues. Filter as needed.
@@ -40,7 +40,7 @@ tags:
   asset_type: Azure Active Directory
   confidence: 90
   impact: 60
-  message: Multiple Failed MFA requests for user $body.properties.userPrincipalName$
+  message: Multiple Failed MFA requests for user $userPrincipalName$
   mitre_attack_id:
   - T1586
   - T1586.003
@@ -62,11 +62,11 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  - body.properties.status.errorCode
-  - body.category
-  - body.properties.authenticationDetails
-  - body.properties.userPrincipalName
-  - body.properties.ipAddress
+  - properties.status.errorCode
+  - category
+  - properties.authenticationDetails
+  - properties.userPrincipalName
+  - properties.ipAddress
   risk_score: 54
   security_domain: identity
 tests: