diff --git a/contentctl.yml b/contentctl.yml
index 0a0e902160..d08325087b 100644
--- a/contentctl.yml
+++ b/contentctl.yml
@@ -29,199 +29,200 @@ mode: {}
 splunk_api_username: null
 post_test_behavior: pause_on_failure
 apps:
-- uid: 1621
- title: Splunk_SA_CIM
- appid: Splunk_SA_CIM
- version: 6.0.2
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-common-information-model-cim_602.tgz
-- uid: 6553
- title: Splunk Add-on for Okta Identity Cloud
- appid: Splunk_TA_okta_identity_cloud
- version: 3.0.0
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-okta-identity-cloud_300.tgz
-- uid: 7404
- title: Cisco Security Cloud
- appid: CiscoSecurityCloud
- version: 3.0.1
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_301.tgz
-- uid: 6652
- title: Add-on for Linux Sysmon
- appid: Splunk_TA_linux_sysmon
- version: 1.0.0
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-sysmon-for-linux_100.tgz
-- uid: null
- title: Splunk Fix XmlWinEventLog HEC Parsing
- appid: Splunk_FIX_XMLWINEVENTLOG_HEC_PARSING
- version: '0.1'
- description: This TA is required for replaying Windows Data into the Test Environment.
- The Default TA does not include logic for properly splitting multiple log events
- in a single file. In production environments, this logic is applied by the Universal
- Forwarder.
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/Splunk_TA_fix_windows.tgz
-- uid: 742
- title: Splunk Add-on for Microsoft Windows
- appid: SPLUNK_ADD_ON_FOR_MICROSOFT_WINDOWS
- version: 9.0.1
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Splunk_TA_windows-9.0.1.spl
-- uid: 5709
- title: Splunk Add-on for Sysmon
- appid: Splunk_TA_microsoft_sysmon
- version: 4.0.2
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-sysmon_402.tgz
-- uid: 833
- title: Splunk Add-on for Unix and Linux
- appid: Splunk_TA_nix
- version: 10.0.0
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-unix-and-linux_1000.tgz
-- uid: 5579
- title: Splunk Add-on for CrowdStrike FDR
- appid: Splunk_TA_CrowdStrike_FDR
- version: 2.0.3
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-crowdstrike-fdr_203.tgz
-- uid: 3185
- title: Splunk Add-on for Microsoft IIS
- appid: SPLUNK_TA_FOR_IIS
- version: 1.3.0
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-iis_130.tgz
-- uid: 4242
- title: TA for Suricata
- appid: SPLUNK_TA_FOR_SURICATA
- version: 2.3.4
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ta-for-suricata_234.tgz
-- uid: 5466
- title: TA for Zeek
- appid: SPLUNK_TA_FOR_ZEEK
- version: 1.0.8
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ta-for-zeek_108.tgz
-- uid: 3258
- title: Splunk Add-on for NGINX
- appid: SPLUNK_ADD_ON_FOR_NGINX
- version: 3.3.0
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-nginx_330.tgz
-- uid: 5238
- title: Splunk Add-on for Stream Forwarders
- appid: SPLUNK_ADD_ON_FOR_STREAM_FORWARDERS
- version: 8.1.3
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-stream-forwarders_813.tgz
-- uid: 5234
- title: Splunk Add-on for Stream Wire Data
- appid: SPLUNK_ADD_ON_FOR_STREAM_WIRE_DATA
- version: 8.1.3
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-stream-wire-data_813.tgz
-- uid: 2757
- title: Palo Alto Networks Add-on for Splunk
- appid: PALO_ALTO_NETWORKS_ADD_ON_FOR_SPLUNK
- version: 8.1.3
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/palo-alto-networks-add-on-for-splunk_813.tgz
-- uid: 3865
- title: Zscaler Technical Add-On for Splunk
- appid: Zscaler_CIM
- version: 4.0.16
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/zscaler-technical-add-on-for-splunk_4016.tgz
-- uid: 3719
- title: Splunk Add-on for Amazon Kinesis Firehose
- appid: SPLUNK_ADD_ON_FOR_AMAZON_KINESIS_FIREHOSE
- version: 1.3.2
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-amazon-kinesis-firehose_132.tgz
-- uid: 1876
- title: Splunk Add-on for AWS
- appid: Splunk_TA_aws
- version: 7.9.1
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-amazon-web-services-aws_791.tgz
-- uid: 3088
- title: Splunk Add-on for Google Cloud Platform
- appid: SPLUNK_ADD_ON_FOR_GOOGLE_CLOUD_PLATFORM
- version: 4.7.0
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-google-cloud-platform_470.tgz
-- uid: 5556
- title: Splunk Add-on for Google Workspace
- appid: SPLUNK_ADD_ON_FOR_GOOGLE_WORKSPACE
- version: 3.0.2
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-google-workspace_302.tgz
-- uid: 3110
- title: Splunk Add-on for Microsoft Cloud Services
- appid: SPLUNK_TA_MICROSOFT_CLOUD_SERVICES
- version: 5.4.3
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-cloud-services_543.tgz
-- uid: 4055
- title: Splunk Add-on for Microsoft Office 365
- appid: SPLUNK_ADD_ON_FOR_MICROSOFT_OFFICE_365
- version: 4.7.0
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-office-365_470.tgz
-- uid: 2890
- title: Splunk Machine Learning Toolkit
- appid: SPLUNK_MACHINE_LEARNING_TOOLKIT
- version: 5.5.0
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-machine-learning-toolkit_550.tgz
-- uid: 5518
- title: Splunk add on for Microsoft Defender Advanced Hunting
- appid: SPLUNK_ADD_ON_FOR_MICROSOFT_DEFENDER_ADVANCED_HUNTING
- version: 1.4.1
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/microsoft-defender-advanced-hunting-add-on-for-splunk_141.tgz
-- uid: 6207
- title: Splunk Add-on for Microsoft Security
- appid: Splunk_TA_MS_Security
- version: 2.4.1
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-security_241.tgz
-- uid: 2734
- title: URL Toolbox
- appid: URL_TOOLBOX
- version: 1.9.4
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/url-toolbox_194.tgz
-- uid: 6853
- title: Splunk Add-on for Admon Enrichment
- appid: SA-admon
- version: 1.1.2
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-admon-enrichment_112.tgz
-- uid: 5082
- title: CrowdStrike Falcon Event Streams Technical Add-On
- appid: TA-crowdstrike-falcon-event-streams
- version: 3.2.1
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/crowdstrike-falcon-event-streams-technical-add-on_321.tgz
-- uid: 2882
- title: Python for Scientific Computing (for Linux 64-bit)
- appid: Splunk_SA_Scientific_Python_linux_x86_64
- version: 4.2.2
- description: PSC for MLTK
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/python-for-scientific-computing-for-linux-64-bit_422.tgz
-- uid: 6254
- title: Splunk Add-on for Github
- appid: Splunk_TA_github
- version: 3.1.0
- description: description of app
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-github_310.tgz
-- uid: 2882
- title: Splunk Add-on for AppDynamics
- appid: Splunk_TA_AppDynamics
- version: 3.0.0
- description: The Splunk Add-on for AppDynamics enables you to easily configure data inputs to pull data from AppDynamics' REST APIs
- hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-appdynamics_300.tgz
+ - uid: 1621
+ title: Splunk_SA_CIM
+ appid: Splunk_SA_CIM
+ version: 6.0.2
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-common-information-model-cim_602.tgz
+ - uid: 6553
+ title: Splunk Add-on for Okta Identity Cloud
+ appid: Splunk_TA_okta_identity_cloud
+ version: 3.0.0
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-okta-identity-cloud_300.tgz
+ - uid: 7404
+ title: Cisco Security Cloud
+ appid: CiscoSecurityCloud
+ version: 3.0.1
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_301.tgz
+ - uid: 6652
+ title: Add-on for Linux Sysmon
+ appid: Splunk_TA_linux_sysmon
+ version: 1.0.0
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-sysmon-for-linux_100.tgz
+ - uid: null
+ title: Splunk Fix XmlWinEventLog HEC Parsing
+ appid: Splunk_FIX_XMLWINEVENTLOG_HEC_PARSING
+ version: "0.1"
+ description:
+ This TA is required for replaying Windows Data into the Test Environment.
+ The Default TA does not include logic for properly splitting multiple log events
+ in a single file. In production environments, this logic is applied by the Universal
+ Forwarder.
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/Splunk_TA_fix_windows.tgz
+ - uid: 742
+ title: Splunk Add-on for Microsoft Windows
+ appid: SPLUNK_ADD_ON_FOR_MICROSOFT_WINDOWS
+ version: 9.0.1
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Splunk_TA_windows-9.0.1.spl
+ - uid: 5709
+ title: Splunk Add-on for Sysmon
+ appid: Splunk_TA_microsoft_sysmon
+ version: 4.0.2
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-sysmon_402.tgz
+ - uid: 833
+ title: Splunk Add-on for Unix and Linux
+ appid: Splunk_TA_nix
+ version: 10.0.0
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-unix-and-linux_1000.tgz
+ - uid: 5579
+ title: Splunk Add-on for CrowdStrike FDR
+ appid: Splunk_TA_CrowdStrike_FDR
+ version: 2.0.3
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-crowdstrike-fdr_203.tgz
+ - uid: 3185
+ title: Splunk Add-on for Microsoft IIS
+ appid: SPLUNK_TA_FOR_IIS
+ version: 1.3.0
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-iis_130.tgz
+ - uid: 4242
+ title: TA for Suricata
+ appid: SPLUNK_TA_FOR_SURICATA
+ version: 2.3.4
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ta-for-suricata_234.tgz
+ - uid: 5466
+ title: TA for Zeek
+ appid: SPLUNK_TA_FOR_ZEEK
+ version: 1.0.8
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ta-for-zeek_108.tgz
+ - uid: 3258
+ title: Splunk Add-on for NGINX
+ appid: SPLUNK_ADD_ON_FOR_NGINX
+ version: 3.3.0
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-nginx_330.tgz
+ - uid: 5238
+ title: Splunk Add-on for Stream Forwarders
+ appid: SPLUNK_ADD_ON_FOR_STREAM_FORWARDERS
+ version: 8.1.3
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-stream-forwarders_813.tgz
+ - uid: 5234
+ title: Splunk Add-on for Stream Wire Data
+ appid: SPLUNK_ADD_ON_FOR_STREAM_WIRE_DATA
+ version: 8.1.3
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-stream-wire-data_813.tgz
+ - uid: 2757
+ title: Palo Alto Networks Add-on for Splunk
+ appid: PALO_ALTO_NETWORKS_ADD_ON_FOR_SPLUNK
+ version: 8.1.3
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/palo-alto-networks-add-on-for-splunk_813.tgz
+ - uid: 3865
+ title: Zscaler Technical Add-On for Splunk
+ appid: Zscaler_CIM
+ version: 4.0.16
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/zscaler-technical-add-on-for-splunk_4016.tgz
+ - uid: 3719
+ title: Splunk Add-on for Amazon Kinesis Firehose
+ appid: SPLUNK_ADD_ON_FOR_AMAZON_KINESIS_FIREHOSE
+ version: 1.3.2
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-amazon-kinesis-firehose_132.tgz
+ - uid: 1876
+ title: Splunk Add-on for AWS
+ appid: Splunk_TA_aws
+ version: 7.9.1
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-amazon-web-services-aws_791.tgz
+ - uid: 3088
+ title: Splunk Add-on for Google Cloud Platform
+ appid: SPLUNK_ADD_ON_FOR_GOOGLE_CLOUD_PLATFORM
+ version: 4.7.0
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-google-cloud-platform_470.tgz
+ - uid: 5556
+ title: Splunk Add-on for Google Workspace
+ appid: SPLUNK_ADD_ON_FOR_GOOGLE_WORKSPACE
+ version: 3.0.3
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-google-workspace_303.tgz
+ - uid: 3110
+ title: Splunk Add-on for Microsoft Cloud Services
+ appid: SPLUNK_TA_MICROSOFT_CLOUD_SERVICES
+ version: 5.4.3
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-cloud-services_543.tgz
+ - uid: 4055
+ title: Splunk Add-on for Microsoft Office 365
+ appid: SPLUNK_ADD_ON_FOR_MICROSOFT_OFFICE_365
+ version: 4.8.0
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-office-365_480.tgz
+ - uid: 2890
+ title: Splunk Machine Learning Toolkit
+ appid: SPLUNK_MACHINE_LEARNING_TOOLKIT
+ version: 5.5.0
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-machine-learning-toolkit_550.tgz
+ - uid: 5518
+ title: Splunk add on for Microsoft Defender Advanced Hunting
+ appid: SPLUNK_ADD_ON_FOR_MICROSOFT_DEFENDER_ADVANCED_HUNTING
+ version: 1.4.1
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/microsoft-defender-advanced-hunting-add-on-for-splunk_141.tgz
+ - uid: 6207
+ title: Splunk Add-on for Microsoft Security
+ appid: Splunk_TA_MS_Security
+ version: 2.4.1
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-security_241.tgz
+ - uid: 2734
+ title: URL Toolbox
+ appid: URL_TOOLBOX
+ version: 1.9.4
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/url-toolbox_194.tgz
+ - uid: 6853
+ title: Splunk Add-on for Admon Enrichment
+ appid: SA-admon
+ version: 1.1.2
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-admon-enrichment_112.tgz
+ - uid: 5082
+ title: CrowdStrike Falcon Event Streams Technical Add-On
+ appid: TA-crowdstrike-falcon-event-streams
+ version: 3.2.1
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/crowdstrike-falcon-event-streams-technical-add-on_321.tgz
+ - uid: 2882
+ title: Python for Scientific Computing (for Linux 64-bit)
+ appid: Splunk_SA_Scientific_Python_linux_x86_64
+ version: 4.2.2
+ description: PSC for MLTK
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/python-for-scientific-computing-for-linux-64-bit_422.tgz
+ - uid: 6254
+ title: Splunk Add-on for Github
+ appid: Splunk_TA_github
+ version: 3.1.0
+ description: description of app
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-github_310.tgz
+ - uid: 2882
+ title: Splunk Add-on for AppDynamics
+ appid: Splunk_TA_AppDynamics
+ version: 3.0.0
+ description: The Splunk Add-on for AppDynamics enables you to easily configure data inputs to pull data from AppDynamics' REST APIs
+ hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-appdynamics_300.tgz
 githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd
diff --git a/data_sources/g_suite_drive.yml b/data_sources/g_suite_drive.yml
index 0b3b02e79e..202dea0c7c 100644
--- a/data_sources/g_suite_drive.yml
+++ b/data_sources/g_suite_drive.yml
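Review bot: `uid: 2882` is carried onto the new side for two different entries, "Python for Scientific Computing (for Linux 64-bit)" and the final "Splunk Add-on for AppDynamics" item; elsewhere in this diff the uid lines up with the `splunkbase.splunk.com/app/<uid>` URL (5556, 4055), so one of the two looks like a copy-paste leftover and the AppDynamics entry should get its own app id before the reformat freezes it in. The two bumped entries (5556 to `version: 3.0.3`, 4055 to `version: 4.8.0`) also change which tarball `hardcoded_path` fetches from the S3 bucket, yet nothing in the file pins an expected digest, so a replaced object at the same URL would be installed without any signal; if the app schema accepts a checksum field it is worth recording one next to each `hardcoded_path`, otherwise a comment such as `# expected sha256: <DIGEST-PLACEHOLDER>` on the bumped entries documents what was verified. The `description: description of app` placeholders survive the reformat as well and could be filled in while these entries are being touched.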
@@ -1,48 +1,49 @@
 name: G Suite Drive
 id: 5f79120f-a235-4468-bd0d-55203758ac22
 version: 1
-date: '2024-07-18'
+date: "2024-07-18"
 author: Patrick Bareiss, Splunk
 description: Data source object for G Suite Drive
 source: http:gsuite
 sourcetype: gsuite:drive:json
 supported_TA:
-- name: Splunk Add-on for Google Workspace
- url: https://splunkbase.splunk.com/app/5556
- version: 3.0.2
+ - name: Splunk Add-on for Google Workspace
+ url: https://splunkbase.splunk.com/app/5556
+ version: 3.0.3
 fields:
-- _time
-- email
-- host
-- index
-- ip_address
-- linecount
-- name
-- parameters.actor_is_collaborator_account
-- parameters.billable
-- parameters.doc_id
-- parameters.doc_title
-- parameters.doc_type
-- parameters.is_encrypted
-- parameters.new_value{}
-- parameters.old_value{}
-- parameters.old_visibility
-- parameters.originating_app_id
-- parameters.owner
-- parameters.owner_is_shared_drive
-- parameters.owner_is_team_drive
-- parameters.primary_event
-- parameters.target_user
-- parameters.visibility
-- parameters.visibility_change
-- punct
-- source
-- sourcetype
-- splunk_server
-- timestamp
-- type
-- unique_id
-example_log: '{"type": "acl_change", "name": "change_user_access", "parameters": {"primary_event":
+ - _time
+ - email
+ - host
+ - index
+ - ip_address
+ - linecount
+ - name
+ - parameters.actor_is_collaborator_account
+ - parameters.billable
+ - parameters.doc_id
+ - parameters.doc_title
+ - parameters.doc_type
+ - parameters.is_encrypted
+ - parameters.new_value{}
+ - parameters.old_value{}
+ - parameters.old_visibility
+ - parameters.originating_app_id
+ - parameters.owner
+ - parameters.owner_is_shared_drive
+ - parameters.owner_is_team_drive
+ - parameters.primary_event
+ - parameters.target_user
+ - parameters.visibility
+ - parameters.visibility_change
+ - punct
+ - source
+ - sourcetype
+ - splunk_server
+ - timestamp
+ - type
+ - unique_id
+example_log:
+ '{"type": "acl_change", "name": "change_user_access", "parameters": {"primary_event":
 true, "billable": true, "visibility_change": "none", "target_user": "alberto@internal_test_email.com", "old_value": ["none"], "new_value": ["can_edit"], "old_visibility": "private", "doc_id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "doc_type": "spreadsheet", "is_encrypted":
diff --git a/data_sources/g_suite_gmail.yml b/data_sources/g_suite_gmail.yml
index 7f628c7174..159ec55541 100644
--- a/data_sources/g_suite_gmail.yml
+++ b/data_sources/g_suite_gmail.yml
@@ -1,87 +1,88 @@
 name: G Suite Gmail
 id: 706c3978-41de-406b-b6e0-75bd01e12a5d
 version: 1
-date: '2024-07-18'
+date: "2024-07-18"
 author: Patrick Bareiss, Splunk
 description: Data source object for G Suite Gmail
 source: http:gsuite
 sourcetype: gsuite:gmail:bigquery
 supported_TA:
-- name: Splunk Add-on for Google Workspace
- url: https://splunkbase.splunk.com/app/5556
- version: 3.0.2
+ - name: Splunk Add-on for Google Workspace
+ url: https://splunkbase.splunk.com/app/5556
+ version: 3.0.3
 fields:
-- _time
-- action_type
-- attachment{}.file_extension_type
-- attachment{}.malware_family
-- attachment{}.sha256
-- connection_info.authenticated_domain{}.name
-- connection_info.authenticated_domain{}.type
-- connection_info.client_host_zone
-- connection_info.client_ip
-- connection_info.dkim_pass
-- connection_info.dmarc_pass
-- connection_info.dmarc_published_domain
-- connection_info.ip_geo_city
-- connection_info.ip_geo_country
-- connection_info.is_internal
-- connection_info.is_intra_domain
-- connection_info.smtp_in_connect_ip
-- connection_info.smtp_out_connect_ip
-- connection_info.smtp_out_remote_host
-- connection_info.smtp_reply_code
-- connection_info.smtp_response_reason
-- connection_info.smtp_tls_cipher
-- connection_info.smtp_tls_state
-- connection_info.smtp_tls_version
-- connection_info.smtp_user_agent_ip
-- connection_info.spf_pass
-- connection_info.tls_required_but_unavailable
-- description
-- destination{}.address
-- destination{}.rcpt_response
-- destination{}.selector
-- destination{}.service
-- destination{}.smime_decryption_success
-- destination{}.smime_extraction_success
-- destination{}.smime_parsing_success
-- destination{}.smime_signature_verification_success
-- eventtype
-- flattened_destinations
-- flattened_triggered_rule_info
-- host
-- index
-- is_policy_check_for_sender
-- is_spam
-- linecount
-- message_set{}.type
-- num_message_attachments
-- payload_size
-- punct
-- rfc2822_message_id
-- smime_content_type
-- smime_encrypt_message
-- smime_extraction_success
-- smime_packaging_success
-- smime_sign_message
-- smtp_relay_error
-- source
-- source.address
-- source.from_header_address
-- source.from_header_displayname
-- source.selector
-- source.service
-- sourcetype
-- spam_info
-- splunk_server
-- structured_policy_log_info
-- subject
-- tag
-- tag::eventtype
-- timestamp
-- upload_error_category
-example_log: '{"action_type": 10, "rfc2822_message_id": "",
+ - _time
+ - action_type
+ - attachment{}.file_extension_type
+ - attachment{}.malware_family
+ - attachment{}.sha256
+ - connection_info.authenticated_domain{}.name
+ - connection_info.authenticated_domain{}.type
+ - connection_info.client_host_zone
+ - connection_info.client_ip
+ - connection_info.dkim_pass
+ - connection_info.dmarc_pass
+ - connection_info.dmarc_published_domain
+ - connection_info.ip_geo_city
+ - connection_info.ip_geo_country
+ - connection_info.is_internal
+ - connection_info.is_intra_domain
+ - connection_info.smtp_in_connect_ip
+ - connection_info.smtp_out_connect_ip
+ - connection_info.smtp_out_remote_host
+ - connection_info.smtp_reply_code
+ - connection_info.smtp_response_reason
+ - connection_info.smtp_tls_cipher
+ - connection_info.smtp_tls_state
+ - connection_info.smtp_tls_version
+ - connection_info.smtp_user_agent_ip
+ - connection_info.spf_pass
+ - connection_info.tls_required_but_unavailable
+ - description
+ - destination{}.address
+ - destination{}.rcpt_response
+ - destination{}.selector
+ - destination{}.service
+ - destination{}.smime_decryption_success
+ - destination{}.smime_extraction_success
+ - destination{}.smime_parsing_success
+ - destination{}.smime_signature_verification_success
+ - eventtype
+ - flattened_destinations
+ - flattened_triggered_rule_info
+ - host
+ - index
+ - is_policy_check_for_sender
+ - is_spam
+ - linecount
+ - message_set{}.type
+ - num_message_attachments
+ - payload_size
+ - punct
+ - rfc2822_message_id
+ - smime_content_type
+ - smime_encrypt_message
+ - smime_extraction_success
+ - smime_packaging_success
+ - smime_sign_message
+ - smtp_relay_error
+ - source
+ - source.address
+ - source.from_header_address
+ - source.from_header_displayname
+ - source.selector
+ - source.service
+ - sourcetype
+ - spam_info
+ - splunk_server
+ - structured_policy_log_info
+ - subject
+ - tag
+ - tag::eventtype
+ - timestamp
+ - upload_error_category
+example_log:
+ '{"action_type": 10, "rfc2822_message_id": "",
 "subject": "New Order DHL0000001 - Dummy email for Detection Development", "payload_size": 6733, "source": {"address": "john@external_test_email.com", "service": "gmail-for-work", "selector": "policy", "from_header_address": "john@external_test_email.com", "from_header_displayname":
diff --git a/data_sources/google_workspace.yml b/data_sources/google_workspace.yml
index dfd7476a0b..1e651b883e 100644
--- a/data_sources/google_workspace.yml
+++ b/data_sources/google_workspace.yml
@@ -1,101 +1,101 @@
 name: Google Workspace
 id: f1a044e3-113a-4e4d-84f2-b153ade83087
 version: 1
-date: '2025-02-21'
+date: "2025-02-21"
 author: Bhavin Patel, Splunk
 description: Data source object for Google Workspace
 source: google_workspace
 sourcetype: gws:reports:login
 supported_TA:
-- name: Splunk Add-on for Google Workspace
- url: https://splunkbase.splunk.com/app/5556
- version: 3.0.2
+ - name: Splunk Add-on for Google Workspace
+ url: https://splunkbase.splunk.com/app/5556
+ version: 3.0.3
 fields:
-- action
-- actor.callerType
-- actor.email
-- actor.profileId
-- app
-- change_type
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dest_url
-- dvc
-- email
-- etag
-- event.name
-- event.parameters{}.name
-- event.parameters{}.value
-- event.type
-- eventtype
-- filter_action
-- host
-- id.applicationName
-- id.customerId
-- id.time
-- id.uniqueQualifier
-- index
-- internal_message_id
-- ipAddress
-- kind
-- linecount
-- message_id
-- object
-- object_attrs
-- object_category
-- object_id
-- object_path
-- owner
-- owner_email
-- protocol
-- punct
-- result
-- result_id
-- signature_extra
-- source
-- sourcetype
-- splunk_server
-- splunk_server_group
-- src
-- src_user
-- src_user_id
-- src_user_name
-- src_user_type
-- status
-- tag
-- tag::action
-- tag::app
-- tag::eventtype
-- tag::object_category
-- tenant_id
-- timeendpos
-- timestartpos
-- user
-- user_email
-- user_email_extracted
-- user_id
-- user_name
-- user_type
-- vendor_account
-- vendor_product
-- _bkt
-- _cd
-- _eventtype_color
-- _indextime
-- _raw
-- _serial
-- _si
-- _sourcetype
-- _subsecond
-- _time
+ - action
+ - actor.callerType
+ - actor.email
+ - actor.profileId
+ - app
+ - change_type
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dest_url
+ - dvc
+ - email
+ - etag
+ - event.name
+ - event.parameters{}.name
+ - event.parameters{}.value
+ - event.type
+ - eventtype
+ - filter_action
+ - host
+ - id.applicationName
+ - id.customerId
+ - id.time
+ - id.uniqueQualifier
+ - index
+ - internal_message_id
+ - ipAddress
+ - kind
+ - linecount
+ - message_id
+ - object
+ - object_attrs
+ - object_category
+ - object_id
+ - object_path
+ - owner
+ - owner_email
+ - protocol
+ - punct
+ - result
+ - result_id
+ - signature_extra
+ - source
+ - sourcetype
+ - splunk_server
+ - splunk_server_group
+ - src
+ - src_user
+ - src_user_id
+ - src_user_name
+ - src_user_type
+ - status
+ - tag
+ - tag::action
+ - tag::app
+ - tag::eventtype
+ - tag::object_category
+ - tenant_id
+ - timeendpos
+ - timestartpos
+ - user
+ - user_email
+ - user_email_extracted
+ - user_id
+ - user_name
+ - user_type
+ - vendor_account
+ - vendor_product
+ - _bkt
+ - _cd
+ - _eventtype_color
+ - _indextime
+ - _raw
+ - _serial
+ - _si
+ - _sourcetype
+ - _subsecond
+ - _time
 example_log: |-
- "kind": "admin#reports#activity", "id": {"time": "2022-10-12T18:00:23.093Z", "uniqueQualifier": "-7844406841853338111", "applicationName": "admin", "customerId": "C046r85ir"}, "etag": "\"JCPRxFaiNR1s5TJ6ecIH8OpGdY4efiOYXbIB65itOzY/afZBU3WDeiuPqFyleWyTnwyU3fE\"", "actor": {"callerType": "USER", "email": "evil_admin@splunkresearch.com", "profileId": "100059258581444193973"}, "ipAddress": "22.33.111.55", "event": {"type": "USER_SETTINGS", "name": "UNENROLL_USER_FROM_STRONG_AUTH", "parameters": [{"name": "USER_EMAIL", "value": "victim_user@splunkresearch.com"}]}}
\ No newline at end of file
+ "kind": "admin#reports#activity", "id": {"time": "2022-10-12T18:00:23.093Z", "uniqueQualifier": "-7844406841853338111", "applicationName": "admin", "customerId": "C046r85ir"}, "etag": "\"JCPRxFaiNR1s5TJ6ecIH8OpGdY4efiOYXbIB65itOzY/afZBU3WDeiuPqFyleWyTnwyU3fE\"", "actor": {"callerType": "USER", "email": "evil_admin@splunkresearch.com", "profileId": "100059258581444193973"}, "ipAddress": "22.33.111.55", "event": {"type": "USER_SETTINGS", "name": "UNENROLL_USER_FROM_STRONG_AUTH", "parameters": [{"name": "USER_EMAIL", "value": "victim_user@splunkresearch.com"}]}}
diff --git a/data_sources/google_workspace_login_failure.yml b/data_sources/google_workspace_login_failure.yml
index 11f79d2ad5..aeebca2cd8 100644
--- a/data_sources/google_workspace_login_failure.yml
+++ b/data_sources/google_workspace_login_failure.yml
@@ -1,53 +1,54 @@
 name: Google Workspace login_failure
 id: cabec7cf-4008-4899-b47e-39c34a9a1255
 version: 1
-date: '2024-07-18'
+date: "2024-07-18"
 author: Patrick Bareiss, Splunk
 description: Data source object for Google Workspace login_failure
 source: gws:reports:admin
 sourcetype: gws:reports:admin
 separator: event.name
 supported_TA:
-- name: Splunk Add-on for Google Workspace
- url: https://splunkbase.splunk.com/app/5556
- version: 3.0.2
+ - name: Splunk Add-on for Google Workspace
+ url: https://splunkbase.splunk.com/app/5556
+ version: 3.0.3
 fields:
-- _time
-- actor.email
-- actor.profileId
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- etag
-- event.name
-- event.parameters{}.multiValue{}
-- event.parameters{}.name
-- event.parameters{}.value
-- event.type
-- eventtype
-- host
-- id.applicationName
-- id.customerId
-- id.time
-- id.uniqueQualifier
-- index
-- ipAddress
-- kind
-- linecount
-- punct
-- source
-- sourcetype
-- splunk_server
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-example_log: '{"kind": "admin#reports#activity", "id": {"time": "2022-10-12T01:05:35.119Z",
+ - _time
+ - actor.email
+ - actor.profileId
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - etag
+ - event.name
+ - event.parameters{}.multiValue{}
+ - event.parameters{}.name
+ - event.parameters{}.value
+ - event.type
+ - eventtype
+ - host
+ - id.applicationName
+ - id.customerId
+ - id.time
+ - id.uniqueQualifier
+ - index
+ - ipAddress
+ - kind
+ - linecount
+ - punct
+ - source
+ - sourcetype
+ - splunk_server
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+example_log:
+ '{"kind": "admin#reports#activity", "id": {"time": "2022-10-12T01:05:35.119Z",
 "uniqueQualifier": "720229394436", "applicationName": "login", "customerId": "C046r85ir"}, "etag": "\"JCPRxFaiNR1s5TJ6ecIH8OpGdY4efiOYXbIB65itOzY/_lixtTooT11WXorGf6w6ElN0m0g\"", "actor": {"email": "user29@daftpunk.com", "profileId": "114679690119024644513"},
diff --git a/data_sources/google_workspace_login_success.yml b/data_sources/google_workspace_login_success.yml
index 4a2bd0308c..2352174a50 100644
--- a/data_sources/google_workspace_login_success.yml
+++ b/data_sources/google_workspace_login_success.yml
@@ -1,51 +1,52 @@ name: Google Workspace login_success id: bffe8013-9cdf-4fe6-9c1b-6784391a4951 version: 1 -date: '2024-07-18' +date: "2024-07-18" author: Patrick Bareiss, Splunk description: Data source object for Google Workspace login_success source: gws:reports:admin sourcetype: gws:reports:admin separator: event.name supported_TA: -- name: Splunk Add-on for Google Workspace - url: https://splunkbase.splunk.com/app/5556 - version: 3.0.2 + - name: Splunk Add-on for Google Workspace + url: https://splunkbase.splunk.com/app/5556 + version: 3.0.3 fields: -- _time -- actor.email -- actor.profileId -- date_hour -- date_mday -- date_minute -- date_month -- date_second -- date_wday -- date_year -- date_zone -- etag -- event.name -- event.parameters{}.boolValue -- event.parameters{}.multiValue{} -- event.parameters{}.name -- event.parameters{}.value -- event.type -- host -- id.applicationName -- id.customerId -- id.time -- id.uniqueQualifier -- index -- ipAddress -- kind -- linecount -- punct -- source -- sourcetype -- splunk_server -- timeendpos -- timestartpos -example_log: '{"kind": "admin#reports#activity", "id": {"time": "2022-10-13T20:57:35.833Z", + - _time + - actor.email + - actor.profileId + - date_hour + - date_mday + - date_minute + - date_month + - date_second + - date_wday + - date_year + - date_zone + - etag + - event.name + - event.parameters{}.boolValue + - event.parameters{}.multiValue{} + - event.parameters{}.name + - event.parameters{}.value + - event.type + - host + - id.applicationName + - id.customerId + - id.time + - id.uniqueQualifier + - index + - ipAddress + - kind + - linecount + - punct + - source + - sourcetype + - splunk_server + - timeendpos + - timestartpos +example_log: + '{"kind": "admin#reports#activity", "id": {"time": "2022-10-13T20:57:35.833Z", "uniqueQualifier": "437744618349", "applicationName": "login", "customerId": "C046r85ir"}, "etag": "\"JCPRxFaiNR1s5TJ6ecIH8OpGdY4efiOYXbIB65itOzY/OgAbD-Tz8hSD1vUJWw7NLiJ5SF4\"", "actor": 
{"email": "user1@splunkresearch.com", "profileId": "112184723778873345717"}, diff --git a/data_sources/o365.yml b/data_sources/o365.yml index 8102ea7c9f..b06665d82c 100644 --- a/data_sources/o365.yml +++ b/data_sources/o365.yml @@ -1,13 +1,13 @@ name: O365 id: b32de97d-0074-4cca-853c-db22c392b6c0 version: 1 -date: '2024-07-18' +date: "2024-07-18" author: Patrick Bareiss, Splunk description: Data source object for O365. source: o365 sourcetype: o365:management:activity separator: Operation supported_TA: -- name: Splunk Add-on for Microsoft Office 365 - url: https://splunkbase.splunk.com/app/4055 - version: 4.7.0 + - name: Splunk Add-on for Microsoft Office 365 + url: https://splunkbase.splunk.com/app/4055 + version: 4.8.0 diff --git a/data_sources/o365_add_app_role_assignment_grant_to_user_.yml b/data_sources/o365_add_app_role_assignment_grant_to_user_.yml index 89ececa0d0..09275b6a53 100644 --- a/data_sources/o365_add_app_role_assignment_grant_to_user_.yml +++ b/data_sources/o365_add_app_role_assignment_grant_to_user_.yml 
@@ -1,87 +1,88 @@ name: O365 Add app role assignment grant to user. id: ce1d7849-a1d2-47fd-b6eb-d7ef854a860c version: 1 -date: '2024-07-18' +date: "2024-07-18" author: Patrick Bareiss, Splunk description: Data source object for O365 Add app role assignment grant to user. source: o365 sourcetype: o365:management:activity separator: Operation supported_TA: -- name: Splunk Add-on for Microsoft Office 365 - url: https://splunkbase.splunk.com/app/4055 - version: 4.7.0 + - name: Splunk Add-on for Microsoft Office 365 + url: https://splunkbase.splunk.com/app/4055 + version: 4.8.0 fields: -- _time -- ActorContextId -- ActorIpAddress -- Actor{}.ID -- Actor{}.Type -- AzureActiveDirectoryEventType -- ClientIP -- CreationTime -- ExtendedProperties{}.Name -- ExtendedProperties{}.Value -- Id -- InterSystemsId -- IntraSystemId -- ModifiedProperties{}.Name -- ModifiedProperties{}.NewValue -- ModifiedProperties{}.OldValue -- ObjectId -- Operation -- OrganizationId -- RecordType -- ResultStatus -- SupportTicketId -- TargetContextId -- Target{}.ID -- Target{}.Type -- UserId -- UserKey -- UserType -- Version -- Workload -- additionalDetails -- app -- authentication_service -- command -- date_hour -- date_mday -- date_minute -- date_month -- date_second -- date_wday -- date_year -- date_zone -- dest -- dest_name -- dvc -- event_type -- extendedAuditEventCategory -- extended_properties -- host -- index -- linecount -- object -- punct -- record_type -- signature -- source -- sourcetype -- splunk_server -- src -- src_ip -- src_user -- status -- timeendpos -- timestartpos -- user -- user_id -- user_type -- vendor_account -- vendor_product -example_log: '{"Actor": [{"ID": "rodsoto@rodsoto.onmicrosoft.com", "Type": 5}, {"ID": + - _time + - ActorContextId + - ActorIpAddress + - Actor{}.ID + - Actor{}.Type + - AzureActiveDirectoryEventType + - ClientIP + - CreationTime + - ExtendedProperties{}.Name + - ExtendedProperties{}.Value + - Id + - InterSystemsId + - IntraSystemId + - 
ModifiedProperties{}.Name + - ModifiedProperties{}.NewValue + - ModifiedProperties{}.OldValue + - ObjectId + - Operation + - OrganizationId + - RecordType + - ResultStatus + - SupportTicketId + - TargetContextId + - Target{}.ID + - Target{}.Type + - UserId + - UserKey + - UserType + - Version + - Workload + - additionalDetails + - app + - authentication_service + - command + - date_hour + - date_mday + - date_minute + - date_month + - date_second + - date_wday + - date_year + - date_zone + - dest + - dest_name + - dvc + - event_type + - extendedAuditEventCategory + - extended_properties + - host + - index + - linecount + - object + - punct + - record_type + - signature + - source + - sourcetype + - splunk_server + - src + - src_ip + - src_user + - status + - timeendpos + - timestartpos + - user + - user_id + - user_type + - vendor_account + - vendor_product +example_log: + '{"Actor": [{"ID": "rodsoto@rodsoto.onmicrosoft.com", "Type": 5}, {"ID": "10037FFEA938FB92", "Type": 3}, {"ID": "74658136-14ec-4630-ad9b-26e160ff0fc6", "Type": 2}, {"ID": "User_bfb8c366-0406-41a5-b3e3-328f4a3b4484", "Type": 2}, {"ID": "bfb8c366-0406-41a5-b3e3-328f4a3b4484", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", diff --git a/data_sources/o365_add_app_role_assignment_to_service_principal_.yml b/data_sources/o365_add_app_role_assignment_to_service_principal_.yml index 365604ba84..15e777bb8f 100644 --- a/data_sources/o365_add_app_role_assignment_to_service_principal_.yml +++ b/data_sources/o365_add_app_role_assignment_to_service_principal_.yml 
@@ -1,86 +1,87 @@ name: O365 Add app role assignment to service principal. id: 785ba57a-ba7b-474e-97c8-9474e6e00b3a version: 1 -date: '2024-07-18' +date: "2024-07-18" author: Patrick Bareiss, Splunk description: Data source object for O365 Add app role assignment to service principal. source: o365 sourcetype: o365:management:activity separator: Operation supported_TA: -- name: Splunk Add-on for Microsoft Office 365 - url: https://splunkbase.splunk.com/app/4055 - version: 4.7.0 + - name: Splunk Add-on for Microsoft Office 365 + url: https://splunkbase.splunk.com/app/4055 + version: 4.8.0 fields: -- _time -- ActorContextId -- Actor{}.ID -- Actor{}.Type -- AzureActiveDirectoryEventType -- CreationTime -- ExtendedProperties{}.Name -- ExtendedProperties{}.Value -- Id -- InterSystemsId -- IntraSystemId -- ModifiedProperties{}.Name -- ModifiedProperties{}.NewValue -- ModifiedProperties{}.OldValue -- ObjectId -- Operation -- OrganizationId -- RecordType -- ResultStatus -- SupportTicketId -- TargetContextId -- Target{}.ID -- Target{}.Type -- UserId -- UserKey -- UserType -- Version -- Workload -- additionalDetails -- app -- authentication_service -- command -- date_hour -- date_mday -- date_minute -- date_month -- date_second -- date_wday -- date_year -- date_zone -- dest -- dest_name -- dvc -- event_type -- eventtype -- extendedAuditEventCategory -- host -- index -- linecount -- object -- punct -- record_type -- signature -- source -- sourcetype -- splunk_server -- status -- tag -- tag::eventtype -- timeendpos -- timestartpos -- user -- user_agent -- user_agent_change -- user_id -- user_type -- vendor_account -- vendor_product -example_log: '{"CreationTime": "2024-02-08T21:49:53", "Id": "a6bee61d-8b3f-42e1-b4fa-778fb05c43ac", + - _time + - ActorContextId + - Actor{}.ID + - Actor{}.Type + - AzureActiveDirectoryEventType + - CreationTime + - ExtendedProperties{}.Name + - ExtendedProperties{}.Value + - Id + - InterSystemsId + - IntraSystemId + - ModifiedProperties{}.Name + - 
ModifiedProperties{}.NewValue + - ModifiedProperties{}.OldValue + - ObjectId + - Operation + - OrganizationId + - RecordType + - ResultStatus + - SupportTicketId + - TargetContextId + - Target{}.ID + - Target{}.Type + - UserId + - UserKey + - UserType + - Version + - Workload + - additionalDetails + - app + - authentication_service + - command + - date_hour + - date_mday + - date_minute + - date_month + - date_second + - date_wday + - date_year + - date_zone + - dest + - dest_name + - dvc + - event_type + - eventtype + - extendedAuditEventCategory + - host + - index + - linecount + - object + - punct + - record_type + - signature + - source + - sourcetype + - splunk_server + - status + - tag + - tag::eventtype + - timeendpos + - timestartpos + - user + - user_agent + - user_agent_change + - user_id + - user_type + - vendor_account + - vendor_product +example_log: + '{"CreationTime": "2024-02-08T21:49:53", "Id": "a6bee61d-8b3f-42e1-b4fa-778fb05c43ac", "Operation": "Add app role assignment to service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "Not Available", "UserType": 4, "Version": 1, "Workload": "AzureActiveDirectory", diff --git a/data_sources/o365_add_mailboxpermission.yml b/data_sources/o365_add_mailboxpermission.yml index c4869abc7a..20b3dad00a 100644 --- a/data_sources/o365_add_mailboxpermission.yml +++ b/data_sources/o365_add_mailboxpermission.yml 
@@ -1,78 +1,79 @@ name: O365 Add-MailboxPermission id: 9c0babdb-bb15-449e-abba-0a9cdb3fc061 version: 1 -date: '2024-07-18' +date: "2024-07-18" author: Patrick Bareiss, Splunk description: Data source object for O365 Add-MailboxPermission source: o365 sourcetype: o365:management:activity separator: Operation supported_TA: -- name: Splunk Add-on for Microsoft Office 365 - url: https://splunkbase.splunk.com/app/4055 - version: 4.7.0 + - name: Splunk Add-on for Microsoft Office 365 + url: https://splunkbase.splunk.com/app/4055 + version: 4.8.0 fields: -- _time -- AccessRights -- AppId -- ClientAppId -- ClientIP -- CreationTime -- ExternalAccess -- Id -- Identity -- InheritanceType -- ObjectId -- Operation -- OrganizationId -- OrganizationName -- OriginatingServer -- Parameters{}.Name -- Parameters{}.Value -- RecordType -- ResultStatus -- SessionId -- User -- UserId -- UserKey -- UserType -- Version -- Workload -- app -- authentication_service -- command -- date_hour -- date_mday -- date_minute -- date_month -- date_second -- date_wday -- date_year -- date_zone -- dest -- dest_name -- dvc -- host -- index -- linecount -- object -- punct -- record_type -- signature -- source -- sourcetype -- splunk_server -- src -- src_ip -- status -- timeendpos -- timestartpos -- user -- user_id -- user_type -- vendor_account -- vendor_product -example_log: '{"AppId": "", "ClientAppId": "", "ClientIP": "18.159.234.121:30395", + - _time + - AccessRights + - AppId + - ClientAppId + - ClientIP + - CreationTime + - ExternalAccess + - Id + - Identity + - InheritanceType + - ObjectId + - Operation + - OrganizationId + - OrganizationName + - OriginatingServer + - Parameters{}.Name + - Parameters{}.Value + - RecordType + - ResultStatus + - SessionId + - User + - UserId + - UserKey + - UserType + - Version + - Workload + - app + - authentication_service + - command + - date_hour + - date_mday + - date_minute + - date_month + - date_second + - date_wday + - date_year + - date_zone + - dest + - 
dest_name + - dvc + - host + - index + - linecount + - object + - punct + - record_type + - signature + - source + - sourcetype + - splunk_server + - src + - src_ip + - status + - timeendpos + - timestartpos + - user + - user_id + - user_type + - vendor_account + - vendor_product +example_log: + '{"AppId": "", "ClientAppId": "", "ClientIP": "18.159.234.121:30395", "CreationTime": "2020-12-15T10:18:53", "ExternalAccess": false, "Id": "bb6e31a3-e98f-493d-bbff-08d8a0e2d2b0", "ObjectId": "jhernan", "Operation": "Add-MailboxPermission", "OrganizationId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "OrganizationName": "rodsoto.onmicrosoft.com", "OriginatingServer": "PH0PR14MB4341 diff --git a/data_sources/o365_add_member_to_role_.yml b/data_sources/o365_add_member_to_role_.yml index c2403e0b25..c5062b29cf 100644 --- a/data_sources/o365_add_member_to_role_.yml +++ b/data_sources/o365_add_member_to_role_.yml 
@@ -1,89 +1,90 @@ name: O365 Add member to role. id: 8b949f7c-4b5d-404f-9694-d7403c4ec096 version: 1 -date: '2024-07-18' +date: "2024-07-18" author: Patrick Bareiss, Splunk description: Data source object for O365 Add member to role. source: o365 sourcetype: o365:management:activity separator: Operation supported_TA: -- name: Splunk Add-on for Microsoft Office 365 - url: https://splunkbase.splunk.com/app/4055 - version: 4.7.0 + - name: Splunk Add-on for Microsoft Office 365 + url: https://splunkbase.splunk.com/app/4055 + version: 4.8.0 fields: -- _time -- ActorContextId -- Actor{}.ID -- Actor{}.Type -- AzureActiveDirectoryEventType -- CreationTime -- ExtendedProperties{}.Name -- ExtendedProperties{}.Value -- Id -- InterSystemsId -- IntraSystemId -- ModifiedProperties{}.Name -- ModifiedProperties{}.NewValue -- ModifiedProperties{}.OldValue -- ObjectId -- Operation -- OrganizationId -- RecordType -- ResultStatus -- SupportTicketId -- TargetContextId -- Target{}.ID -- Target{}.Type -- UserId -- UserKey -- UserType -- Version -- Workload -- action -- additionalDetails -- app -- authentication_service -- change_type -- command -- dataset_name -- date_hour -- date_mday -- date_minute -- date_month -- date_second -- date_wday -- date_year -- date_zone -- dest -- dest_name -- dvc -- event_type -- eventtype -- extendedAuditEventCategory -- host -- index -- linecount -- object -- object_attrs -- object_category -- punct -- record_type -- signature -- source -- sourcetype -- splunk_server -- status -- tag -- tag::eventtype -- timeendpos -- timestartpos -- user -- user_id -- user_type -- vendor_account -- vendor_product -example_log: '{"CreationTime": "2023-10-20T16:50:46", "Id": "30a8b107-b190-406c-9b80-c3f5c3a29129", + - _time + - ActorContextId + - Actor{}.ID + - Actor{}.Type + - AzureActiveDirectoryEventType + - CreationTime + - ExtendedProperties{}.Name + - ExtendedProperties{}.Value + - Id + - InterSystemsId + - IntraSystemId + - ModifiedProperties{}.Name + - 
ModifiedProperties{}.NewValue + - ModifiedProperties{}.OldValue + - ObjectId + - Operation + - OrganizationId + - RecordType + - ResultStatus + - SupportTicketId + - TargetContextId + - Target{}.ID + - Target{}.Type + - UserId + - UserKey + - UserType + - Version + - Workload + - action + - additionalDetails + - app + - authentication_service + - change_type + - command + - dataset_name + - date_hour + - date_mday + - date_minute + - date_month + - date_second + - date_wday + - date_year + - date_zone + - dest + - dest_name + - dvc + - event_type + - eventtype + - extendedAuditEventCategory + - host + - index + - linecount + - object + - object_attrs + - object_category + - punct + - record_type + - signature + - source + - sourcetype + - splunk_server + - status + - tag + - tag::eventtype + - timeendpos + - timestartpos + - user + - user_id + - user_type + - vendor_account + - vendor_product +example_log: + '{"CreationTime": "2023-10-20T16:50:46", "Id": "30a8b107-b190-406c-9b80-c3f5c3a29129", "Operation": "Add member to role.", "OrganizationId": "d8211c86-3244-409b-8c4f-ae27ed34b4a5", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "lowpriv@splunkresearch.onmicrosoft.com", diff --git a/data_sources/o365_add_owner_to_application_.yml b/data_sources/o365_add_owner_to_application_.yml index fdeccc791b..ace4a4d498 100644 --- a/data_sources/o365_add_owner_to_application_.yml +++ b/data_sources/o365_add_owner_to_application_.yml 
@@ -1,91 +1,92 @@ name: O365 Add owner to application. id: da012cbf-af6e-40ee-a1ba-32a5f8da8f8a version: 1 -date: '2024-07-18' +date: "2024-07-18" author: Patrick Bareiss, Splunk description: Data source object for O365 Add owner to application. source: o365 sourcetype: o365:management:activity separator: Operation supported_TA: -- name: Splunk Add-on for Microsoft Office 365 - url: https://splunkbase.splunk.com/app/4055 - version: 4.7.0 + - name: Splunk Add-on for Microsoft Office 365 + url: https://splunkbase.splunk.com/app/4055 + version: 4.8.0 fields: -- _time -- ActorContextId -- Actor{}.ID -- Actor{}.Type -- AzureActiveDirectoryEventType -- CreationTime -- ExtendedProperties{}.Name -- ExtendedProperties{}.Value -- Id -- InterSystemsId -- IntraSystemId -- ModifiedProperties{}.Name -- ModifiedProperties{}.NewValue -- ModifiedProperties{}.OldValue -- ObjectId -- Operation -- OrganizationId -- RecordType -- ResultStatus -- SupportTicketId -- TargetContextId -- Target{}.ID -- Target{}.Type -- UserId -- UserKey -- UserType -- Version -- Workload -- action -- additionalDetails -- app -- authentication_service -- change_type -- command -- dataset_name -- date_hour -- date_mday -- date_minute -- date_month -- date_second -- date_wday -- date_year -- date_zone -- dest -- dest_name -- dvc -- event_type -- eventtype -- extendedAuditEventCategory -- host -- index -- linecount -- object -- object_attrs -- object_category -- punct -- record_type -- signature -- source -- sourcetype -- splunk_server -- status -- tag -- tag::eventtype -- timeendpos -- timestartpos -- user -- user_agent -- user_agent_change -- user_id -- user_type -- vendor_account -- vendor_product -example_log: '{"CreationTime": "2023-09-07T13:42:04", "Id": "6e2c723b-8f6e-47f4-8c60-fa23ef3fccee", + - _time + - ActorContextId + - Actor{}.ID + - Actor{}.Type + - AzureActiveDirectoryEventType + - CreationTime + - ExtendedProperties{}.Name + - ExtendedProperties{}.Value + - Id + - InterSystemsId + - 
IntraSystemId + - ModifiedProperties{}.Name + - ModifiedProperties{}.NewValue + - ModifiedProperties{}.OldValue + - ObjectId + - Operation + - OrganizationId + - RecordType + - ResultStatus + - SupportTicketId + - TargetContextId + - Target{}.ID + - Target{}.Type + - UserId + - UserKey + - UserType + - Version + - Workload + - action + - additionalDetails + - app + - authentication_service + - change_type + - command + - dataset_name + - date_hour + - date_mday + - date_minute + - date_month + - date_second + - date_wday + - date_year + - date_zone + - dest + - dest_name + - dvc + - event_type + - eventtype + - extendedAuditEventCategory + - host + - index + - linecount + - object + - object_attrs + - object_category + - punct + - record_type + - signature + - source + - sourcetype + - splunk_server + - status + - tag + - tag::eventtype + - timeendpos + - timestartpos + - user + - user_agent + - user_agent_change + - user_id + - user_type + - vendor_account + - vendor_product +example_log: + '{"CreationTime": "2023-09-07T13:42:04", "Id": "6e2c723b-8f6e-47f4-8c60-fa23ef3fccee", "Operation": "Add owner to application.", "OrganizationId": "48203edf-5d2c-45f2-8123-a368cc8b0e51", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@contoso.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "user2@contoso.onmicrosoft.com", diff --git a/data_sources/o365_add_service_principal_.yml b/data_sources/o365_add_service_principal_.yml index ae338dcc71..15de07e91e 100644 --- a/data_sources/o365_add_service_principal_.yml +++ b/data_sources/o365_add_service_principal_.yml 
@@ -1,91 +1,92 @@ name: O365 Add service principal. id: 9c1ef9f5-bc30-4a47-a1bd-cb34484ee778 version: 1 -date: '2024-07-18' +date: "2024-07-18" author: Patrick Bareiss, Splunk description: Data source object for O365 Add service principal. source: o365 sourcetype: o365:management:activity separator: Operation supported_TA: -- name: Splunk Add-on for Microsoft Office 365 - url: https://splunkbase.splunk.com/app/4055 - version: 4.7.0 + - name: Splunk Add-on for Microsoft Office 365 + url: https://splunkbase.splunk.com/app/4055 + version: 4.8.0 fields: -- _time -- ActorContextId -- Actor{}.ID -- Actor{}.Type -- AzureActiveDirectoryEventType -- CreationTime -- ExtendedProperties{}.Name -- ExtendedProperties{}.Value -- Id -- InterSystemsId -- IntraSystemId -- ModifiedProperties{}.Name -- ModifiedProperties{}.NewValue -- ModifiedProperties{}.OldValue -- ObjectId -- Operation -- OrganizationId -- RecordType -- ResultStatus -- SupportTicketId -- TargetContextId -- Target{}.ID -- Target{}.Type -- UserId -- UserKey -- UserType -- Version -- Workload -- action -- additionalDetails -- app -- authentication_service -- change_type -- command -- dataset_name -- date_hour -- date_mday -- date_minute -- date_month -- date_second -- date_wday -- date_year -- date_zone -- dest -- dest_name -- dvc -- event_type -- eventtype -- extendedAuditEventCategory -- host -- index -- linecount -- object_attrs -- object_category -- punct -- record_type -- signature -- source -- sourcetype -- splunk_server -- src_user -- status -- tag -- tag::eventtype -- timeendpos -- timestartpos -- user -- user_agent -- user_agent_change -- user_id -- user_type -- vendor_account -- vendor_product -example_log: '{"CreationTime": "2024-02-07T22:31:14", "Id": "f624ed92-b4a2-4d42-aa8b-20a261d06b7f", + - _time + - ActorContextId + - Actor{}.ID + - Actor{}.Type + - AzureActiveDirectoryEventType + - CreationTime + - ExtendedProperties{}.Name + - ExtendedProperties{}.Value + - Id + - InterSystemsId + - IntraSystemId + 
- ModifiedProperties{}.Name + - ModifiedProperties{}.NewValue + - ModifiedProperties{}.OldValue + - ObjectId + - Operation + - OrganizationId + - RecordType + - ResultStatus + - SupportTicketId + - TargetContextId + - Target{}.ID + - Target{}.Type + - UserId + - UserKey + - UserType + - Version + - Workload + - action + - additionalDetails + - app + - authentication_service + - change_type + - command + - dataset_name + - date_hour + - date_mday + - date_minute + - date_month + - date_second + - date_wday + - date_year + - date_zone + - dest + - dest_name + - dvc + - event_type + - eventtype + - extendedAuditEventCategory + - host + - index + - linecount + - object_attrs + - object_category + - punct + - record_type + - signature + - source + - sourcetype + - splunk_server + - src_user + - status + - tag + - tag::eventtype + - timeendpos + - timestartpos + - user + - user_agent + - user_agent_change + - user_id + - user_type + - vendor_account + - vendor_product +example_log: + '{"CreationTime": "2024-02-07T22:31:14", "Id": "f624ed92-b4a2-4d42-aa8b-20a261d06b7f", "Operation": "Add service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "e06366ca-8489-4748-b6a2-d7e4332f45c1", diff --git a/data_sources/o365_change_user_license_.yml b/data_sources/o365_change_user_license_.yml index 17222c9261..64819e33f5 100644 --- a/data_sources/o365_change_user_license_.yml +++ b/data_sources/o365_change_user_license_.yml 
@@ -1,87 +1,88 @@ name: O365 Change user license. id: 1029a20d-3d0d-4fb9-b5e2-22ac5380b20a version: 1 -date: '2024-07-18' +date: "2024-07-18" author: Patrick Bareiss, Splunk description: Data source object for O365 Change user license. source: o365 sourcetype: o365:management:activity separator: Operation supported_TA: -- name: Splunk Add-on for Microsoft Office 365 - url: https://splunkbase.splunk.com/app/4055 - version: 4.7.0 + - name: Splunk Add-on for Microsoft Office 365 + url: https://splunkbase.splunk.com/app/4055 + version: 4.8.0 fields: -- _time -- ActorContextId -- Actor{}.ID -- Actor{}.Type -- AzureActiveDirectoryEventType -- CreationTime -- ExtendedProperties{}.Name -- ExtendedProperties{}.Value -- Id -- InterSystemsId -- IntraSystemId -- ObjectId -- Operation -- OrganizationId -- RecordType -- ResultStatus -- SupportTicketId -- TargetContextId -- Target{}.ID -- Target{}.Type -- UserId -- UserKey -- UserType -- Version -- Workload -- action -- additionalDetails -- app -- authentication_service -- change_type -- command -- dataset_name -- date_hour -- date_mday -- date_minute -- date_month -- date_second -- date_wday -- date_year -- date_zone -- dest -- dest_name -- dvc -- event_type -- eventtype -- extendedAuditEventCategory -- host -- index -- linecount -- object -- object_attrs -- object_category -- punct -- record_type -- signature -- source -- sourcetype -- splunk_server -- src_user -- status -- tag -- tag::eventtype -- timeendpos -- timestartpos -- user -- user_id -- user_type -- vendor_account -- vendor_product -example_log: '{"CreationTime": "2023-09-11T15:55:46", "Id": "1e39f32d-081d-4494-994a-533b57f91df7", + - _time + - ActorContextId + - Actor{}.ID + - Actor{}.Type + - AzureActiveDirectoryEventType + - CreationTime + - ExtendedProperties{}.Name + - ExtendedProperties{}.Value + - Id + - InterSystemsId + - IntraSystemId + - ObjectId + - Operation + - OrganizationId + - RecordType + - ResultStatus + - SupportTicketId + - TargetContextId + - 
Target{}.ID + - Target{}.Type + - UserId + - UserKey + - UserType + - Version + - Workload + - action + - additionalDetails + - app + - authentication_service + - change_type + - command + - dataset_name + - date_hour + - date_mday + - date_minute + - date_month + - date_second + - date_wday + - date_year + - date_zone + - dest + - dest_name + - dvc + - event_type + - eventtype + - extendedAuditEventCategory + - host + - index + - linecount + - object + - object_attrs + - object_category + - punct + - record_type + - signature + - source + - sourcetype + - splunk_server + - src_user + - status + - tag + - tag::eventtype + - timeendpos + - timestartpos + - user + - user_id + - user_type + - vendor_account + - vendor_product +example_log: + '{"CreationTime": "2023-09-11T15:55:46", "Id": "1e39f32d-081d-4494-994a-533b57f91df7", "Operation": "Change user license.", "OrganizationId": "bbad9541-eb53-4533-bcef-2b76182c3b75", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "victimUser@splunkresearch.onmicrosoft.com", diff --git a/data_sources/o365_consent_to_application_.yml b/data_sources/o365_consent_to_application_.yml index 4b96c68d96..c26fb96c4f 100644 --- a/data_sources/o365_consent_to_application_.yml +++ b/data_sources/o365_consent_to_application_.yml 
@@ -1,83 +1,84 @@ name: O365 Consent to application. id: 0a15a464-ef51-4614-9a07-a216eb9817db version: 1 -date: '2024-07-18' +date: "2024-07-18" author: Patrick Bareiss, Splunk description: Data source object for O365 Consent to application. source: o365 sourcetype: o365:management:activity separator: Operation supported_TA: -- name: Splunk Add-on for Microsoft Office 365 - url: https://splunkbase.splunk.com/app/4055 - version: 4.7.0 + - name: Splunk Add-on for Microsoft Office 365 + url: https://splunkbase.splunk.com/app/4055 + version: 4.8.0 fields: -- _time -- ActorContextId -- Actor{}.ID -- Actor{}.Type -- AzureActiveDirectoryEventType -- CreationTime -- ExtendedProperties{}.Name -- ExtendedProperties{}.Value -- Id -- InterSystemsId -- IntraSystemId -- ModifiedProperties{}.Name -- ModifiedProperties{}.NewValue -- ModifiedProperties{}.OldValue -- ObjectId -- Operation -- OrganizationId -- RecordType -- ResultStatus -- SupportTicketId -- TargetContextId -- Target{}.ID -- Target{}.Type -- UserId -- UserKey -- UserType -- Version -- Workload -- additionalDetails -- app -- authentication_service -- command -- date_hour -- date_mday -- date_minute -- date_month -- date_second -- date_wday -- date_year -- date_zone -- dest -- dest_name -- dvc -- event_type -- extendedAuditEventCategory -- host -- index -- linecount -- object -- punct -- record_type -- signature -- source -- sourcetype -- splunk_server -- status -- timeendpos -- timestartpos -- user -- user_agent -- user_agent_change -- user_id -- user_type -- vendor_account -- vendor_product -example_log: '{"CreationTime": "2023-09-05T21:05:31", "Id": "5822e126-1fbc-4269-9ad6-4c1879cdbcf3", + - _time + - ActorContextId + - Actor{}.ID + - Actor{}.Type + - AzureActiveDirectoryEventType + - CreationTime + - ExtendedProperties{}.Name + - ExtendedProperties{}.Value + - Id + - InterSystemsId + - IntraSystemId + - ModifiedProperties{}.Name + - ModifiedProperties{}.NewValue + - ModifiedProperties{}.OldValue + - ObjectId + - 
Operation + - OrganizationId + - RecordType + - ResultStatus + - SupportTicketId + - TargetContextId + - Target{}.ID + - Target{}.Type + - UserId + - UserKey + - UserType + - Version + - Workload + - additionalDetails + - app + - authentication_service + - command + - date_hour + - date_mday + - date_minute + - date_month + - date_second + - date_wday + - date_year + - date_zone + - dest + - dest_name + - dvc + - event_type + - extendedAuditEventCategory + - host + - index + - linecount + - object + - punct + - record_type + - signature + - source + - sourcetype + - splunk_server + - status + - timeendpos + - timestartpos + - user + - user_agent + - user_agent_change + - user_id + - user_type + - vendor_account + - vendor_product +example_log: + '{"CreationTime": "2023-09-05T21:05:31", "Id": "5822e126-1fbc-4269-9ad6-4c1879cdbcf3", "Operation": "Consent to application.", "OrganizationId": "9c00a473-1b2c-4bc2-9215-84df3f57aee5", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@contoso.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "95106c0e-3519-450e-8e38-7f326d873454", diff --git a/data_sources/o365_disable_strong_authentication_.yml b/data_sources/o365_disable_strong_authentication_.yml index 53f37fa0ab..fa1833e33f 100644 --- a/data_sources/o365_disable_strong_authentication_.yml +++ b/data_sources/o365_disable_strong_authentication_.yml 
@@ -1,84 +1,85 @@
 name: O365 Disable Strong Authentication.
 id: 235381c4-382a-4183-b818-a51c3ce12187
 version: 1
-date: '2024-07-18'
+date: "2024-07-18"
 author: Patrick Bareiss, Splunk
 description: Data source object for O365 Disable Strong Authentication.
 source: o365
 sourcetype: o365:management:activity
 separator: Operation
 supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.8.0
 fields:
-- _time
-- ActorContextId
-- ActorIpAddress
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- ClientIP
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- additionalDetails
-- app
-- authentication_service
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- extendedAuditEventCategory
-- extended_properties
-- host
-- index
-- linecount
-- object
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"Actor": [{"ID": "rodsoto@rodsoto.onmicrosoft.com", "Type": 5}, {"ID":
+ - _time
+ - ActorContextId
+ - ActorIpAddress
+ - Actor{}.ID
+ - Actor{}.Type
+ - AzureActiveDirectoryEventType
+ - ClientIP
+ - CreationTime
+ - ExtendedProperties{}.Name
+ - ExtendedProperties{}.Value
+ - Id
+ - InterSystemsId
+ - IntraSystemId
+ - ModifiedProperties{}.Name
+ - ModifiedProperties{}.NewValue
+ - ModifiedProperties{}.OldValue
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - RecordType
+ - ResultStatus
+ - SupportTicketId
+ - TargetContextId
+ - Target{}.ID
+ - Target{}.Type
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - additionalDetails
+ - app
+ - authentication_service
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - event_type
+ - extendedAuditEventCategory
+ - extended_properties
+ - host
+ - index
+ - linecount
+ - object
+ - punct
+ - record_type
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - status
+ - timeendpos
+ - timestartpos
+ - user
+ - user_id
+ - user_type
+ - vendor_account
+ - vendor_product
+example_log:
+ '{"Actor": [{"ID": "rodsoto@rodsoto.onmicrosoft.com", "Type": 5}, {"ID":
 "10037FFEA938FB92", "Type": 3}, {"ID": "User_bfb8c366-0406-41a5-b3e3-328f4a3b4484", "Type": 2}, {"ID": "bfb8c366-0406-41a5-b3e3-328f4a3b4484", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "ActorIpAddress":
diff --git a/data_sources/o365_mailitemsaccessed.yml b/data_sources/o365_mailitemsaccessed.yml
index d2bad265dc..6abca5126f 100644
--- a/data_sources/o365_mailitemsaccessed.yml
+++ b/data_sources/o365_mailitemsaccessed.yml
@@ -1,80 +1,81 @@
 name: O365 MailItemsAccessed
 id: 3d5188eb-341a-4b46-9caa-aade4047d027
 version: 1
-date: '2024-07-18'
+date: "2024-07-18"
 author: Patrick Bareiss, Splunk
 description: Data source object for O365 MailItemsAccessed
 source: o365
 sourcetype: o365:management:activity
 separator: Operation
 supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.8.0
 fields:
-- _time
-- AppId
-- ClientAppId
-- ClientIPAddress
-- ClientInfoString
-- CreationTime
-- ExternalAccess
-- Folders{}.FolderItems{}.InternetMessageId
-- Folders{}.FolderItems{}.SizeInBytes
-- Folders{}.Id
-- Folders{}.Path
-- Id
-- InternalLogonType
-- IsThrottled
-- LogonType
-- LogonUserSid
-- MailAccessType
-- MailboxGuid
-- MailboxOwnerSid
-- MailboxOwnerUPN
-- Operation
-- OperationCount
-- OperationProperties{}.Name
-- OperationProperties{}.Value
-- OrganizationId
-- OrganizationName
-- OriginatingServer
-- RecordType
-- ResultStatus
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- app
-- authentication_service
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dvc
-- host
-- index
-- linecount
-- punct
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"CreationTime": "2024-02-01T16:07:34", "Id": "9cef02e9-4bfa-4c73-be7d-9dad68b9cea8",
+ - _time
+ - AppId
+ - ClientAppId
+ - ClientIPAddress
+ - ClientInfoString
+ - CreationTime
+ - ExternalAccess
+ - Folders{}.FolderItems{}.InternetMessageId
+ - Folders{}.FolderItems{}.SizeInBytes
+ - Folders{}.Id
+ - Folders{}.Path
+ - Id
+ - InternalLogonType
+ - IsThrottled
+ - LogonType
+ - LogonUserSid
+ - MailAccessType
+ - MailboxGuid
+ - MailboxOwnerSid
+ - MailboxOwnerUPN
+ - Operation
+ - OperationCount
+ - OperationProperties{}.Name
+ - OperationProperties{}.Value
+ - OrganizationId
+ - OrganizationName
+ - OriginatingServer
+ - RecordType
+ - ResultStatus
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - app
+ - authentication_service
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dvc
+ - host
+ - index
+ - linecount
+ - punct
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - status
+ - timeendpos
+ - timestartpos
+ - user
+ - user_id
+ - user_type
+ - vendor_account
+ - vendor_product
+example_log:
+ '{"CreationTime": "2024-02-01T16:07:34", "Id": "9cef02e9-4bfa-4c73-be7d-9dad68b9cea8",
 "Operation": "MailItemsAccessed", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 50, "ResultStatus": "Succeeded", "UserKey": "100320030DF47B14", "UserType": 0, "Version": 1, "Workload": "Exchange", "UserId": "user15@splunkresearch.onmicrosoft.com",
diff --git a/data_sources/o365_modifyfolderpermissions.yml b/data_sources/o365_modifyfolderpermissions.yml
index bf6d9f1855..6d6fde04f6 100644
--- a/data_sources/o365_modifyfolderpermissions.yml
+++ b/data_sources/o365_modifyfolderpermissions.yml
@@ -1,98 +1,99 @@
 name: O365 ModifyFolderPermissions
 id: 0a8c1080-68c2-46d7-8324-2e7d97bb6e2f
 version: 1
-date: '2024-07-18'
+date: "2024-07-18"
 author: Patrick Bareiss, Splunk
 description: Data source object for O365 ModifyFolderPermissions
 source: o365
 sourcetype: o365:management:activity
 separator: Operation
 supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.8.0
 fields:
-- _time
-- AppId
-- ClientIP
-- ClientIPAddress
-- ClientInfoString
-- CreationTime
-- ExternalAccess
-- Id
-- InternalLogonType
-- Item.Id
-- Item.ParentFolder.Id
-- Item.ParentFolder.MemberRights
-- Item.ParentFolder.MemberSid
-- Item.ParentFolder.MemberUpn
-- Item.ParentFolder.Name
-- Item.ParentFolder.Path
-- LogonType
-- LogonUserSid
-- MailboxGuid
-- MailboxOwnerSid
-- MailboxOwnerUPN
-- Operation
-- OrganizationId
-- OrganizationName
-- OriginatingServer
-- RecordType
-- ResultStatus
-- SessionId
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- app
-- authentication_service
-- change_type
-- client_info_str
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- eventtype
-- host
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- object_id
-- punct
-- record_type
-- result
-- signature
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- status
-- tag
-- tag::eventtype
-- tenant_id
-- timeendpos
-- timestartpos
-- user
-- user_agent
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"CreationTime": "2023-09-07T18:19:07", "Id": "ff065c17-e638-4013-20ab-08dbafceeca1",
+ - _time
+ - AppId
+ - ClientIP
+ - ClientIPAddress
+ - ClientInfoString
+ - CreationTime
+ - ExternalAccess
+ - Id
+ - InternalLogonType
+ - Item.Id
+ - Item.ParentFolder.Id
+ - Item.ParentFolder.MemberRights
+ - Item.ParentFolder.MemberSid
+ - Item.ParentFolder.MemberUpn
+ - Item.ParentFolder.Name
+ - Item.ParentFolder.Path
+ - LogonType
+ - LogonUserSid
+ - MailboxGuid
+ - MailboxOwnerSid
+ - MailboxOwnerUPN
+ - Operation
+ - OrganizationId
+ - OrganizationName
+ - OriginatingServer
+ - RecordType
+ - ResultStatus
+ - SessionId
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - action
+ - app
+ - authentication_service
+ - change_type
+ - client_info_str
+ - command
+ - dataset_name
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - eventtype
+ - host
+ - index
+ - linecount
+ - object
+ - object_attrs
+ - object_category
+ - object_id
+ - punct
+ - record_type
+ - result
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - status
+ - tag
+ - tag::eventtype
+ - tenant_id
+ - timeendpos
+ - timestartpos
+ - user
+ - user_agent
+ - user_id
+ - user_type
+ - vendor_account
+ - vendor_product
+example_log:
+ '{"CreationTime": "2023-09-07T18:19:07", "Id": "ff065c17-e638-4013-20ab-08dbafceeca1",
 "Operation": "ModifyFolderPermissions", "OrganizationId": "e17879dd-24ec-44a6-be92-9dcbf6969220", "RecordType": 2, "ResultStatus": "Succeeded", "UserKey": "10032002CC029AE9", "UserType": 0, "Version": 1, "Workload": "Exchange", "ClientIP": "22.23.21.25", "UserId": "user1@contoso.onmicrosoft.com",
diff --git a/data_sources/o365_set_company_information_.yml b/data_sources/o365_set_company_information_.yml
index d40cca2fcb..27041a659a 100644
--- a/data_sources/o365_set_company_information_.yml
+++ b/data_sources/o365_set_company_information_.yml
@@ -1,92 +1,93 @@
 name: O365 Set Company Information.
 id: 06c6d576-f032-41e3-b15d-80a434ce13d8
 version: 1
-date: '2024-07-18'
+date: "2024-07-18"
 author: Patrick Bareiss, Splunk
 description: Data source object for O365 Set Company Information.
 source: o365
 sourcetype: o365:management:activity
 separator: Operation
 supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.8.0
 fields:
-- _time
-- ActorContextId
-- ActorIpAddress
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- ClientIP
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- additionalDetails
-- app
-- authentication_service
-- change_type
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- eventtype
-- extendedAuditEventCategory
-- extended_properties
-- host
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"Actor": [{"ID": "bpatel@rodsoto.onmicrosoft.com", "Type": 5}, {"ID":
+ - _time
+ - ActorContextId
+ - ActorIpAddress
+ - Actor{}.ID
+ - Actor{}.Type
+ - AzureActiveDirectoryEventType
+ - ClientIP
+ - CreationTime
+ - ExtendedProperties{}.Name
+ - ExtendedProperties{}.Value
+ - Id
+ - InterSystemsId
+ - IntraSystemId
+ - ModifiedProperties{}.Name
+ - ModifiedProperties{}.NewValue
+ - ModifiedProperties{}.OldValue
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - RecordType
+ - ResultStatus
+ - SupportTicketId
+ - TargetContextId
+ - Target{}.ID
+ - Target{}.Type
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - action
+ - additionalDetails
+ - app
+ - authentication_service
+ - change_type
+ - command
+ - dataset_name
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - event_type
+ - eventtype
+ - extendedAuditEventCategory
+ - extended_properties
+ - host
+ - index
+ - linecount
+ - object
+ - object_attrs
+ - object_category
+ - punct
+ - record_type
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - user_id
+ - user_type
+ - vendor_account
+ - vendor_product
+example_log:
+ '{"Actor": [{"ID": "bpatel@rodsoto.onmicrosoft.com", "Type": 5}, {"ID":
 "100320010208B5DC", "Type": 3}, {"ID": "User_425b75db-38be-4c7b-a474-5f0709247370", "Type": 2}, {"ID": "425b75db-38be-4c7b-a474-5f0709247370", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "ActorIpAddress":
diff --git a/data_sources/o365_set_mailbox.yml b/data_sources/o365_set_mailbox.yml
index 30ebad4b33..6a8b3379e3 100644
--- a/data_sources/o365_set_mailbox.yml
+++ b/data_sources/o365_set_mailbox.yml
@@ -1,88 +1,89 @@
 name: O365 Set-Mailbox
 id: db798c5c-928c-4972-bb42-e5f90e35865f
 version: 1
-date: '2024-07-18'
+date: "2024-07-18"
 author: Patrick Bareiss, Splunk
 description: Data source object for O365 Set-Mailbox
 source: o365
 sourcetype: o365:management:activity
 separator: Operation
 supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.8.0
 fields:
-- _time
-- AppId
-- ClientAppId
-- ClientIP
-- CreationTime
-- ExternalAccess
-- Id
-- Identity
-- ObjectId
-- Operation
-- OrganizationId
-- OrganizationName
-- OriginatingServer
-- Parameters{}.Name
-- Parameters{}.Value
-- Params
-- RecordType
-- ResultStatus
-- SessionId
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- app
-- authentication_service
-- change_type
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- eventtype
-- host
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- object_id
-- punct
-- record_type
-- result
-- signature
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- src_user
-- src_user_type
-- status
-- tag
-- tag::eventtype
-- tenant_id
-- timeendpos
-- timestartpos
-- user
-- user_id
-- vendor_account
-- vendor_product
-example_log: '{"AppId": "", "ClientAppId": "", "ClientIP": "18.192.200.190:52816",
+ - _time
+ - AppId
+ - ClientAppId
+ - ClientIP
+ - CreationTime
+ - ExternalAccess
+ - Id
+ - Identity
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - OrganizationName
+ - OriginatingServer
+ - Parameters{}.Name
+ - Parameters{}.Value
+ - Params
+ - RecordType
+ - ResultStatus
+ - SessionId
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - action
+ - app
+ - authentication_service
+ - change_type
+ - command
+ - dataset_name
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - eventtype
+ - host
+ - index
+ - linecount
+ - object
+ - object_attrs
+ - object_category
+ - object_id
+ - punct
+ - record_type
+ - result
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - src_user
+ - src_user_type
+ - status
+ - tag
+ - tag::eventtype
+ - tenant_id
+ - timeendpos
+ - timestartpos
+ - user
+ - user_id
+ - vendor_account
+ - vendor_product
+example_log:
+ '{"AppId": "", "ClientAppId": "", "ClientIP": "18.192.200.190:52816",
 "CreationTime": "2020-12-16T12:32:28", "ExternalAccess": false, "Id": "a6a52406-0912-448d-36eb-08d8a1bea6be", "ObjectId": "bpatel", "Operation": "Set-Mailbox", "OrganizationId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "OrganizationName": "rodsoto.onmicrosoft.com", "OriginatingServer": "PH0PR14MB4341
diff --git a/data_sources/o365_update_application_.yml b/data_sources/o365_update_application_.yml
index f78faf1948..1e19e27c68 100644
--- a/data_sources/o365_update_application_.yml
+++ b/data_sources/o365_update_application_.yml
@@ -1,91 +1,92 @@
 name: O365 Update application.
 id: 62159133-911b-4c63-9e30-a6a8c89195ca
 version: 1
-date: '2024-07-18'
+date: "2024-07-18"
 author: Patrick Bareiss, Splunk
 description: Data source object for O365 Update application.
 source: o365
 sourcetype: o365:management:activity
 separator: Operation
 supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.8.0
 fields:
-- _time
-- ActorContextId
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- additionalDetails
-- app
-- authentication_service
-- change_type
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- eventtype
-- extendedAuditEventCategory
-- host
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_agent
-- user_agent_change
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"CreationTime": "2023-09-01T17:16:20", "Id": "c428c85c-4fa0-4e97-9033-6a76d9dee45d",
+ - _time
+ - ActorContextId
+ - Actor{}.ID
+ - Actor{}.Type
+ - AzureActiveDirectoryEventType
+ - CreationTime
+ - ExtendedProperties{}.Name
+ - ExtendedProperties{}.Value
+ - Id
+ - InterSystemsId
+ - IntraSystemId
+ - ModifiedProperties{}.Name
+ - ModifiedProperties{}.NewValue
+ - ModifiedProperties{}.OldValue
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - RecordType
+ - ResultStatus
+ - SupportTicketId
+ - TargetContextId
+ - Target{}.ID
+ - Target{}.Type
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - action
+ - additionalDetails
+ - app
+ - authentication_service
+ - change_type
+ - command
+ - dataset_name
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - event_type
+ - eventtype
+ - extendedAuditEventCategory
+ - host
+ - index
+ - linecount
+ - object
+ - object_attrs
+ - object_category
+ - punct
+ - record_type
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - user_agent
+ - user_agent_change
+ - user_id
+ - user_type
+ - vendor_account
+ - vendor_product
+example_log:
+ '{"CreationTime": "2023-09-01T17:16:20", "Id": "c428c85c-4fa0-4e97-9033-6a76d9dee45d",
 "Operation": "Update application.", "OrganizationId": "58aee3b9-7433-46a0-b54e-2429487992a0", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@contoso.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "Application_a2d68f8b-ab9f-47ac-934f-b966c3ac134f",
diff --git a/data_sources/o365_update_authorization_policy_.yml b/data_sources/o365_update_authorization_policy_.yml
index b53bce2417..7e6c7a1a5b 100644
--- a/data_sources/o365_update_authorization_policy_.yml
+++ b/data_sources/o365_update_authorization_policy_.yml
@@ -1,83 +1,84 @@
 name: O365 Update authorization policy.
 id: d40e6a20-4d64-404c-8351-2caae8228d34
 version: 1
-date: '2024-07-18'
+date: "2024-07-18"
 author: Patrick Bareiss, Splunk
 description: Data source object for O365 Update authorization policy.
 source: o365
 sourcetype: o365:management:activity
 separator: Operation
 supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.8.0
 fields:
-- _time
-- ActorContextId
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- additionalDetails
-- app
-- authentication_service
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- extendedAuditEventCategory
-- host
-- index
-- linecount
-- object
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- status
-- timeendpos
-- timestartpos
-- user
-- user_agent
-- user_agent_change
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"CreationTime": "2023-10-26T19:22:20", "Id": "83774e72-313f-4d1f-8609-7d0c7bb3b4ff",
+ - _time
+ - ActorContextId
+ - Actor{}.ID
+ - Actor{}.Type
+ - AzureActiveDirectoryEventType
+ - CreationTime
+ - ExtendedProperties{}.Name
+ - ExtendedProperties{}.Value
+ - Id
+ - InterSystemsId
+ - IntraSystemId
+ - ModifiedProperties{}.Name
+ - ModifiedProperties{}.NewValue
+ - ModifiedProperties{}.OldValue
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - RecordType
+ - ResultStatus
+ - SupportTicketId
+ - TargetContextId
+ - Target{}.ID
+ - Target{}.Type
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - additionalDetails
+ - app
+ - authentication_service
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - event_type
+ - extendedAuditEventCategory
+ - host
+ - index
+ - linecount
+ - object
+ - punct
+ - record_type
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - status
+ - timeendpos
+ - timestartpos
+ - user
+ - user_agent
+ - user_agent_change
+ - user_id
+ - user_type
+ - vendor_account
+ - vendor_product
+example_log:
+ '{"CreationTime": "2023-10-26T19:22:20", "Id": "83774e72-313f-4d1f-8609-7d0c7bb3b4ff",
 "Operation": "Update authorization policy.", "OrganizationId": "a417c578-c7ee-480d-a225-d48057e74df5", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "AuthorizationPolicy_24484114-1daa-4700-aaf7-44ee5cbe5678",
diff --git a/data_sources/o365_update_user_.yml b/data_sources/o365_update_user_.yml
index 5497544e68..dd714c9be5 100644
--- a/data_sources/o365_update_user_.yml
+++ b/data_sources/o365_update_user_.yml
@@ -1,90 +1,91 @@
 name: O365 Update user.
 id: a05fd01e-34d9-4233-9089-11272416b531
 version: 1
-date: '2024-07-18'
+date: "2024-07-18"
 author: Patrick Bareiss, Splunk
 description: Data source object for O365 Update user.
 source: o365
 sourcetype: o365:management:activity
 separator: Operation
 supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.8.0
 fields:
-- _time
-- ActorContextId
-- Actor{}.ID
-- Actor{}.Type
-- AzureActiveDirectoryEventType
-- CreationTime
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- ModifiedProperties{}.Name
-- ModifiedProperties{}.NewValue
-- ModifiedProperties{}.OldValue
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- ResultStatus
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- additionalDetails
-- app
-- authentication_service
-- change_type
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- eventtype
-- extendedAuditEventCategory
-- host
-- index
-- linecount
-- object
-- object_attrs
-- object_category
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- src_user
-- status
-- tag
-- tag::eventtype
-- timeendpos
-- timestartpos
-- user
-- user_id
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"CreationTime": "2023-10-20T19:32:59", "Id": "d06df1c6-b3f2-4595-90b9-99b8f91811c3",
+ - _time
+ - ActorContextId
+ - Actor{}.ID
+ - Actor{}.Type
+ - AzureActiveDirectoryEventType
+ - CreationTime
+ - ExtendedProperties{}.Name
+ - ExtendedProperties{}.Value
+ - Id
+ - InterSystemsId
+ - IntraSystemId
+ - ModifiedProperties{}.Name
+ - ModifiedProperties{}.NewValue
+ - ModifiedProperties{}.OldValue
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - RecordType
+ - ResultStatus
+ - SupportTicketId
+ - TargetContextId
+ - Target{}.ID
+ - Target{}.Type
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - action
+ - additionalDetails
+ - app
+ - authentication_service
+ - change_type
+ - command
+ - dataset_name
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - event_type
+ - eventtype
+ - extendedAuditEventCategory
+ - host
+ - index
+ - linecount
+ - object
+ - object_attrs
+ - object_category
+ - punct
+ - record_type
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - src_user
+ - status
+ - tag
+ - tag::eventtype
+ - timeendpos
+ - timestartpos
+ - user
+ - user_id
+ - user_type
+ - vendor_account
+ - vendor_product
+example_log:
+ '{"CreationTime": "2023-10-20T19:32:59", "Id": "d06df1c6-b3f2-4595-90b9-99b8f91811c3",
 "Operation": "Update user.", "OrganizationId": "99825d50-9544-4061-8e46-68923805cbf2", "RecordType": 8, "ResultStatus": "Success", "UserKey": "10032002CC029AE9@splunkresearch1.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "victim@splunkresearch1.onmicrosoft.com",
diff --git a/data_sources/o365_userloggedin.yml b/data_sources/o365_userloggedin.yml
index 540450b496..299a4a06d6 100644
--- a/data_sources/o365_userloggedin.yml
+++ b/data_sources/o365_userloggedin.yml
@@ -1,90 +1,91 @@
 name: O365 UserLoggedIn
 id: ed29c8c4-4053-419c-b133-16abf2a1c4c9
 version: 1
-date: '2024-07-18'
+date: "2024-07-18"
 author: Patrick Bareiss, Splunk
 description: Data source object for O365 UserLoggedIn
 source: o365
 sourcetype: o365:management:activity
 separator: Operation
 supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
- url: https://splunkbase.splunk.com/app/4055
- version: 4.7.0
+ - name: Splunk Add-on for Microsoft Office 365
+ url: https://splunkbase.splunk.com/app/4055
+ version: 4.8.0
 fields:
-- _time
-- ActorContextId
-- ActorIpAddress
-- Actor{}.ID
-- Actor{}.Type
-- ApplicationId
-- AzureActiveDirectoryEventType
-- BrowserType
-- ClientIP
-- CreationTime
-- DeviceProperties{}.Name
-- DeviceProperties{}.Value
-- ErrorNumber
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- OS
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- RequestType
-- ResultStatus
-- ResultStatusDetail
-- SessionId
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserAgent
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- app
-- authentication_service
-- command
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- host
-- index
-- linecount
-- object
-- punct
-- record_type
-- signature
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- status
-- timeendpos
-- timestartpos
-- user
-- user_agent
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"CreationTime": "2023-12-04T20:42:05", "Id": "52d72a62-132b-487b-bb7f-c4c119f90700",
+ - _time
+ - ActorContextId
+ - ActorIpAddress
+ - Actor{}.ID
+ - Actor{}.Type
+ - ApplicationId
+ - AzureActiveDirectoryEventType
+ - BrowserType
+ - ClientIP
+ - CreationTime
+ - DeviceProperties{}.Name
+ - DeviceProperties{}.Value
+ - ErrorNumber
+ - ExtendedProperties{}.Name
+ - ExtendedProperties{}.Value
+ - Id
+ - InterSystemsId
+ - IntraSystemId
+ - OS
+ - ObjectId
+ - Operation
+ - OrganizationId
+ - RecordType
+ - RequestType
+ - ResultStatus
+ - ResultStatusDetail
+ - SessionId
+ - SupportTicketId
+ - TargetContextId
+ - Target{}.ID
+ - Target{}.Type
+ - UserAgent
+ - UserId
+ - UserKey
+ - UserType
+ - Version
+ - Workload
+ - app
+ - authentication_service
+ - command
+ - date_hour
+ - date_mday
+ - date_minute
+ - date_month
+ - date_second
+ - date_wday
+ - date_year
+ - date_zone
+ - dest
+ - dest_name
+ - dvc
+ - event_type
+ - host
+ - index
+ - linecount
+ - object
+ - punct
+ - record_type
+ - signature
+ - source
+ - sourcetype
+ - splunk_server
+ - src
+ - src_ip
+ - status
+ - timeendpos
+ - timestartpos
+ - user
+ - user_agent
+ - user_type
+ - vendor_account
+ - vendor_product
+example_log:
+ '{"CreationTime": "2023-12-04T20:42:05", "Id": "52d72a62-132b-487b-bb7f-c4c119f90700",
 "Operation": "UserLoggedIn", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 15, "ResultStatus": "Success", "UserKey": "2d2f9e2c-8350-4d98-852e-3f06daaf7185", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "54.68.231.63",
diff --git a/data_sources/o365_userloginfailed.yml b/data_sources/o365_userloginfailed.yml
index b03d5032ae..f35e8c695e 100644
--- a/data_sources/o365_userloginfailed.yml
+++ b/data_sources/o365_userloginfailed.yml
@@ -1,99 +1,100 @@
 name: O365 UserLoginFailed
 id: 6099b33d-d581-43ed-8401-911862590361
 version: 1
-date: '2024-07-18'
+date: "2024-07-18"
 author: Patrick Bareiss, Splunk
 description: Data source object for O365 UserLoginFailed
 source: o365
 sourcetype: o365:management:activity
 separator: Operation
 supported_TA:
-- name: Splunk Add-on for Microsoft Office 365
-  url: https://splunkbase.splunk.com/app/4055
-  version: 4.7.0
+  - name: Splunk Add-on for Microsoft Office 365
+    url: https://splunkbase.splunk.com/app/4055
+    version: 4.8.0
 fields:
-- _time
-- ActorContextId
-- ActorIpAddress
-- Actor{}.ID
-- Actor{}.Type
-- ApplicationId
-- AzureActiveDirectoryEventType
-- BrowserType
-- ClientIP
-- CreationTime
-- DeviceProperties{}.Name
-- DeviceProperties{}.Value
-- ErrorNumber
-- ExtendedProperties{}.Name
-- ExtendedProperties{}.Value
-- Id
-- InterSystemsId
-- IntraSystemId
-- IsCompliantAndManaged
-- LogonError
-- OS
-- ObjectId
-- Operation
-- OrganizationId
-- RecordType
-- RequestType
-- ResultStatus
-- ResultStatusDetail
-- SupportTicketId
-- TargetContextId
-- Target{}.ID
-- Target{}.Type
-- UserAgent
-- UserAuthenticationMethod
-- UserId
-- UserKey
-- UserType
-- Version
-- Workload
-- action
-- app
-- authentication_method
-- authentication_service
-- command
-- dataset_name
-- date_hour
-- date_mday
-- date_minute
-- date_month
-- date_second
-- date_wday
-- date_year
-- date_zone
-- dest
-- dest_name
-- dvc
-- event_type
-- eventtype
-- host
-- index
-- linecount
-- object
-- punct
-- reason
-- record_type
-- result
-- signature
-- source
-- sourcetype
-- splunk_server
-- src
-- src_ip
-- status
-- tag
-- tag::action
-- tag::eventtype
-- user
-- user_agent
-- user_type
-- vendor_account
-- vendor_product
-example_log: '{"CreationTime": "2023-10-10T17:08:65", "Id": "4593aac8-855f-4341-9d2a-4289146eb800",
+  - _time
+  - ActorContextId
+  - ActorIpAddress
+  - Actor{}.ID
+  - Actor{}.Type
+  - ApplicationId
+  - AzureActiveDirectoryEventType
+  - BrowserType
+  - ClientIP
+  - CreationTime
+  - DeviceProperties{}.Name
+  - DeviceProperties{}.Value
+  - ErrorNumber
+  - ExtendedProperties{}.Name
+  - ExtendedProperties{}.Value
+  - Id
+  - InterSystemsId
+  - IntraSystemId
+  - IsCompliantAndManaged
+  - LogonError
+  - OS
+  - ObjectId
+  - Operation
+  - OrganizationId
+  - RecordType
+  - RequestType
+  - ResultStatus
+  - ResultStatusDetail
+  - SupportTicketId
+  - TargetContextId
+  - Target{}.ID
+  - Target{}.Type
+  - UserAgent
+  - UserAuthenticationMethod
+  - UserId
+  - UserKey
+  - UserType
+  - Version
+  - Workload
+  - action
+  - app
+  - authentication_method
+  - authentication_service
+  - command
+  - dataset_name
+  - date_hour
+  - date_mday
+  - date_minute
+  - date_month
+  - date_second
+  - date_wday
+  - date_year
+  - date_zone
+  - dest
+  - dest_name
+  - dvc
+  - event_type
+  - eventtype
+  - host
+  - index
+  - linecount
+  - object
+  - punct
+  - reason
+  - record_type
+  - result
+  - signature
+  - source
+  - sourcetype
+  - splunk_server
+  - src
+  - src_ip
+  - status
+  - tag
+  - tag::action
+  - tag::eventtype
+  - user
+  - user_agent
+  - user_type
+  - vendor_account
+  - vendor_product
+example_log:
+  '{"CreationTime": "2023-10-10T17:08:65", "Id": "4593aac8-855f-4341-9d2a-4289146eb800",
   "Operation": "UserLoginFailed", "OrganizationId": "d541aae6-6b73-4a7c-aaf0-a4de30c872bc",
   "RecordType": 15, "ResultStatus": "Failed", "UserKey": "57e4bd36-9722-4a4a-9729-7203d8e00b72",
   "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ClientIP": "52.3.21.4",
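Review bot: The added `example_log` line for this data source carries `"CreationTime": "2023-10-10T17:08:65"`, whose seconds component (65) is outside the valid range, so anything that parses this sample as a timestamp — a test replay keyed on CreationTime, or a reader checking a detection's time window against it — gets an invalid or silently re-interpreted event. The value is pre-existing and the commit only re-wraps the scalar onto a new line, but since the line is on the new side this is the natural place to correct it. I would restore the seconds field from the original captured event; if that is not available, a placeholder such as `"CreationTime": "2023-10-10T17:08:05"` (constructed) at least keeps the sample parseable, and the fix should be noted in the data-source description so nobody treats the sample as a verbatim capture. The sibling `example_log` in o365_userloggedin.yml (first hunk) has a well-formed timestamp and does not need this change.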