From 7b24f8a54f7e155ca843a25454f8ac78cfd4a381 Mon Sep 17 00:00:00 2001 From: Brian Serocki Date: Wed, 3 Sep 2025 13:17:03 -0500 Subject: [PATCH 1/2] Correct Azure localization issues --- detections/cloud/azure_automation_account_created.yml | 8 ++++---- detections/cloud/azure_automation_runbook_created.yml | 8 ++++---- detections/cloud/azure_runbook_webhook_created.yml | 6 +++--- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/detections/cloud/azure_automation_account_created.yml b/detections/cloud/azure_automation_account_created.yml index d6b2768640..8786e362bf 100644 --- a/detections/cloud/azure_automation_account_created.yml +++ b/detections/cloud/azure_automation_account_created.yml @@ -1,7 +1,7 @@ name: Azure Automation Account Created id: 860902fd-2e76-46b3-b050-ba548dab576c -version: 9 -date: '2025-05-02' +version: 10 +date: '2025-09-03' author: Mauricio Velazco, Splunk status: production type: TTP @@ -15,9 +15,9 @@ description: The following analytic detects the creation of a new Azure Automati on virtual machines, posing a significant security risk. data_source: - Azure Audit Create or Update an Azure Automation account -search: '`azure_audit` operationName.localizedValue="Create or Update an Azure Automation account" status.value=Succeeded +search: '`azure_audit` operationName.value="Microsoft.Automation/automationAccounts/write" status.value=Succeeded | dedup object - | rename claims.ipaddr as src, subscriptionId as vendor_account, operationName.localizedValue as signature + | rename claims.ipaddr as src, subscriptionId as vendor_account, operationName.value as signature | stats count min(_time) as firstTime max(_time) as lastTime by dest user src vendor_account vendor_product object object_path signature | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_automation_account_created_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft 
diff --git a/detections/cloud/azure_automation_runbook_created.yml b/detections/cloud/azure_automation_runbook_created.yml index adef214395..7b659358bf 100644 --- a/detections/cloud/azure_automation_runbook_created.yml +++ b/detections/cloud/azure_automation_runbook_created.yml @@ -1,7 +1,7 @@ name: Azure Automation Runbook Created id: 178d696d-6dc6-4ee8-9d25-93fee34eaf5b -version: 9 -date: '2025-05-02' +version: 10 +date: '2025-09-03' author: Mauricio Velazco, Splunk status: production type: TTP @@ -15,9 +15,9 @@ description: The following analytic detects the creation of a new Azure Automati environment. data_source: - Azure Audit Create or Update an Azure Automation Runbook -search: '`azure_audit` operationName.localizedValue="Create or Update an Azure Automation Runbook" object!=AzureAutomationTutorial* status.value=Succeeded +search: '`azure_audit` operationName.value="Microsoft.Automation/automationAccounts/runbooks/write" object!=AzureAutomationTutorial* status.value=Succeeded | dedup object - | rename claims.ipaddr as src, subscriptionId as vendor_account, operationName.localizedValue as operationName + | rename claims.ipaddr as src, subscriptionId as vendor_account, operationName.value as operationName | stats count min(_time) as firstTime max(_time) as lastTime by dest user src vendor_account vendor_product object object_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` diff --git a/detections/cloud/azure_runbook_webhook_created.yml b/detections/cloud/azure_runbook_webhook_created.yml index d380235860..66dcdf87ad 100644 --- a/detections/cloud/azure_runbook_webhook_created.yml +++ b/detections/cloud/azure_runbook_webhook_created.yml @@ -1,7 +1,7 @@ name: Azure Runbook Webhook Created id: e98944a9-92e4-443c-81b8-a322e33ce75a -version: 10 -date: '2025-05-02' +version: 11 +date: '2025-09-03' author: Mauricio Velazco, Splunk status: production type: TTP 
@@ -15,7 +15,7 @@ description: The following analytic detects the creation of a new Automation Run control over Azure resources. data_source: - Azure Audit Create or Update an Azure Automation webhook -search: '`azure_audit` operationName.localizedValue="Create or Update an Azure Automation webhook" status.value=Succeeded +search: '`azure_audit` operationName.value="Microsoft.Automation/automationAccounts/webhooks/write" status.value=Succeeded | dedup object | rename claims.ipaddr as src_ip | rename caller as user From 939ee285a3e4568007a16a8d470d2e69df9cb794 Mon Sep 17 00:00:00 2001 From: Brian Serocki Date: Wed, 3 Sep 2025 16:07:29 -0500 Subject: [PATCH 2/2] Correct Azure localization issues --- detections/cloud/azure_automation_account_created.yml | 2 +- detections/cloud/azure_automation_runbook_created.yml | 2 +- detections/cloud/azure_runbook_webhook_created.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/detections/cloud/azure_automation_account_created.yml b/detections/cloud/azure_automation_account_created.yml index 8786e362bf..7e672d98a0 100644 --- a/detections/cloud/azure_automation_account_created.yml +++ b/detections/cloud/azure_automation_account_created.yml @@ -2,7 +2,7 @@ name: Azure Automation Account Created id: 860902fd-2e76-46b3-b050-ba548dab576c version: 10 date: '2025-09-03' -author: Mauricio Velazco, Splunk +author: Mauricio Velazco, Brian Serocki, Splunk status: production type: TTP description: The following analytic detects the creation of a new Azure Automation diff --git a/detections/cloud/azure_automation_runbook_created.yml b/detections/cloud/azure_automation_runbook_created.yml index 7b659358bf..271f62106d 100644 --- a/detections/cloud/azure_automation_runbook_created.yml +++ b/detections/cloud/azure_automation_runbook_created.yml 
@@ -2,7 +2,7 @@ name: Azure Automation Runbook Created id: 178d696d-6dc6-4ee8-9d25-93fee34eaf5b version: 10 date: '2025-09-03' -author: Mauricio Velazco, Splunk +author: Mauricio Velazco, Brian Serocki, Splunk status: production type: TTP description: The following analytic detects the creation of a new Azure Automation diff --git a/detections/cloud/azure_runbook_webhook_created.yml b/detections/cloud/azure_runbook_webhook_created.yml index 66dcdf87ad..1b8b886dbf 100644 --- a/detections/cloud/azure_runbook_webhook_created.yml +++ b/detections/cloud/azure_runbook_webhook_created.yml @@ -2,7 +2,7 @@ name: Azure Runbook Webhook Created id: e98944a9-92e4-443c-81b8-a322e33ce75a version: 11 date: '2025-09-03' -author: Mauricio Velazco, Splunk +author: Mauricio Velazco, Brian Serocki, Splunk status: production type: TTP description: The following analytic detects the creation of a new Automation Runbook
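Review bot: in the account hunk of PATCH 1, switching from `operationName.localizedValue` to `operationName.value` is the right fix (the localized string depends on the tenant's display language, the resource-provider string does not), but note what it changes in the output: `rename ... operationName.value as signature` plus `stats ... by ... signature` means `signature` now carries `Microsoft.Automation/automationAccounts/write` instead of the English display name, so any dashboard or notable-event template that expects "Create or Update an Azure Automation account" needs the same update. The `.../write` operation also fires on updates, exactly as the old "Create or Update" value did, so the description should say so rather than leaving the name "Azure Automation Account Created" to imply creations only.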
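Review bot: in the runbook hunk of PATCH 1 the rename `operationName.value as operationName` produces a field that the following `stats count min(_time) as firstTime max(_time) as lastTime by dest user src vendor_account vendor_product object object_path` never groups by, so it is discarded from the results. The account search in the same patch renames the same field to `signature` and includes it in the `by` clause; suggest matching that here, `| rename claims.ipaddr as src, subscriptionId as vendor_account, operationName.value as signature` with `signature` appended to the `by` list, so all three detections emit the same field for the operation.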
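Review bot: in the webhook hunk of PATCH 1 the search keeps `rename claims.ipaddr as src_ip` while the other two searches in this patch rename the same field to `src`; the inconsistency predates this change, but since all three searches are being touched and re-versioned anyway this is the moment to align them. Separately, the diffstat lists only the three YAML files, so none of the detection test data changed: confirm the sample events used by CI carry `operationName.value` populated with `Microsoft.Automation/automationAccounts/webhooks/write` (and the account and runbook equivalents), otherwise the searches match tenant-independent values in production but stop firing in the tests.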
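Review bot: PATCH 2 changes only the `author` line in each of the three files, yet reuses the PATCH 1 subject "Correct Azure localization issues". Since `version` and `date` were already bumped to 10/11 and 2025-09-03 in PATCH 1, no further bump is needed here, but either squash the two commits or give the second a subject that says it adds author credit, so the history describes what each commit actually does.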