Add attack_data for 3 Entra ID identity attack detections #1187
Open
descambiado wants to merge 1 commit into
Test data for splunk/security_content PR #4091:

- azure_ad_federated_identity_credential_added_to_service_principal (T1098.001)
- azure_ad_guest_user_type_changed_to_member (T1098)
- azure_ad_temporary_access_pass_created (T1556.006, T1078.004)
Summary
Test data requested by @nasbench on splunk/security_content#4091 for the 3 Entra ID identity attack detections:
- azure_ad_federated_identity_credential_added_to_service_principal.yml (T1098.001): federated identity credential added to a service principal, pointing to an external GitHub Actions OIDC issuer
- azure_ad_guest_user_type_changed_to_member.yml (T1098): guest account UserType changed to Member
- azure_ad_temporary_access_pass_created.yml (T1556.006, T1078.004): Temporary Access Pass created for a Global Administrator account

Each dataset includes one true-positive event plus one benign noise event (unrelated property change on the same operation) to validate filter specificity. Tenant IDs, usernames, and IPs are synthetic/anonymized, following the existing azure_ad_enable_and_reset dataset format as a reference.

Related
Test plan
- azure-audit.log / .yml pairs match the existing dataset schema for the azure:monitor:aad sourcetype
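The true-positive-plus-noise pairing described in the summary, shown for the guest-to-Member detection as an added example that is not part of this PR or of the attack_data/security_content repositories. The two events, the `Update user` operation name and the `modifiedProperties` field layout are constructed assumptions modelled on the Azure AD audit log shape; the check passes only when `UserType` itself moves from Guest to Member, so the noise event on the same operation stays silent.

```python
import json

# Constructed sample events modelled on the Azure AD audit log layout
# (operationName plus targetResources[].modifiedProperties[] carrying
# displayName/oldValue/newValue as JSON-encoded strings). Assumed for
# this example, not taken from the PR's dataset files.
SAMPLE_EVENTS = [
    {  # true positive: guest account promoted to Member
        "operationName": "Update user",
        "targetResources": [{
            "modifiedProperties": [
                {"displayName": "UserType", "oldValue": '["Guest"]', "newValue": '["Member"]'},
            ],
        }],
    },
    {  # benign noise: same operation, unrelated property changed
        "operationName": "Update user",
        "targetResources": [{
            "modifiedProperties": [
                {"displayName": "DisplayName", "oldValue": '["Old Name"]', "newValue": '["New Name"]'},
            ],
        }],
    },
]

def _decode(value):
    """modifiedProperties values arrive as JSON-encoded strings such as '["Member"]'."""
    if not value:
        return []
    try:
        decoded = json.loads(value)
    except ValueError:
        return [value]  # tolerate values that are not valid JSON
    return decoded if isinstance(decoded, list) else [decoded]

def guest_changed_to_member(event):
    """True only for an 'Update user' event that flips UserType from Guest to Member."""
    if event.get("operationName") != "Update user":
        return False
    for resource in event.get("targetResources", []):
        for prop in resource.get("modifiedProperties", []):
            if prop.get("displayName") != "UserType":
                continue  # the benign noise event never gets past this line
            if "Guest" in _decode(prop.get("oldValue")) and "Member" in _decode(prop.get("newValue")):
                return True
    return False

def matching_events(events):
    """Filter a batch of events; for the paired dataset exactly one should fire."""
    return [e for e in events if guest_changed_to_member(e)]
```

Running `matching_events(SAMPLE_EVENTS)` over the pair returns only the first event, which is the specificity property the noise event exists to verify.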