
Add attack_data for 3 Entra ID identity attack detections #1187

Open

descambiado wants to merge 1 commit into splunk:master from descambiado:add-entra-id-identity-attack-data

Conversation

@descambiado


Summary

Test data requested by @nasbench on splunk/security_content#4091 for the 3 Entra ID identity attack detections:

  • azure_ad_federated_identity_credential_added_to_service_principal.yml (T1098.001) — federated identity credential added to a service principal, pointing to an external GitHub Actions OIDC issuer
  • azure_ad_guest_user_type_changed_to_member.yml (T1098) — guest account UserType changed to Member
  • azure_ad_temporary_access_pass_created.yml (T1556.006, T1078.004) — Temporary Access Pass created for a Global Administrator account

Each dataset includes one true-positive event plus one benign noise event (unrelated property change on the same operation) to validate filter specificity. Tenant IDs, usernames, and IPs are synthetic/anonymized, following the existing azure_ad_enable_and_reset dataset format as a reference.

Related

Test plan

  • Confirm azure-audit.log / .yml pairs match the existing dataset schema for azure:monitor:aad sourcetype
  • Confirm each true-positive event fires the corresponding detection in security_content#4091

Commit

Test data for splunk/security_content PR #4091:
- azure_ad_federated_identity_credential_added_to_service_principal (T1098.001)
- azure_ad_guest_user_type_changed_to_member (T1098)
- azure_ad_temporary_access_pass_created (T1556.006, T1078.004)
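The validation the test plan describes, as an added example that is not the PR author's data and not the splunk/security_content detections themselves: a Python script that builds six constructed azure:monitor:aad-style audit records (one true positive plus one same-operation noise event per detection, as the Summary specifies) and runs a filter for each to confirm that only the true positive fires. Operation names, modifiedProperties names, the resultDescription strings, the trusted-issuer allowlist and the privileged-account set are assumptions chosen for illustration; the GitHub Actions OIDC issuer URL is the real one. The 198.51.100.0/24 address and contoso.example identities are synthetic.

```python
"""Filter-specificity check for the three Entra ID detections in this PR (added example,
not the PR's datasets or the security_content SPL). Events are constructed to resemble
azure:monitor:aad AuditLogs records; operation/property names and both lookups are assumed."""
import json
from urllib.parse import urlparse

GITHUB_OIDC = "https://token.actions.githubusercontent.com"  # real GitHub Actions OIDC issuer
TRUSTED_ISSUER_HOSTS = {"login.microsoftonline.com"}          # assumed issuer allowlist
PRIVILEGED_ACCOUNTS = {"ga-breakglass@contoso.example"}       # stands in for a role lookup


def _audit(op, actor, target, **extra):
    """One AuditLogs-style record with a synthetic actor and target (constructed)."""
    props = {"initiatedBy": {"user": {"userPrincipalName": actor, "ipAddress": "198.51.100.10"}},
             "targetResources": [target]}
    return {"operationName": op, "category": "AuditLogs", "properties": props, **extra}


def _prop(name, old, new):
    """Entra audit logs carry modifiedProperties old/new values as JSON-encoded strings."""
    return {"displayName": name, "oldValue": json.dumps(old), "newValue": json.dumps(new)}


_EVENTS = [
    # 1a true positive: federated credential trusting an external (GitHub Actions) issuer
    _audit("Update service principal", "alice@contoso.example",
           {"type": "ServicePrincipal", "displayName": "ci-deploy-sp", "modifiedProperties": [_prop(
               "FederatedIdentityCredentials", [], [{"issuer": GITHUB_OIDC,
               "subject": "repo:outsider/tools:ref:refs/heads/main",
               "audiences": ["api://AzureADTokenExchange"]}])]}),
    # 1b noise: same operation, unrelated property change
    _audit("Update service principal", "alice@contoso.example",
           {"type": "ServicePrincipal", "displayName": "ci-deploy-sp",
            "modifiedProperties": [_prop("DisplayName", ["ci-deploy-sp"], ["ci-deploy-sp-v2"])]}),
    # 2a true positive: guest promoted to member
    _audit("Update user", "bob@contoso.example",
           {"type": "User", "userPrincipalName": "guest_partner.example#EXT#@contoso.example",
            "modifiedProperties": [_prop("UserType", ["Guest"], ["Member"])]}),
    # 2b noise: same operation, department change only
    _audit("Update user", "bob@contoso.example",
           {"type": "User", "userPrincipalName": "carol@contoso.example",
            "modifiedProperties": [_prop("Department", ["Sales"], ["Finance"])]}),
    # 3a true positive: Temporary Access Pass registered for a Global Administrator
    _audit("Admin registered security info", "bob@contoso.example",
           {"type": "User", "userPrincipalName": "ga-breakglass@contoso.example"},
           resultDescription="Admin registered temporary access pass method for user"),
    # 3b noise: same operation, a phone method instead
    _audit("Admin registered security info", "bob@contoso.example",
           {"type": "User", "userPrincipalName": "dave@contoso.example"},
           resultDescription="Admin registered phone method for user"),
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _EVENTS)  # newline-delimited JSON, as ingested


def load_events(raw):
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def _decode(value):
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value


def _changes(ev, op, prop_name):
    """Yield (target, old, new) for one modified property on one operation name."""
    if ev.get("operationName") != op:
        return
    for target in ev.get("properties", {}).get("targetResources", []):
        for p in target.get("modifiedProperties", []):
            if p.get("displayName") == prop_name:
                yield target, _decode(p.get("oldValue")), _decode(p.get("newValue"))


def _actor(ev):
    return ev.get("properties", {}).get("initiatedBy", {}).get("user", {}).get("userPrincipalName")


def detect_federated_credential(events):
    """Fire when a federated credential is added whose issuer host is not allowlisted."""
    hits = []
    for ev in events:
        for target, _old, new in _changes(ev, "Update service principal", "FederatedIdentityCredentials"):
            for cred in (new if isinstance(new, list) else []):
                if (urlparse(cred.get("issuer", "")).hostname or "") not in TRUSTED_ISSUER_HOSTS:
                    hits.append({"sp": target.get("displayName"), "issuer": cred.get("issuer"),
                                 "subject": cred.get("subject"), "actor": _actor(ev)})
    return hits


def detect_guest_to_member(events):
    """Fire only on UserType Guest -> Member; other 'Update user' changes stay quiet."""
    hits = []
    for ev in events:
        for target, old, new in _changes(ev, "Update user", "UserType"):
            if "Guest" in (old or []) and "Member" in (new or []):
                hits.append({"user": target.get("userPrincipalName"), "actor": _actor(ev)})
    return hits


def detect_tap_created(events):
    """Fire on TAP registration and flag whether the target is a privileged account."""
    hits = []
    for ev in events:
        if ev.get("operationName") != "Admin registered security info":
            continue
        if "temporary access pass" not in ev.get("resultDescription", "").lower():
            continue
        for target in ev.get("properties", {}).get("targetResources", []):
            upn = target.get("userPrincipalName")
            hits.append({"user": upn, "privileged": upn in PRIVILEGED_ACCOUNTS, "actor": _actor(ev)})
    return hits


def run_all(raw=SAMPLE_LOG):
    """Run every detection over the log; with the sample each returns exactly one hit."""
    events = load_events(raw)
    return {"federated_credential": detect_federated_credential(events),
            "guest_to_member": detect_guest_to_member(events),
            "tap_created": detect_tap_created(events)}
```

Running `run_all()` over the constructed log returns one hit per detection and none for the three noise events, which is the property the PR's "one true positive plus one benign noise event" layout is meant to exercise. The federated-credential check keys on the issuer host rather than on the literal GitHub URL so that any non-tenant issuer is caught; the TAP check carries a `privileged` flag because the audit record itself does not state the target's directory role, so a real detection needs that enrichment from a role-membership lookup.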
