Data Source: Azure Audit Create or Update an Azure Automation account

Description

Data source object for Azure audit events (source and sourcetype mscs:azure:audit) whose operationName.localizedValue is "Create or Update an Azure Automation account".

Details

Property Value
Source mscs:azure:audit
Sourcetype mscs:azure:audit
Separator operationName.localizedValue

Supported Apps

Event Fields

Fields

- _time
- authorization.action
- authorization.scope
- caller
- channels
- claims.aio
- claims.altsecid
- claims.appid
- claims.appidacr
- claims.aud
- claims.exp
- claims.groups
- claims.http://schemas.microsoft.com/claims/authnclassreference
- claims.http://schemas.microsoft.com/claims/authnmethodsreferences
- claims.http://schemas.microsoft.com/identity/claims/identityprovider
- claims.http://schemas.microsoft.com/identity/claims/objectidentifier
- claims.http://schemas.microsoft.com/identity/claims/scope
- claims.http://schemas.microsoft.com/identity/claims/tenantid
- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
- claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- claims.iat
- claims.ipaddr
- claims.iss
- claims.name
- claims.nbf
- claims.puid
- claims.rh
- claims.uti
- claims.ver
- claims.wids
- claims.xms_tcdt
- correlationId
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- dest
- dvc
- eventDataId
- eventName.localizedValue
- eventName.value
- eventSource.localizedValue
- eventSource.value
- eventTimestamp
- host
- id
- index
- level
- linecount
- object
- object_id
- object_path
- operationId
- operationName.localizedValue
- operationName.value
- product
- properties.entity
- properties.eventCategory
- properties.hierarchy
- properties.message
- punct
- resourceGroupName
- resourceProviderName.localizedValue
- resourceProviderName.value
- resourceUri
- source
- sourcetype
- splunk_server
- status
- status.localizedValue
- status.value
- subStatus.value
- submissionTimestamp
- subscriptionId
- timeendpos
- timestartpos
- user
- user_name
- vendor
- vendor_product
- vendor_res_code

Example Log

{"authorization": {"action": "Microsoft.Automation/automationAccounts/write", "scope": "/subscriptions/67165197-75ea-4ca3-96a5-3e23868eacd0/resourcegroups/ResourceGroup1/providers/Microsoft.Automation/automationAccounts/TestAutomationAccount"}, "caller": "evilAdmin@contoso.com", "channels": "Operation", "claims": {"aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/ad251139-d600-4f45-a8ba-9f6ca1e5a93d/", "iat": "1661179930", "nbf": "1661179930", "exp": "1661185179", "http://schemas.microsoft.com/claims/authnclassreference": "1", "aio": "AWQAm/8TAAAATFEszAxfULi02mHZwJPr322a2w4m7xjhs9xgc61bVQITM6lcvJI17c8SKQGIWgIA0FysfS1bmLHdxImNfT26qJ5Sfc5UdTncHkz3UYu+AvgCW1gg1mRxOZEFXYdIlQ/h", "altsecid": "1:live.com:000161008492EF5F", "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd,mfa", "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appidacr": "2", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "evilAdmin@contoso.com", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Doe", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John", "groups": "ecb1fc87-1938-45ff-aaf3-661cee183b11", "http://schemas.microsoft.com/identity/claims/identityprovider": "live.com", "ipaddr": "190.0.0.1", "name": "John Doe", "http://schemas.microsoft.com/identity/claims/objectidentifier": "74b87c49-c202-4101-a8aa-ef18ecc815e8", "puid": "1003200203ECE231", "rh": "0.AX0AORElrQDWRU-oup9soeWpPUZIf3kAutdPukPawfj2MBOaAIM.", "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "VVjyH6MJP7pqXTBGCn4NMckGNjX-aYB_Oh7LcI9kaDw", "http://schemas.microsoft.com/identity/claims/tenantid": "ad251139-d600-4f45-a8ba-9f6ca1e5a93d", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "contoso.com#evilAdmin@contoso.com", "uti": "OyNAqM760kmqzxVr6jwtAA", "ver": "1.0", "wids": "62e90394-69f5-4237-9190-012177145e10", 
"xms_tcdt": "1654791641"}, "correlationId": "59e3de3b-b8c6-4360-9bc5-f094ebce6422", "description": "", "eventDataId": "b0a0bf02-57e5-4eb3-a36d-f2681d874637", "eventName": {"value": "EndRequest", "localizedValue": "End request"}, "eventSource": {"value": "Administrative", "localizedValue": "Administrative"}, "id": "/subscriptions/67165197-75ea-4ca3-96a5-3e23868eacd0/resourcegroups/ResourceGroup1/providers/Microsoft.Automation/automationAccounts/TestAutomationAccount/events/b0a0bf02-57e5-4eb3-a36d-f2681d874637/ticks/637967777618694806", "level": "Informational", "resourceGroupName": "ResourceGroup1", "resourceProviderName": {"value": "Microsoft.Automation", "localizedValue": "Microsoft.Automation"}, "resourceUri": "/subscriptions/67165197-75ea-4ca3-96a5-3e23868eacd0/resourcegroups/ResourceGroup1/providers/Microsoft.Automation/automationAccounts/TestAutomationAccount", "operationId": "6a420172-1ccd-4144-ac12-3095b4019ed5", "operationName": {"value": "Microsoft.Automation/automationAccounts/write", "localizedValue": "Create or Update an Azure Automation account"}, "properties": {"eventCategory": "Administrative", "entity": "/subscriptions/67165197-75ea-4ca3-96a5-3e23868eacd0/resourcegroups/ResourceGroup1/providers/Microsoft.Automation/automationAccounts/TestAutomationAccount", "message": "Microsoft.Automation/automationAccounts/write", "hierarchy": "67165197-75ea-4ca3-96a5-3e23868eacd0"}, "status": {"value": "Succeeded", "localizedValue": "Succeeded"}, "subStatus": {"value": "", "localizedValue": ""}, "eventTimestamp": "2022-08-22T15:09:21.8694806Z", "submissionTimestamp": "2022-08-22T15:10:51.152208Z", "subscriptionId": "67165197-75ea-4ca3-96a5-3e23868eacd0"}

Source: GitHub | Version: 1