Data Source: Azure Audit Create or Update an Azure Automation Runbook

Description

Data source object for Azure audit events whose operationName.localizedValue is "Create or Update an Azure Automation Runbook" (operationName.value "Microsoft.Automation/automationAccounts/runbooks/write").

Details

Property Value
Source mscs:azure:audit
Sourcetype mscs:azure:audit
Separator operationName.localizedValue

Supported Apps

Event Fields

+ Fields
  _time
  authorization.action
  authorization.scope
  caller
  channels
  claims.aio
  claims.altsecid
  claims.appid
  claims.appidacr
  claims.aud
  claims.exp
  claims.groups
  claims.http://schemas.microsoft.com/claims/authnclassreference
  claims.http://schemas.microsoft.com/claims/authnmethodsreferences
  claims.http://schemas.microsoft.com/identity/claims/identityprovider
  claims.http://schemas.microsoft.com/identity/claims/objectidentifier
  claims.http://schemas.microsoft.com/identity/claims/scope
  claims.http://schemas.microsoft.com/identity/claims/tenantid
  claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
  claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  claims.iat
  claims.ipaddr
  claims.iss
  claims.name
  claims.nbf
  claims.puid
  claims.rh
  claims.uti
  claims.ver
  claims.wids
  claims.xms_tcdt
  correlationId
  date_hour
  date_mday
  date_minute
  date_month
  date_second
  date_wday
  date_year
  date_zone
  dest
  dvc
  eventDataId
  eventName.localizedValue
  eventName.value
  eventSource.localizedValue
  eventSource.value
  eventTimestamp
  host
  id
  index
  level
  linecount
  object
  object_id
  object_path
  operationId
  operationName.localizedValue
  operationName.value
  product
  properties.entity
  properties.eventCategory
  properties.hierarchy
  properties.message
  punct
  resourceGroupName
  resourceProviderName.localizedValue
  resourceProviderName.value
  resourceUri
  source
  sourcetype
  splunk_server
  status
  status.localizedValue
  status.value
  subStatus.value
  submissionTimestamp
  subscriptionId
  timeendpos
  timestartpos
  user
  user_name
  vendor
  vendor_product
  vendor_res_code

Example Log

{"authorization": {"action": "Microsoft.Automation/automationAccounts/runbooks/write", "scope": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourceGroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook"}, "caller": "evilAdmin@contoso.com", "channels": "Operation", "claims": {"aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/ad251139-d600-4f45-a8ba-9f6ca1e5a93d/", "iat": "1661194261", "nbf": "1661194261", "exp": "1661198249", "http://schemas.microsoft.com/claims/authnclassreference": "1", "aio": "AWQAm/8TAAAA3iMcbqqPPdXPATT7oalIKsh6wEFsyQ+zUVCshaLu77xsLlt067TtI11gy5hAx+z905hrX1VBehDGaedvEg2UF0BSbHVL9bJrry4zk3Xt+HNt5dTXDDgABOFuNB4QJBUW", "altsecid": "1:live.com:000161008492EF5F", "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd,mfa", "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appidacr": "2", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "evilAdmin@contoso.com", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Doe", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John", "groups": "ecb1fc87-1938-45ff-aaf3-661cee183b11", "http://schemas.microsoft.com/identity/claims/identityprovider": "live.com", "ipaddr": "190.0.0.1", "name": "John Doe", "http://schemas.microsoft.com/identity/claims/objectidentifier": "74b87c49-c202-4101-a8aa-ef18ecc815e8", "puid": "1003200203ECE231", "rh": "0.AX0AORElrQDWRU-oup9soeWpPUZIf3kAutdPukPawfj2MBOaAIM.", "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "VVjyH6MJP7pqXTBGCn4NMckGNjX-aYB_Oh7LcI9kaDw", "http://schemas.microsoft.com/identity/claims/tenantid": "ad251139-d600-4f45-a8ba-9f6ca1e5a93d", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "contoso.com#evilAdmin@contoso.com", "uti": "YMAP5fOmMkuuBUgBe-Z5AA", "ver": "1.0", "wids": "62e90394-69f5-4237-9190-012177145e10", "xms_tcdt": "1654791641"}, "correlationId": "49b945c0-966a-48d8-b79b-31f184544594", "description": "", "eventDataId": "303f17eb-10cb-458f-8a80-683f40f123a2", "eventName": {"value": "EndRequest", "localizedValue": "End request"}, "eventSource": {"value": "Administrative", "localizedValue": "Administrative"}, "id": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourcegroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook/events/303f17eb-10cb-458f-8a80-683f40f123a2/ticks/637967920541346086", "level": "Informational", "resourceGroupName": "resourceGroup1", "resourceProviderName": {"value": "Microsoft.Automation", "localizedValue": "Microsoft.Automation"}, "resourceUri": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourcegroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook", "operationId": "b6e30ace-986c-4735-980f-926db0b43336", "operationName": {"value": "Microsoft.Automation/automationAccounts/runbooks/write", "localizedValue": "Create or Update an Azure Automation Runbook"}, "properties": {"eventCategory": "Administrative", "entity": "/subscriptions/1aee0e3d-b75b-440a-a927-76f0552a14e6/resourcegroups/resourceGroup1/providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/runbooks/SuspiciousRunbook", "message": "Microsoft.Automation/automationAccounts/runbooks/write", "hierarchy": "1aee0e3d-b75b-440a-a927-76f0552a14e6"}, "status": {"value": "Succeeded", "localizedValue": "Succeeded"}, "subStatus": {"value": "", "localizedValue": ""}, "eventTimestamp": "2022-08-22T19:07:34.1346086Z", "submissionTimestamp": "2022-08-22T19:08:54.1547383Z", "subscriptionId": "1aee0e3d-b75b-440a-a927-76f0552a14e6"}

Source: GitHub | Version: 1