Data Source: Azure Audit Create or Update an Azure Automation webhook

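Azure activity (audit) log event recorded when a webhook is created or updated on an Azure Automation account (operation `Microsoft.Automation/automationAccounts/webhooks/write`). A webhook lets an HTTP request start a runbook without an interactive sign-in, so an unexpected write is worth reviewing as a possible persistence mechanism. The `caller`, `claims.ipaddr`, `httpRequest.clientIpAddress` and `resourceUri` fields show who created which webhook and from where.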

Property Value
Source mscs:azure:audit
Sourcetype mscs:azure:audit
Separator operationName.localizedValue
Fields

The following fields are available at search time. `_time`, `date_*`, `host`, `index`, `linecount`, `punct`, `source`, `sourcetype`, `splunk_server`, `timeendpos` and `timestartpos` are Splunk default fields and are not part of the Azure event itself.

_time
authorization.action
authorization.scope
caller
channels
claims.aio
claims.altsecid
claims.appid
claims.appidacr
claims.aud
claims.exp
claims.groups
claims.http://schemas.microsoft.com/claims/authnclassreference
claims.http://schemas.microsoft.com/claims/authnmethodsreferences
claims.http://schemas.microsoft.com/identity/claims/identityprovider
claims.http://schemas.microsoft.com/identity/claims/objectidentifier
claims.http://schemas.microsoft.com/identity/claims/scope
claims.http://schemas.microsoft.com/identity/claims/tenantid
claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
claims.iat
claims.ipaddr
claims.iss
claims.name
claims.nbf
claims.puid
claims.rh
claims.uti
claims.ver
claims.wids
claims.xms_tcdt
correlationId
date_hour
date_mday
date_minute
date_month
date_second
date_wday
date_year
date_zone
dest
dvc
eventDataId
eventName.localizedValue
eventName.value
eventSource.localizedValue
eventSource.value
eventTimestamp
host
httpRequest.clientIpAddress
httpRequest.clientRequestId
httpRequest.method
id
index
level
linecount
object
object_id
object_path
operationId
operationName.localizedValue
operationName.value
product
properties.entity
properties.eventCategory
properties.hierarchy
properties.message
properties.serviceRequestId
properties.statusCode
punct
resourceGroupName
resourceProviderName.localizedValue
resourceProviderName.value
resourceUri
result
result_id
source
sourcetype
splunk_server
src
status
status.localizedValue
status.value
subStatus.localizedValue
subStatus.value
submissionTimestamp
subscriptionId
timeendpos
timestartpos
user
user_name
vendor
vendor_product
vendor_res_code
1{"authorization": {"action": "Microsoft.Automation/automationAccounts/webhooks/write", "scope": "/subscriptions/e0c00901-96b2-4151-80f7-746e24c03e98/resourceGroups/resourceGroup1providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/webhooks/MaliciousWebHook"}, "caller": "evilAdmin@contoso.com", "channels": "Operation", "claims": {"aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/ad251139-d600-4f45-a8ba-9f6ca1e5a93d/", "iat": "1661287859", "nbf": "1661287859", "exp": "1661293423", "http://schemas.microsoft.com/claims/authnclassreference": "1", "aio": "AWQAm/8TAAAAEendcgWjYQFuDhNNhoecwU3dpXjjenSsIvjamk77+TjLK/o1xkFGcFb1A+OVyuY+xefe0X39n8lx1iFWFqGo0GSNNKhm9OQcv/0UyXiaNIbKD7wisgQhAa9DoIyObMpO", "altsecid": "1:contoso.com:000161008492EF5F", "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd,mfa", "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appidacr": "2", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "evilAdmin@contosol.com", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Doe", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John", "groups": "ecb1fc87-1938-45ff-aaf3-661cee183b11", "http://schemas.microsoft.com/identity/claims/identityprovider": "contoso.com", "ipaddr": "190.0.0.1", "name": "John Doe", "http://schemas.microsoft.com/identity/claims/objectidentifier": "74b87c49-c202-4101-a8aa-ef18ecc815e8", "puid": "1003200203ECE231", "rh": "0.AX0AORElrQDWRU-oup9soeWpPUZIf3kAutdPukPawfj2MBOaAIM.", "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "VVjyH6MJP7pqXTBGCn4NMckGNjX-aYB_Oh7LcI9kaDw", "http://schemas.microsoft.com/identity/claims/tenantid": "ad251139-d600-4f45-a8ba-9f6ca1e5a93d", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "contoso.com#evilAdmin@contoso.com", "uti": "epgtY-85CUeb6aJpaE0KAQ", "ver": "1.0", "wids": 
"62e90394-69f5-4237-9190-012177145e10", "xms_tcdt": "1654791641"}, "correlationId": "74e18a58-ee2e-40de-890d-de0c155f7086", "description": "", "eventDataId": "35b9db88-8041-413e-8dd7-f8dc243eafdd", "eventName": {"value": "EndRequest", "localizedValue": "End request"}, "eventSource": {"value": "Administrative", "localizedValue": "Administrative"}, "httpRequest": {"clientRequestId": "6934b40a-c11f-4379-9ef1-c6fa3cee5015", "clientIpAddress": "190.0.0.1", "method": "PUT"}, "id": "/subscriptions/e0c00901-96b2-4151-80f7-746e24c03e98/resourceGroups/resourceGroup1providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/webhooks/MaliciousWebHook/events/35b9db88-8041-413e-8dd7-f8dc243eafdd/ticks/637968850422707386", "level": "Informational", "resourceGroupName": "eventhub_rg", "resourceProviderName": {"value": "Microsoft.Automation", "localizedValue": "Microsoft.Automation"}, "resourceUri": "/subscriptions/e0c00901-96b2-4151-80f7-746e24c03e98/resourceGroups/resourceGroup1providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/webhooks/MaliciousWebHook", "operationId": "74e18a58-ee2e-40de-890d-de0c155f7086", "operationName": {"value": "Microsoft.Automation/automationAccounts/webhooks/write", "localizedValue": "Create or Update an Azure Automation webhook"}, "properties": {"statusCode": "Created", "serviceRequestId": null, "eventCategory": "Administrative", "entity": "/subscriptions/e0c00901-96b2-4151-80f7-746e24c03e98/resourceGroups/resourceGroup1providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/webhooks/MaliciousWebHook", "message": "Microsoft.Automation/automationAccounts/webhooks/write", "hierarchy": "e0c00901-96b2-4151-80f7-746e24c03e98"}, "status": {"value": "Succeeded", "localizedValue": "Succeeded"}, "subStatus": {"value": "Created", "localizedValue": "Created (HTTP Status Code: 201)"}, "eventTimestamp": "2022-08-23T20:57:22.2707386Z", "submissionTimestamp": "2022-08-23T20:58:54.2071536Z", 
"subscriptionId": "e0c00901-96b2-4151-80f7-746e24c03e98"}

Source: GitHub | Version: 2