Data Source: O365 Add service principal.

Date: 2024-07-18

ID: 9c1ef9f5-bc30-4a47-a1bd-cb34484ee778

Author: Patrick Bareiss, Splunk

Description

Data source object for O365 Add service principal.

Details

Property	Value
Source	`o365`
Sourcetype	`o365:management:activity`
Separator	Operation

Supported Apps

Splunk Add-on for Microsoft Office 365 (version 4.5.1)

Event Fields

+ Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">ActorContextId</span>
  
  <span class="pill kill-chain">Actor{}.ID</span>
  
  <span class="pill kill-chain">Actor{}.Type</span>
  
  <span class="pill kill-chain">AzureActiveDirectoryEventType</span>
  
  <span class="pill kill-chain">CreationTime</span>
  
  <span class="pill kill-chain">ExtendedProperties{}.Name</span>
  
  <span class="pill kill-chain">ExtendedProperties{}.Value</span>
  
  <span class="pill kill-chain">Id</span>
  
  <span class="pill kill-chain">InterSystemsId</span>
  
  <span class="pill kill-chain">IntraSystemId</span>
  
  <span class="pill kill-chain">ModifiedProperties{}.Name</span>
  
  <span class="pill kill-chain">ModifiedProperties{}.NewValue</span>
  
  <span class="pill kill-chain">ModifiedProperties{}.OldValue</span>
  
  <span class="pill kill-chain">ObjectId</span>
  
  <span class="pill kill-chain">Operation</span>
  
  <span class="pill kill-chain">OrganizationId</span>
  
  <span class="pill kill-chain">RecordType</span>
  
  <span class="pill kill-chain">ResultStatus</span>
  
  <span class="pill kill-chain">SupportTicketId</span>
  
  <span class="pill kill-chain">TargetContextId</span>
  
  <span class="pill kill-chain">Target{}.ID</span>
  
  <span class="pill kill-chain">Target{}.Type</span>
  
  <span class="pill kill-chain">UserId</span>
  
  <span class="pill kill-chain">UserKey</span>
  
  <span class="pill kill-chain">UserType</span>
  
  <span class="pill kill-chain">Version</span>
  
  <span class="pill kill-chain">Workload</span>
  
  <span class="pill kill-chain">action</span>
  
  <span class="pill kill-chain">additionalDetails</span>
  
  <span class="pill kill-chain">app</span>
  
  <span class="pill kill-chain">authentication_service</span>
  
  <span class="pill kill-chain">change_type</span>
  
  <span class="pill kill-chain">command</span>
  
  <span class="pill kill-chain">dataset_name</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">dest_name</span>
  
  <span class="pill kill-chain">dvc</span>
  
  <span class="pill kill-chain">event_type</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">extendedAuditEventCategory</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">object_attrs</span>
  
  <span class="pill kill-chain">object_category</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">record_type</span>
  
  <span class="pill kill-chain">signature</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">src_user</span>
  
  <span class="pill kill-chain">status</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
  <span class="pill kill-chain">user</span>
  
  <span class="pill kill-chain">user_agent</span>
  
  <span class="pill kill-chain">user_agent_change</span>
  
  <span class="pill kill-chain">user_id</span>
  
  <span class="pill kill-chain">user_type</span>
  
  <span class="pill kill-chain">vendor_account</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
</div>

Example Log

1{"CreationTime": "2024-02-07T22:31:14", "Id": "f624ed92-b4a2-4d42-aa8b-20a261d06b7f", "Operation": "Add service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "e06366ca-8489-4748-b6a2-d7e4332f45c1", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\",\"AppId\":\"e06366ca-8489-4748-b6a2-d7e4332f45c1\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "AccountEnabled", "NewValue": "[\r\n  true\r\n]", "OldValue": "[]"}, {"Name": "AppPrincipalId", "NewValue": "[\r\n  \"e06366ca-8489-4748-b6a2-d7e4332f45c1\"\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n  \"Malicious11\"\r\n]", "OldValue": "[]"}, {"Name": "ServicePrincipalName", "NewValue": "[\r\n  \"e06366ca-8489-4748-b6a2-d7e4332f45c1\"\r\n]", "OldValue": "[]"}, {"Name": "Credential", "NewValue": "[\r\n  {\r\n    \"CredentialType\": 2,\r\n    \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n    \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n  }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "e06366ca-8489-4748-b6a2-d7e4332f45c1", "OldValue": ""}], "Actor": [{"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "ea473f15-64b3-435a-a885-6ee3908919e2", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_2dedf863-ac93-4f45-87b3-e32f48145380", "Type": 2}, {"ID": "2dedf863-ac93-4f45-87b3-e32f48145380", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "Malicious11", "Type": 1}, {"ID": "e06366ca-8489-4748-b6a2-d7e4332f45c1", "Type": 2}, {"ID": "e06366ca-8489-4748-b6a2-d7e4332f45c1", "Type": 4}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"}

Source: GitHub | Version: 1