Data Source: O365 Add app role assignment grant to user.

Description

Data source object for the O365 management-activity event `Add app role assignment grant to user.`, emitted by the Azure Active Directory workload (`Workload: AzureActiveDirectory`, `RecordType: 8` in the example below) when an application role defined on an enterprise application / service principal is granted to a user. In the example the target application is the AWS SAML integration (`ObjectId: https://signin.aws.amazon.com/saml;...`) and the granted `AppRole.Value` is an AWS IAM role ARN paired with a SAML-provider ARN, so the event records a user being given federated access to an AWS account. Security relevance: an actor with sufficient Azure AD privilege can use this operation to grant themselves or another account roles in downstream SaaS or cloud applications — a privilege-escalation and persistence path that crosses the identity boundary and does not show up in the downstream provider's own IAM change logs. Fields a detection should key on: `UserId` / `ActorIpAddress` (who performed the grant and from where), the `ModifiedProperties{}` entries `User.UPN` / `User.ObjectID` (the account receiving the role — in the example a different user than the actor), `AppRole.Value` / `AppRole.DisplayName` (what was granted), `Target{}` / `ObjectId` (the application), and `ResultStatus` (only `Success` reflects an effective change). `ModifiedProperties{}` and `Target{}` are multi-valued; `ModifiedProperties{}.Name` and `ModifiedProperties{}.NewValue` appear to be parallel multivalue fields, so pair them by position (or re-extract from the raw JSON) rather than filtering one independently of the other.

Details

Property Value
Source o365
Sourcetype o365:management:activity
Separator Operation — events for this data source are distinguished from other `o365:management:activity` events by the `Operation` field; the value is the literal string `Add app role assignment grant to user.` (trailing period included), so an exact-match filter must include it.

Supported Apps

Event Fields

Fields
- _time
- ActorContextId
- ActorIpAddress
- Actor{}.ID
- Actor{}.Type
- AzureActiveDirectoryEventType
- ClientIP
- CreationTime
- ExtendedProperties{}.Name
- ExtendedProperties{}.Value
- Id
- InterSystemsId
- IntraSystemId
- ModifiedProperties{}.Name
- ModifiedProperties{}.NewValue
- ModifiedProperties{}.OldValue
- ObjectId
- Operation
- OrganizationId
- RecordType
- ResultStatus
- SupportTicketId
- TargetContextId
- Target{}.ID
- Target{}.Type
- UserId
- UserKey
- UserType
- Version
- Workload
- additionalDetails
- app
- authentication_service
- command
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- dest
- dest_name
- dvc
- event_type
- extendedAuditEventCategory
- extended_properties
- host
- index
- linecount
- object
- punct
- record_type
- signature
- source
- sourcetype
- splunk_server
- src
- src_ip
- src_user
- status
- timeendpos
- timestartpos
- user
- user_id
- user_type
- vendor_account
- vendor_product

Example Log (a single raw JSON event from a test tenant; the tenant name, object IDs, IP address and the `111111111111` AWS account ID appear to be sample or placeholder values and must not be used as detection constants)

1{"Actor": [{"ID": "rodsoto@rodsoto.onmicrosoft.com", "Type": 5}, {"ID": "10037FFEA938FB92", "Type": 3}, {"ID": "74658136-14ec-4630-ad9b-26e160ff0fc6", "Type": 2}, {"ID": "User_bfb8c366-0406-41a5-b3e3-328f4a3b4484", "Type": 2}, {"ID": "bfb8c366-0406-41a5-b3e3-328f4a3b4484", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "ActorIpAddress": "40.124.84.4", "AzureActiveDirectoryEventType": 1, "ClientIP": "40.124.84.4", "CreationTime": "2021-01-19T22:21:39", "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{}"}, {"Name": "extendedAuditEventCategory", "Value": "User"}], "Id": "8b9e5417-c310-4382-89da-c0f25c5c0576", "InterSystemsId": "85c80877-c529-4487-8f44-48760767cc6c", "IntraSystemId": "6fc81447-9c94-4734-8bd7-307bb699c04e", "ModifiedProperties": [{"Name": "AppRole.Id", "NewValue": "97edced9-9f34-4eef-9b49-84a5ebcd5167", "OldValue": ""}, {"Name": "AppRole.Value", "NewValue": "arn:aws:iam::111111111111:role/rodonmicrotestrole,arn:aws:iam::111111111111:saml-provider/rodsotoonmicrosoft", "OldValue": ""}, {"Name": "AppRole.DisplayName", "NewValue": "rodonmicrotestrole,rodsotoonmicrosoft", "OldValue": ""}, {"Name": "User.ObjectID", "NewValue": "7646f1a9-620c-4630-b5e4-b02838be5562", "OldValue": ""}, {"Name": "User.UPN", "NewValue": "vagrant@rodsoto.onmicrosoft.com", "OldValue": ""}, {"Name": "User.PUID", "NewValue": "100320010972E450", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "https://signin.aws.amazon.com/saml;3e71560f-3e31-45ab-b439-46328fe55b88", "OldValue": ""}], "ObjectId": "https://signin.aws.amazon.com/saml;3e71560f-3e31-45ab-b439-46328fe55b88", "Operation": "Add app role assignment grant to user.", "OrganizationId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "RecordType": 8, "ResultStatus": "Success", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_9fd10db9-dfe2-4d74-a724-c837eb8764d9", "Type": 2}, {"ID": "9fd10db9-dfe2-4d74-a724-c837eb8764d9", "Type": 2}, {"ID": 
"ServicePrincipal", "Type": 2}, {"ID": "Amazon Web Services (AWS)", "Type": 1}, {"ID": "3e71560f-3e31-45ab-b439-46328fe55b88", "Type": 2}, {"ID": "https://signin.aws.amazon.com/saml;3e71560f-3e31-45ab-b439-46328fe55b88", "Type": 4}], "TargetContextId": "0e8108b1-18e9-41a4-961b-dfcddf92ef08", "UserId": "rodsoto@rodsoto.onmicrosoft.com", "UserKey": "10037FFEA938FB92@rodsoto.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory"}

Source: GitHub | Version: 1