From 17238736174606f21cfc81500b78856de8fba24d Mon Sep 17 00:00:00 2001 From: DavidHernan3 Date: Wed, 20 May 2026 18:06:39 +0200 Subject: [PATCH 1/7] Add detection: Azure AD Temporary Access Pass created Detects TAP creation for Azure AD users via AuditLogs. TAPs bypass all authentication requirements including MFA and FIDO2. Covers T1556.006 and T1078.004. --- ...azure_ad_temporary_access_pass_created.yml | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 detections/cloud/azure_ad_temporary_access_pass_created.yml diff --git a/detections/cloud/azure_ad_temporary_access_pass_created.yml b/detections/cloud/azure_ad_temporary_access_pass_created.yml new file mode 100644 index 0000000000..bdd39288ee --- /dev/null +++ b/detections/cloud/azure_ad_temporary_access_pass_created.yml @@ -0,0 +1,73 @@ +name: Azure AD Temporary Access Pass Created +id: f820b423-7299-4bb6-9bf3-860bd475cddb +version: 1 +date: '2026-05-20' +author: descambiado +status: production +type: TTP +description: The following analytic detects the creation of a Temporary Access Pass (TAP) for an Azure AD user. It leverages Azure Active Directory AuditLogs to identify the "Create Temporary Access Pass method for user" operation. TAPs are time-limited passcodes that bypass all authentication requirements including MFA and FIDO2 - an attacker who creates a TAP for a compromised account can sign in from any location without any additional factor. If confirmed malicious, this activity provides an attacker with an unchallenged authentication path into the affected account. +data_source: + - Azure Active Directory Create Temporary Access Pass method for user +search: |- + `azure_monitor_aad` category=AuditLogs operationName="Create Temporary Access Pass method for user" + | rename properties.* as * + | rename initiatedBy.user.userPrincipalName as initiatedBy + | rename initiatedBy.app.displayName as initiatedByApp + | eval actor = coalesce(initiatedBy, initiatedByApp) + | rename targetResources{}.userPrincipalName as targetUser + | rename userAgent as user_agent + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime + BY dest user src + vendor_account vendor_product user_agent + actor targetUser signature + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `azure_ad_temporary_access_pass_created_filter` +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. +known_false_positives: IT administrators legitimately create TAPs for users who are locked out or onboarding a new passwordless authentication method. The key differentiators are the actor and timing - a helpdesk account creating a TAP for a user who just reported a lockout is expected; an unfamiliar actor creating a TAP outside business hours or for a high-privilege account warrants investigation. +references: + - https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass + - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods + - https://attack.mitre.org/techniques/T1556/006/ + - https://attack.mitre.org/techniques/T1078/004/ +drilldown_searches: + - name: View the detection results for - "$targetUser$" + search: '%original_detection_search% | search targetUser = "$targetUser$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$targetUser$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$targetUser$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: 7d + latest_offset: "0" +rba: + message: A Temporary Access Pass was created for user $targetUser$ by $actor$ + risk_objects: + - field: targetUser + type: user + score: 70 + - field: actor + type: user + score: 50 + threat_objects: + - field: src + type: ip_address +tags: + analytic_story: + - Azure Active Directory Persistence + - Azure Active Directory Account Takeover + asset_type: Azure Active Directory + mitre_attack_id: + - T1556.006 + - T1078.004 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/azure_ad_temporary_access_pass/azure-audit.log + source: Azure AD + sourcetype: azure:monitor:aad From 510413f553b8ce8ee5c756843b2c03be85b0aadf Mon Sep 17 00:00:00 2001 From: DavidHernan3 Date: Wed, 20 May 2026 18:06:39 +0200 Subject: [PATCH 2/7] Add detection: Azure AD guest user type changed to member Detects UserType property changes from Guest to Member in Azure AD via Update user AuditLogs. Uses mvfind/mvindex to filter modifiedProperties. Covers T1098. --- ...e_ad_guest_user_type_changed_to_member.yml | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 detections/cloud/azure_ad_guest_user_type_changed_to_member.yml diff --git a/detections/cloud/azure_ad_guest_user_type_changed_to_member.yml b/detections/cloud/azure_ad_guest_user_type_changed_to_member.yml new file mode 100644 index 0000000000..7a215a6fa0 --- /dev/null +++ b/detections/cloud/azure_ad_guest_user_type_changed_to_member.yml @@ -0,0 +1,73 @@ +name: Azure AD Guest User Type Changed To Member +id: 487e9b86-49dc-48a9-bbb3-747df56b4db0 +version: 1 +date: '2026-05-20' +author: descambiado +status: production +type: TTP +description: The following analytic detects when an Azure AD guest user account has its UserType property changed from Guest to Member. It leverages Azure Active Directory AuditLogs for the "Update user" operation and filters on the UserType modifiedProperty. Guest accounts carry inherent restrictions on tenant resource access; elevating to Member removes those restrictions. If confirmed malicious, this activity indicates an attacker is expanding the capabilities of a compromised or attacker-controlled guest account to gain broader access to tenant resources. +data_source: + - Azure Active Directory Update user +search: |- + `azure_monitor_aad` category=AuditLogs operationName="Update user" + | rename properties.* as * + | rename initiatedBy.user.userPrincipalName as initiatedBy + | rename initiatedBy.app.displayName as initiatedByApp + | eval actor = coalesce(initiatedBy, initiatedByApp) + | rename targetResources{}.userPrincipalName as targetUser + | rename userAgent as user_agent + | eval index_number = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "UserType") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "UserType"), -1) + | search index_number >= 0 + | eval newUserType = mvindex('targetResources{}.modifiedProperties{}.newValue', index_number) + | search newUserType="*Member*" + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime + BY dest user src + vendor_account vendor_product user_agent + actor targetUser newUserType signature + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `azure_ad_guest_user_type_changed_to_member_filter` +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. +known_false_positives: Legitimate conversion of a guest account to a member account can occur when a contractor becomes a full-time employee or when an organization consolidates external identities. Validate the actor, target user, and whether a change management record exists for the conversion. +references: + - https://learn.microsoft.com/en-us/entra/fundamentals/users-default-permissions + - https://learn.microsoft.com/en-us/entra/identity/users/users-restrict-guest-permissions + - https://attack.mitre.org/techniques/T1098/ +drilldown_searches: + - name: View the detection results for - "$targetUser$" + search: '%original_detection_search% | search targetUser = "$targetUser$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$targetUser$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$targetUser$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: 7d + latest_offset: "0" +rba: + message: Guest account $targetUser$ was promoted to Member by $actor$ + risk_objects: + - field: targetUser + type: user + score: 50 + - field: actor + type: user + score: 50 + threat_objects: [] +tags: + analytic_story: + - Azure Active Directory Persistence + - Azure Active Directory Privilege Escalation + asset_type: Azure Active Directory + mitre_attack_id: + - T1098 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_guest_user_type_changed_to_member/azure-audit.log + source: Azure AD + sourcetype: azure:monitor:aad From edeb98830dcb09de4bfe47a30a90f4982d3e111a Mon Sep 17 00:00:00 2001 From: DavidHernan3 Date: Wed, 20 May 2026 18:06:40 +0200 Subject: [PATCH 3/7] Add detection: Azure AD federated identity credential added to SP Detects federated credential additions to service principals via Update service principal AuditLogs. Workload identity federation enables secretless external OIDC authentication as the SP. Covers T1098.001. --- ...erated_identity_credential_added_to_sp.yml | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 detections/cloud/azure_ad_federated_identity_credential_added_to_sp.yml diff --git a/detections/cloud/azure_ad_federated_identity_credential_added_to_sp.yml b/detections/cloud/azure_ad_federated_identity_credential_added_to_sp.yml new file mode 100644 index 0000000000..ec0f201a87 --- /dev/null +++ b/detections/cloud/azure_ad_federated_identity_credential_added_to_sp.yml @@ -0,0 +1,73 @@ +name: Azure AD Federated Identity Credential Added To Service Principal +id: bfa745d4-4e43-4ff1-ad15-2f663fdf5cbf +version: 1 +date: '2026-05-20' +author: descambiado +status: production +type: TTP +description: The following analytic detects additions of federated identity credentials to Entra ID service principals. It leverages Azure Active Directory AuditLogs for the "Update service principal" operation and filters on the FederatedIdentityCredentials modifiedProperty. Workload identity federation allows external OIDC workloads such as GitHub Actions or Kubernetes to authenticate as the SP without a secret. If an attacker adds a federated credential pointing to a controlled OIDC issuer, they gain a persistent secretless authentication path into the SP that survives credential rotations and is not visible in standard secrets monitoring. +data_source: + - Azure Active Directory Update service principal +search: |- + `azure_monitor_aad` category=AuditLogs operationName="Update service principal" + | rename properties.* as * + | rename initiatedBy.user.userPrincipalName as initiatedBy + | rename initiatedBy.app.displayName as initiatedByApp + | eval actor = coalesce(initiatedBy, initiatedByApp) + | rename targetResources{}.displayName as targetSpName + | rename userAgent as user_agent + | eval index_number = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "FederatedIdentityCredentials") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "FederatedIdentityCredentials"), -1) + | search index_number >= 0 + | eval newCreds = mvindex('targetResources{}.modifiedProperties{}.newValue', index_number) + | eval oldCreds = mvindex('targetResources{}.modifiedProperties{}.oldValue', index_number) + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime + BY dest user src + vendor_account vendor_product user_agent + actor targetSpName newCreds oldCreds signature + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `azure_ad_federated_identity_credential_added_to_sp_filter` +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. +known_false_positives: Platform engineers legitimately configure federated credentials when setting up GitHub Actions OIDC federation, Kubernetes Workload Identity, or other secretless CI/CD patterns. Validate the actor, the target SP, and whether the issuer in newCreds corresponds to a known trusted OIDC provider. Unknown issuers or overly permissive subject claims in the newCreds JSON warrant immediate investigation. +references: + - https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation + - https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation-create-trust + - https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect + - https://attack.mitre.org/techniques/T1098/001/ +drilldown_searches: + - name: View the detection results for - "$targetSpName$" + search: '%original_detection_search% | search targetSpName = "$targetSpName$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$actor$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$actor$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: 7d + latest_offset: "0" +rba: + message: A federated identity credential was added to service principal $targetSpName$ by $actor$ + risk_objects: + - field: actor + type: user + score: 50 + threat_objects: + - field: src + type: ip_address +tags: + analytic_story: + - Azure Active Directory Persistence + - NOBELIUM Group + asset_type: Azure Active Directory + mitre_attack_id: + - T1098.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: identity +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/azure_ad_federated_identity_credential/azure-audit.log + source: Azure AD + sourcetype: azure:monitor:aad From 1ca3d626774f38443719e7dc99b90b08319e6e33 Mon Sep 17 00:00:00 2001 From: DavidHernan3 Date: Fri, 22 May 2026 02:01:20 +0200 Subject: [PATCH 4/7] fix: resolve appinspect failures in Entra ID detections azure_ad_federated_identity_credential_added_to_sp: filter macro renamed from azure_ad_federated_identity_credential_added_to_sp_filter to azure_ad_federated_identity_credential_added_to_service_principal_filter to match the detection name field as required by appinspect. azure_ad_temporary_access_pass_created: data_source updated from the non-existent "Create Temporary Access Pass method for user" catalog entry to the valid "Azure Active Directory Update user" entry. --- .../azure_ad_federated_identity_credential_added_to_sp.yml | 2 +- detections/cloud/azure_ad_temporary_access_pass_created.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/cloud/azure_ad_federated_identity_credential_added_to_sp.yml b/detections/cloud/azure_ad_federated_identity_credential_added_to_sp.yml index ec0f201a87..0bf98f1298 100644 --- a/detections/cloud/azure_ad_federated_identity_credential_added_to_sp.yml +++ b/detections/cloud/azure_ad_federated_identity_credential_added_to_sp.yml @@ -27,7 +27,7 @@ search: |- actor targetSpName newCreds oldCreds signature | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `azure_ad_federated_identity_credential_added_to_sp_filter` + | `azure_ad_federated_identity_credential_added_to_service_principal_filter` how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. known_false_positives: Platform engineers legitimately configure federated credentials when setting up GitHub Actions OIDC federation, Kubernetes Workload Identity, or other secretless CI/CD patterns. Validate the actor, the target SP, and whether the issuer in newCreds corresponds to a known trusted OIDC provider. Unknown issuers or overly permissive subject claims in the newCreds JSON warrant immediate investigation. references: diff --git a/detections/cloud/azure_ad_temporary_access_pass_created.yml b/detections/cloud/azure_ad_temporary_access_pass_created.yml index bdd39288ee..03da93758e 100644 --- a/detections/cloud/azure_ad_temporary_access_pass_created.yml +++ b/detections/cloud/azure_ad_temporary_access_pass_created.yml @@ -7,7 +7,7 @@ status: production type: TTP description: The following analytic detects the creation of a Temporary Access Pass (TAP) for an Azure AD user. It leverages Azure Active Directory AuditLogs to identify the "Create Temporary Access Pass method for user" operation. TAPs are time-limited passcodes that bypass all authentication requirements including MFA and FIDO2 - an attacker who creates a TAP for a compromised account can sign in from any location without any additional factor. If confirmed malicious, this activity provides an attacker with an unchallenged authentication path into the affected account. data_source: - - Azure Active Directory Create Temporary Access Pass method for user + - Azure Active Directory Update user search: |- `azure_monitor_aad` category=AuditLogs operationName="Create Temporary Access Pass method for user" | rename properties.* as * From 627f996173aa8d58c94e7839c7c4e2e39d1a489a Mon Sep 17 00:00:00 2001 From: Descambiado Date: Sat, 13 Jun 2026 14:01:51 +0200 Subject: [PATCH 5/7] fix: update TAP detection to Splunk v6.0 schema format --- ...azure_ad_temporary_access_pass_created.yml | 50 ++++++++++--------- 1 file changed, 26 insertions(+), 24 deletions(-) diff --git a/detections/cloud/azure_ad_temporary_access_pass_created.yml b/detections/cloud/azure_ad_temporary_access_pass_created.yml index 03da93758e..4e1970a771 100644 --- a/detections/cloud/azure_ad_temporary_access_pass_created.yml +++ b/detections/cloud/azure_ad_temporary_access_pass_created.yml @@ -1,7 +1,8 @@ name: Azure AD Temporary Access Pass Created id: f820b423-7299-4bb6-9bf3-860bd475cddb version: 1 -date: '2026-05-20' +creation_date: '2026-05-20' +modification_date: '2026-06-13' author: descambiado status: production type: TTP @@ -25,7 +26,7 @@ search: |- | `security_content_ctime(lastTime)` | `azure_ad_temporary_access_pass_created_filter` how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category. -known_false_positives: IT administrators legitimately create TAPs for users who are locked out or onboarding a new passwordless authentication method. The key differentiators are the actor and timing - a helpdesk account creating a TAP for a user who just reported a lockout is expected; an unfamiliar actor creating a TAP outside business hours or for a high-privilege account warrants investigation. +known_false_positives: IT administrators legitimately create TAPs for users who are locked out or onboarding a new passwordless authentication method. The key differentiators are the actor and timing -- a helpdesk account creating a TAP for a user who just reported a lockout is expected; an unfamiliar actor creating a TAP outside business hours or for a high-privilege account warrants investigation. references: - https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-temporary-access-pass - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods @@ -40,34 +41,35 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$targetUser$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: 7d latest_offset: "0" -rba: - message: A Temporary Access Pass was created for user $targetUser$ by $actor$ - risk_objects: +finding: + title: Temporary Access Pass created for $targetUser$ by $actor$ + entity: + field: actor + type: user + score: 50 +intermediate_findings: + entities: - field: targetUser type: user score: 70 - - field: actor - type: user - score: 50 - threat_objects: - - field: src - type: ip_address -tags: - analytic_story: - - Azure Active Directory Persistence - - Azure Active Directory Account Takeover - asset_type: Azure Active Directory - mitre_attack_id: - - T1556.006 - - T1078.004 - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - security_domain: identity + message: A Temporary Access Pass was created for user $targetUser$ by $actor$ +analytic_story: + - Azure Active Directory Persistence + - Azure Active Directory Account Takeover +asset_type: Azure Active Directory +mitre_attack_id: + - T1556.006 + - T1078.004 +product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud +category: cloud +security_domain: identity tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1556.006/azure_ad_temporary_access_pass/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad + test_type: unit From feb58ef4077052db3f5be8bbb89886254ef00ca1 Mon Sep 17 00:00:00 2001 From: Descambiado Date: Sat, 13 Jun 2026 14:01:55 +0200 Subject: [PATCH 6/7] fix: update federated credential detection to Splunk v6.0 schema format --- ...erated_identity_credential_added_to_sp.yml | 43 +++++++++++-------- 1 file changed, 24 insertions(+), 19 deletions(-) diff --git a/detections/cloud/azure_ad_federated_identity_credential_added_to_sp.yml b/detections/cloud/azure_ad_federated_identity_credential_added_to_sp.yml index 0bf98f1298..fbc1e31fc6 100644 --- a/detections/cloud/azure_ad_federated_identity_credential_added_to_sp.yml +++ b/detections/cloud/azure_ad_federated_identity_credential_added_to_sp.yml @@ -1,7 +1,8 @@ name: Azure AD Federated Identity Credential Added To Service Principal id: bfa745d4-4e43-4ff1-ad15-2f663fdf5cbf version: 1 -date: '2026-05-20' +creation_date: '2026-05-20' +modification_date: '2026-06-13' author: descambiado status: production type: TTP @@ -44,30 +45,34 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$actor$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: 7d latest_offset: "0" -rba: - message: A federated identity credential was added to service principal $targetSpName$ by $actor$ - risk_objects: +finding: + title: Federated identity credential added to service principal $targetSpName$ by $actor$ + entity: + field: actor + type: user + score: 50 +intermediate_findings: + entities: - field: actor type: user score: 50 - threat_objects: - - field: src - type: ip_address -tags: - analytic_story: - - Azure Active Directory Persistence - - NOBELIUM Group - asset_type: Azure Active Directory - mitre_attack_id: - - T1098.001 - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - security_domain: identity + message: A federated identity credential was added to service principal $targetSpName$ by $actor$ +analytic_story: + - Azure Active Directory Persistence + - NOBELIUM Group +asset_type: Azure Active Directory +mitre_attack_id: + - T1098.001 +product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud +category: cloud +security_domain: identity tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/azure_ad_federated_identity_credential/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad + test_type: unit From 244989ef78790c99fbfe6ad409ab0dc3c0031174 Mon Sep 17 00:00:00 2001 From: Descambiado Date: Sat, 13 Jun 2026 14:01:59 +0200 Subject: [PATCH 7/7] fix: update guest-to-member detection to Splunk v6.0 schema format --- ...e_ad_guest_user_type_changed_to_member.yml | 44 ++++++++++--------- 1 file changed, 24 insertions(+), 20 deletions(-) diff --git a/detections/cloud/azure_ad_guest_user_type_changed_to_member.yml b/detections/cloud/azure_ad_guest_user_type_changed_to_member.yml index 7a215a6fa0..c7b646bd07 100644 --- a/detections/cloud/azure_ad_guest_user_type_changed_to_member.yml +++ b/detections/cloud/azure_ad_guest_user_type_changed_to_member.yml @@ -1,7 +1,8 @@ name: Azure AD Guest User Type Changed To Member id: 487e9b86-49dc-48a9-bbb3-747df56b4db0 version: 1 -date: '2026-05-20' +creation_date: '2026-05-20' +modification_date: '2026-06-13' author: descambiado status: production type: TTP @@ -43,31 +44,34 @@ drilldown_searches: search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$targetUser$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: 7d latest_offset: "0" -rba: - message: Guest account $targetUser$ was promoted to Member by $actor$ - risk_objects: +finding: + title: Guest account $targetUser$ promoted to Member by $actor$ + entity: + field: actor + type: user + score: 50 +intermediate_findings: + entities: - field: targetUser type: user score: 50 - - field: actor - type: user - score: 50 - threat_objects: [] -tags: - analytic_story: - - Azure Active Directory Persistence - - Azure Active Directory Privilege Escalation - asset_type: Azure Active Directory - mitre_attack_id: - - T1098 - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - security_domain: identity + message: Guest account $targetUser$ was promoted to Member by $actor$ +analytic_story: + - Azure Active Directory Persistence + - Azure Active Directory Privilege Escalation +asset_type: Azure Active Directory +mitre_attack_id: + - T1098 +product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud +category: cloud +security_domain: identity tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/azure_ad_guest_user_type_changed_to_member/azure-audit.log source: Azure AD sourcetype: azure:monitor:aad + test_type: unit