Data Source: Azure Audit Create or Update an Azure Automation webhook

Description

Data source object for the Azure Audit event "Create or Update an Azure Automation webhook".

Details

Property Value
Source mscs:azure:audit
Sourcetype mscs:azure:audit
Separator operationName.localizedValue

Supported Apps

Event Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">authorization.action</span>
  
  <span class="pill kill-chain">authorization.scope</span>
  
  <span class="pill kill-chain">caller</span>
  
  <span class="pill kill-chain">channels</span>
  
  <span class="pill kill-chain">claims.aio</span>
  
  <span class="pill kill-chain">claims.altsecid</span>
  
  <span class="pill kill-chain">claims.appid</span>
  
  <span class="pill kill-chain">claims.appidacr</span>
  
  <span class="pill kill-chain">claims.aud</span>
  
  <span class="pill kill-chain">claims.exp</span>
  
  <span class="pill kill-chain">claims.groups</span>
  
  <span class="pill kill-chain">claims.http://schemas.microsoft.com/claims/authnclassreference</span>
  
  <span class="pill kill-chain">claims.http://schemas.microsoft.com/claims/authnmethodsreferences</span>
  
  <span class="pill kill-chain">claims.http://schemas.microsoft.com/identity/claims/identityprovider</span>
  
  <span class="pill kill-chain">claims.http://schemas.microsoft.com/identity/claims/objectidentifier</span>
  
  <span class="pill kill-chain">claims.http://schemas.microsoft.com/identity/claims/scope</span>
  
  <span class="pill kill-chain">claims.http://schemas.microsoft.com/identity/claims/tenantid</span>
  
  <span class="pill kill-chain">claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</span>
  
  <span class="pill kill-chain">claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname</span>
  
  <span class="pill kill-chain">claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name</span>
  
  <span class="pill kill-chain">claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier</span>
  
  <span class="pill kill-chain">claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname</span>
  
  <span class="pill kill-chain">claims.iat</span>
  
  <span class="pill kill-chain">claims.ipaddr</span>
  
  <span class="pill kill-chain">claims.iss</span>
  
  <span class="pill kill-chain">claims.name</span>
  
  <span class="pill kill-chain">claims.nbf</span>
  
  <span class="pill kill-chain">claims.puid</span>
  
  <span class="pill kill-chain">claims.rh</span>
  
  <span class="pill kill-chain">claims.uti</span>
  
  <span class="pill kill-chain">claims.ver</span>
  
  <span class="pill kill-chain">claims.wids</span>
  
  <span class="pill kill-chain">claims.xms_tcdt</span>
  
  <span class="pill kill-chain">correlationId</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">dvc</span>
  
  <span class="pill kill-chain">eventDataId</span>
  
  <span class="pill kill-chain">eventName.localizedValue</span>
  
  <span class="pill kill-chain">eventName.value</span>
  
  <span class="pill kill-chain">eventSource.localizedValue</span>
  
  <span class="pill kill-chain">eventSource.value</span>
  
  <span class="pill kill-chain">eventTimestamp</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">httpRequest.clientIpAddress</span>
  
  <span class="pill kill-chain">httpRequest.clientRequestId</span>
  
  <span class="pill kill-chain">httpRequest.method</span>
  
  <span class="pill kill-chain">id</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">level</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">object</span>
  
  <span class="pill kill-chain">object_id</span>
  
  <span class="pill kill-chain">object_path</span>
  
  <span class="pill kill-chain">operationId</span>
  
  <span class="pill kill-chain">operationName.localizedValue</span>
  
  <span class="pill kill-chain">operationName.value</span>
  
  <span class="pill kill-chain">product</span>
  
  <span class="pill kill-chain">properties.entity</span>
  
  <span class="pill kill-chain">properties.eventCategory</span>
  
  <span class="pill kill-chain">properties.hierarchy</span>
  
  <span class="pill kill-chain">properties.message</span>
  
  <span class="pill kill-chain">properties.serviceRequestId</span>
  
  <span class="pill kill-chain">properties.statusCode</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">resourceGroupName</span>
  
  <span class="pill kill-chain">resourceProviderName.localizedValue</span>
  
  <span class="pill kill-chain">resourceProviderName.value</span>
  
  <span class="pill kill-chain">resourceUri</span>
  
  <span class="pill kill-chain">result</span>
  
  <span class="pill kill-chain">result_id</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">src</span>
  
  <span class="pill kill-chain">status</span>
  
  <span class="pill kill-chain">status.localizedValue</span>
  
  <span class="pill kill-chain">status.value</span>
  
  <span class="pill kill-chain">subStatus.localizedValue</span>
  
  <span class="pill kill-chain">subStatus.value</span>
  
  <span class="pill kill-chain">submissionTimestamp</span>
  
  <span class="pill kill-chain">subscriptionId</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
  <span class="pill kill-chain">user</span>
  
  <span class="pill kill-chain">user_name</span>
  
  <span class="pill kill-chain">vendor</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
  <span class="pill kill-chain">vendor_res_code</span>
  

Example Log

1{"authorization": {"action": "Microsoft.Automation/automationAccounts/webhooks/write", "scope": "/subscriptions/e0c00901-96b2-4151-80f7-746e24c03e98/resourceGroups/resourceGroup1providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/webhooks/MaliciousWebHook"}, "caller": "evilAdmin@contoso.com", "channels": "Operation", "claims": {"aud": "https://management.core.windows.net/", "iss": "https://sts.windows.net/ad251139-d600-4f45-a8ba-9f6ca1e5a93d/", "iat": "1661287859", "nbf": "1661287859", "exp": "1661293423", "http://schemas.microsoft.com/claims/authnclassreference": "1", "aio": "AWQAm/8TAAAAEendcgWjYQFuDhNNhoecwU3dpXjjenSsIvjamk77+TjLK/o1xkFGcFb1A+OVyuY+xefe0X39n8lx1iFWFqGo0GSNNKhm9OQcv/0UyXiaNIbKD7wisgQhAa9DoIyObMpO", "altsecid": "1:contoso.com:000161008492EF5F", "http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd,mfa", "appid": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c", "appidacr": "2", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "evilAdmin@contosol.com", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Doe", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "John", "groups": "ecb1fc87-1938-45ff-aaf3-661cee183b11", "http://schemas.microsoft.com/identity/claims/identityprovider": "contoso.com", "ipaddr": "190.0.0.1", "name": "John Doe", "http://schemas.microsoft.com/identity/claims/objectidentifier": "74b87c49-c202-4101-a8aa-ef18ecc815e8", "puid": "1003200203ECE231", "rh": "0.AX0AORElrQDWRU-oup9soeWpPUZIf3kAutdPukPawfj2MBOaAIM.", "http://schemas.microsoft.com/identity/claims/scope": "user_impersonation", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "VVjyH6MJP7pqXTBGCn4NMckGNjX-aYB_Oh7LcI9kaDw", "http://schemas.microsoft.com/identity/claims/tenantid": "ad251139-d600-4f45-a8ba-9f6ca1e5a93d", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "contoso.com#evilAdmin@contoso.com", "uti": "epgtY-85CUeb6aJpaE0KAQ", "ver": "1.0", "wids": 
"62e90394-69f5-4237-9190-012177145e10", "xms_tcdt": "1654791641"}, "correlationId": "74e18a58-ee2e-40de-890d-de0c155f7086", "description": "", "eventDataId": "35b9db88-8041-413e-8dd7-f8dc243eafdd", "eventName": {"value": "EndRequest", "localizedValue": "End request"}, "eventSource": {"value": "Administrative", "localizedValue": "Administrative"}, "httpRequest": {"clientRequestId": "6934b40a-c11f-4379-9ef1-c6fa3cee5015", "clientIpAddress": "190.0.0.1", "method": "PUT"}, "id": "/subscriptions/e0c00901-96b2-4151-80f7-746e24c03e98/resourceGroups/resourceGroup1providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/webhooks/MaliciousWebHook/events/35b9db88-8041-413e-8dd7-f8dc243eafdd/ticks/637968850422707386", "level": "Informational", "resourceGroupName": "eventhub_rg", "resourceProviderName": {"value": "Microsoft.Automation", "localizedValue": "Microsoft.Automation"}, "resourceUri": "/subscriptions/e0c00901-96b2-4151-80f7-746e24c03e98/resourceGroups/resourceGroup1providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/webhooks/MaliciousWebHook", "operationId": "74e18a58-ee2e-40de-890d-de0c155f7086", "operationName": {"value": "Microsoft.Automation/automationAccounts/webhooks/write", "localizedValue": "Create or Update an Azure Automation webhook"}, "properties": {"statusCode": "Created", "serviceRequestId": null, "eventCategory": "Administrative", "entity": "/subscriptions/e0c00901-96b2-4151-80f7-746e24c03e98/resourceGroups/resourceGroup1providers/Microsoft.Automation/automationAccounts/SuspiciousAutomationAccount/webhooks/MaliciousWebHook", "message": "Microsoft.Automation/automationAccounts/webhooks/write", "hierarchy": "e0c00901-96b2-4151-80f7-746e24c03e98"}, "status": {"value": "Succeeded", "localizedValue": "Succeeded"}, "subStatus": {"value": "Created", "localizedValue": "Created (HTTP Status Code: 201)"}, "eventTimestamp": "2022-08-23T20:57:22.2707386Z", "submissionTimestamp": "2022-08-23T20:58:54.2071536Z", 
"subscriptionId": "e0c00901-96b2-4151-80f7-746e24c03e98"}
