# Data-source definition for Azure AD audit events whose operationName is
# "Disable Strong Authentication" (a user's StrongAuthenticationRequirement is
# cleared, see the example_log below). The keys are consumed by the tooling
# that loads this file; where their meaning is not visible here it is marked
# as an assumption.
name: Azure Active Directory Disable Strong Authentication
# UUID, written as a plain scalar — contains hyphens and letters, so it can
# only parse as a string.
id: 8f31966d-c496-496d-8837-f7fd11f31255
version: 2
# Quoted so the parser keeps it as a string instead of a date object.
date: '2025-01-23'
author: Patrick Bareiss, Splunk
# Multi-line plain scalar: the continuation line folds into one sentence.
description: Logs an event when strong authentication methods are disabled in Azure
  Active Directory.
mitre_components:
- User Account Authentication
- User Account Modification
- Cloud Service Modification
source: Azure AD
sourcetype: azure:monitor:aad
# presumably the field/value pair that selects this event type within the
# sourcetype (the sample has operationName "Disable Strong Authentication") —
# confirm against the consuming tool's schema
separator: operationName
separator_value: Disable Strong Authentication
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
  url: https://splunkbase.splunk.com/app/3110
  # Two dots, so this plain scalar parses as a string; quote it if the value
  # is ever shortened to a single-dot form (e.g. 5.4), which would become a float.
  version: 5.4.3
# Field names as Splunk exposes them for this sourcetype: built-in fields
# (_time, host, index, punct, splunk_server, date_*, ...) plus the flattened
# JSON paths of the event, where `{}` denotes an array element.
# The fields carrying the security signal in the sample below are
# properties.initiatedBy.user.* (who made the change),
# properties.targetResources{}.userPrincipalName (whose MFA requirement changed),
# properties.targetResources{}.modifiedProperties{}.displayName/oldValue/newValue
# (StrongAuthenticationRequirement before/after) and properties.result.
fields:
- _time
- Level
- category
- correlationId
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- durationMs
- host
- index
- linecount
- operationName
- operationVersion
- properties.activityDateTime
- properties.activityDisplayName
- properties.category
- properties.correlationId
- properties.id
- properties.initiatedBy.user.displayName
- properties.initiatedBy.user.id
- properties.initiatedBy.user.ipAddress
- properties.initiatedBy.user.userPrincipalName
- properties.loggedByService
- properties.operationType
- properties.result
- properties.resultReason
- properties.targetResources{}.displayName
- properties.targetResources{}.id
- properties.targetResources{}.modifiedProperties{}.displayName
- properties.targetResources{}.modifiedProperties{}.newValue
- properties.targetResources{}.modifiedProperties{}.oldValue
- properties.targetResources{}.type
- properties.targetResources{}.userPrincipalName
- properties.userAgent
- punct
- resourceId
- resultSignature
- source
- sourcetype
- splunk_server
- tenantId
- time
- timeendpos
- timestartpos
# One sample event as a single-quoted multi-line scalar: backslashes are
# literal in single quotes, so the \" sequences inside oldValue/newValue stay
# as written, and the line breaks fold into spaces. In this sample
# StrongAuthenticationRequirement goes from a populated array (State 1) to
# "[]", result is "success", and userAgent and both displayName values are
# null, so those fields cannot be relied on for attribution.
# NOTE(review): the userPrincipalName values read "[email protected]", which
# looks like rendering-side e-mail obfuscation rather than the original sample
# value — confirm against the repository file.
example_log:
  '{"time": "2023-07-11T00:01:35.0251899Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
  "operationName": "Disable Strong Authentication", "operationVersion": "1.0", "category":
  "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature":
  "None", "durationMs": 0, "correlationId": "7e3ee05c-ce4f-4ff1-8230-55555c25c97e",
  "Level": 4, "properties": {"id": "Directory_7e3ee05c-ce4f-4ff1-8230-55555c25c97e_DADCR_14299826",
  "category": "UserManagement", "correlationId": "7e3ee05c-ce4f-4ff1-8230-55555c25c97e",
  "result": "success", "resultReason": "", "activityDisplayName": "Disable Strong
  Authentication", "activityDateTime": "2023-07-11T00:01:35.0251899+00:00", "loggedByService":
  "Core Directory", "operationType": "Update", "userAgent": null, "initiatedBy": {"user":
  {"id": "728989f4-eb3d-45c2-8741-2f2af4e485ce", "displayName": null, "userPrincipalName":
  "[email protected]", "ipAddress": "", "roles": []}}, "targetResources": [{"id":
  "94b969a3-11cb-4075-a1fd-9fee3daf692e", "displayName": null, "type": "User", "userPrincipalName":
  "[email protected]", "modifiedProperties": [{"displayName": "StrongAuthenticationRequirement",
  "oldValue": "[{\"RelyingParty\":\"*\",\"State\":1,\"RememberDevicesNotIssuedBefore\":\"2023-07-11T00:01:26+00:00\"}]",
  "newValue": "[]"}, {"displayName": "Included Updated Properties", "oldValue": null,
  "newValue": "\"StrongAuthenticationRequirement\""}], "administrativeUnits": []}],
  "additionalDetails": []}}'
# presumably the normalized fields a detection built on this source is expected
# to emit (user/src map naturally to the initiatedBy user fields above) —
# confirm against the consuming tool's schema
output_fields:
- dest
- user
- src
- vendor_account
- vendor_product