data_sources/azure_active_directory_add_service_principal.yml

name: Azure Active Directory Add service principal
id: fd89d337-e4c0-4162-ad13-bca36f096fe6
version: 1
date: '2024-07-18'
author: Patrick Bareiss, Splunk
description: Data source object for Azure Active Directory Add service principal
source: Azure AD
sourcetype: azure:monitor:aad
separator: operationName
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
  url: https://splunkbase.splunk.com/app/3110
  version: 5.4.1
fields:
- _time
- Level
- category
- correlationId
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- durationMs
- host
- index
- linecount
- operationName
- operationVersion
- properties.activityDateTime
- properties.activityDisplayName
- properties.additionalDetails{}.key
- properties.additionalDetails{}.value
- properties.category
- properties.correlationId
- properties.id
- properties.initiatedBy.user.displayName
- properties.initiatedBy.user.id
- properties.initiatedBy.user.ipAddress
- properties.initiatedBy.user.userPrincipalName
- properties.loggedByService
- properties.operationType
- properties.result
- properties.resultReason
- properties.targetResources{}.displayName
- properties.targetResources{}.id
- properties.targetResources{}.modifiedProperties{}.displayName
- properties.targetResources{}.modifiedProperties{}.newValue
- properties.targetResources{}.modifiedProperties{}.oldValue
- properties.targetResources{}.type
- properties.userAgent
- punct
- resourceId
- resultSignature
- source
- sourcetype
- splunk_server
- tenantId
- time
- timeendpos
- timestartpos
example_log: '{"time": "2024-02-07T22:31:14.4970418Z", "resourceId": "/tenants/a417c578-c7ee-480d-a225-d48057e74df5/providers/Microsoft.aadiam",
  "operationName": "Add service principal", "operationVersion": "1.0", "category":
  "AuditLogs", "tenantId": "a417c578-c7ee-480d-a225-d48057e74df5", "resultSignature":
  "None", "durationMs": 0, "correlationId": "ea473f15-64b3-435a-a885-6ee3908919e2",
  "Level": 4, "properties": {"id": "Directory_ea473f15-64b3-435a-a885-6ee3908919e2_GSOLK_21152854",
  "category": "ApplicationManagement", "correlationId": "ea473f15-64b3-435a-a885-6ee3908919e2",
  "result": "success", "resultReason": "", "activityDisplayName": "Add service principal",
  "activityDateTime": "2024-02-07T22:31:14.4970418+00:00", "loggedByService": "Core
  Directory", "operationType": "Add", "userAgent": null, "initiatedBy": {"user": {"id":
  "e4c722ac-3b83-478d-8f52-c388885dc30f", "displayName": null, "userPrincipalName":
  "Herman@phantomengineering.onmicrosoft.com", "ipAddress": "", "roles": []}}, "targetResources":
  [{"id": "2dedf863-ac93-4f45-87b3-e32f48145380", "displayName": "Malicious11", "type":
  "ServicePrincipal", "modifiedProperties": [{"displayName": "AccountEnabled", "oldValue":
  "[]", "newValue": "[true]"}, {"displayName": "AppPrincipalId", "oldValue": "[]",
  "newValue": "[\"e06366ca-8489-4748-b6a2-d7e4332f45c1\"]"}, {"displayName": "DisplayName",
  "oldValue": "[]", "newValue": "[\"Malicious11\"]"}, {"displayName": "ServicePrincipalName",
  "oldValue": "[]", "newValue": "[\"e06366ca-8489-4748-b6a2-d7e4332f45c1\"]"}, {"displayName":
  "Credential", "oldValue": "[]", "newValue": "[{\"CredentialType\":2,\"KeyStoreId\":\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\"KeyGroupId\":\"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"}]"},
  {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"AccountEnabled,
  AppPrincipalId, DisplayName, ServicePrincipalName, Credential\""}, {"displayName":
  "TargetId.ServicePrincipalNames", "oldValue": null, "newValue": "\"e06366ca-8489-4748-b6a2-d7e4332f45c1\""}],
  "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value":
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like
  Gecko) Chrome/121.0.0.0 Safari/537.36"}, {"key": "AppId", "value": "e06366ca-8489-4748-b6a2-d7e4332f45c1"}]}}'