Skip to content

Add attack_data for 3 Entra ID identity attack detections#1187

Merged
patel-bhavin merged 1 commit into
splunk:masterfrom
descambiado:add-entra-id-identity-attack-data
Jul 6, 2026
Merged

Add attack_data for 3 Entra ID identity attack detections#1187
patel-bhavin merged 1 commit into
splunk:masterfrom
descambiado:add-entra-id-identity-attack-data

Conversation

@descambiado

Copy link
Copy Markdown
Contributor

Summary

Test data requested by @nasbench on splunk/security_content#4091 for the 3 Entra ID identity attack detections:

  • azure_ad_federated_identity_credential_added_to_service_principal.yml (T1098.001) — federated identity credential added to a service principal, pointing to an external GitHub Actions OIDC issuer
  • azure_ad_guest_user_type_changed_to_member.yml (T1098) — guest account UserType changed to Member
  • azure_ad_temporary_access_pass_created.yml (T1556.006, T1078.004) — Temporary Access Pass created for a Global Administrator account

Each dataset includes one true-positive event plus one benign noise event (unrelated property change on the same operation) to validate filter specificity. Tenant IDs, usernames, and IPs are synthetic/anonymized, following the existing azure_ad_enable_and_reset dataset format as a reference.

Related

Test plan

  • Confirm azure-audit.log / .yml pairs match the existing dataset schema for azure:monitor:aad sourcetype
  • Confirm each true-positive event fires the corresponding detection in security_content#4091

Test data for splunk/security_content PR #4091:
- azure_ad_federated_identity_credential_added_to_service_principal (T1098.001)
- azure_ad_guest_user_type_changed_to_member (T1098)
- azure_ad_temporary_access_pass_created (T1556.006, T1078.004)
@patel-bhavin

Copy link
Copy Markdown
Collaborator

@P4T12ICK - any clue why is this CI failing?

@nasbench

nasbench commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

@P4T12ICK - any clue why is this CI failing?

The CI fails for forks because they do not have permissions in their token to post a comment. You can see the validation passed.

 body: [Object: null prototype] {
      body: '✅ **Attack Data Validation Passed**\n' +
        '\n' +
        'All YAML files in this PR have been successfully validated against the schema.\n' +
        '\n' +
        'Ready for review and merge! 🚀'
    },

@patel-bhavin

patel-bhavin commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

@nasbench , @P4T12ICK - The script is failing cuz the tokens are not available for forks(as you pointed out) . we will update this CI workflow at a later point after investigation. That said, the files in the PR are valid and will be merging this PR

@patel-bhavin patel-bhavin merged commit d68aef4 into splunk:master Jul 6, 2026
1 check failed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants