AZURE_AD_AUDIT

Summary

This page highlights changes and fixes made by Citreno to the default AZURE_AD_AUDIT parser. AZURE_AD_AUDIT covers a variety of events ranging from user management to device management. 

Citreno Fixes

  • Updated target.user.userid to carry the target's UserPrincipalName instead of a GUID.
  • Updated principal.user.userid to carry initiatedBy.user.userPrincipalName instead of the GUID in initiatedBy.user.id.
  • Changed the event type to USER_CHANGE_PASSWORD where operationName matches both /change|changed|reset/ nocase and /password|credential/ nocase.
  • Updated parsing to GENERIC_EVENT for the Intune events Device added, Device no longer compliant, Device no longer managed and Unregister device, so that these events parse.
  • For the Add user event, added a target.application value so the event passes validation.
  • Fixed parsing of userid for the event types ["Synchronization rule action", "Import"] so that, like all other userids, they are full email addresses.
  • Added group details in target.group.group_display_name when users are added to groups.
  • Added parsing of userids when the target resource type is User, which the default parser did not handle consistently.
  • Added parsing for AppRole.Value.
  • Fixed an issue in the Consent to application and Add delegated permission grant events where the userid was mapped to the application ID instead of the initiating user's ID.
  • The default parser maps additional fields in a way that is not user-friendly, for example additional.fields["targetResources.modifiedProperties.displayname 1"] = "ConsentContext.IsAppOnly": the property name is stored as the value, so filtering on it requires matching against a different field. We add additional.fields["ConsentContext.IsAppOnly"] = False. Customers who customize the parser can optionally remove the additional fields set by the default parser.
  • Added specialized parsing of application permissions under target.asset.attribute.permissions.

Source field                 Default Chronicle Mapping   Citreno Mapping
initiatedBy.user.id          target.user.user_id         target.user.product_object_id
Group.DisplayName            n/a                         target.group.group_display_name
Group.ObjectID               n/a                         target.group.product_object_id
AppRole.Value                n/a                         src.labels["AppRole.Value"]
ConsentAction.Permissions    additional.fields           special parsing of scopes under target.asset.attribute.permissions
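As an added illustration of the mappings listed under Citreno Fixes and in the table above, the Python below applies those rules to constructed Azure AD audit records. It is not Citreno's parser and not Chronicle parser (Logstash-style) configuration; the record shapes, the sample values, and the layout assumed for a ConsentAction.Permissions value (the `SCOPE_RE` pattern) are assumptions made for this example.

```python
import json
import re

# The two patterns from the page's rule: operationName must match BOTH
# /change|changed|reset/ and /password|credential/, case-insensitively.
CHANGE_RE = re.compile(r"change|changed|reset", re.IGNORECASE)
CRED_RE = re.compile(r"password|credential", re.IGNORECASE)

# Assumed (hypothetical) layout for a ConsentAction.Permissions value; the page
# only says scopes are parsed out of it, not how the value is formatted.
SCOPE_RE = re.compile(r"Scope:\s*([^,\]]+)")


def event_type_for(operation_name: str) -> str:
    """USER_CHANGE_PASSWORD only when both patterns match; otherwise GENERIC_EVENT."""
    if CHANGE_RE.search(operation_name) and CRED_RE.search(operation_name):
        return "USER_CHANGE_PASSWORD"
    return "GENERIC_EVENT"


def _decode(new_value):
    """modifiedProperties values arrive JSON-encoded (e.g. '"False"'); decode when possible."""
    if new_value is None:
        return None
    try:
        return json.loads(new_value)
    except (TypeError, ValueError):
        return new_value


def normalize(record: dict) -> dict:
    """Flatten one Azure AD audit record into the UDM-style field names used on the page."""
    udm = {"metadata.event_type": event_type_for(record.get("operationName", ""))}

    # Initiator: UPN into principal.user.userid, GUID kept in product_object_id.
    actor = (record.get("initiatedBy") or {}).get("user") or {}
    if actor.get("userPrincipalName"):
        udm["principal.user.userid"] = actor["userPrincipalName"]
    if actor.get("id"):
        udm["principal.user.product_object_id"] = actor["id"]

    additional = {}
    for res in record.get("targetResources", []):
        # Target of type User: UPN into target.user.userid, GUID into product_object_id.
        if res.get("type") == "User":
            if res.get("userPrincipalName"):
                udm["target.user.userid"] = res["userPrincipalName"]
            if res.get("id"):
                udm["target.user.product_object_id"] = res["id"]
        for prop in res.get("modifiedProperties", []):
            name = prop.get("displayName", "")
            value = _decode(prop.get("newValue"))
            if name == "Group.DisplayName":
                udm["target.group.group_display_name"] = value
            elif name == "Group.ObjectID":
                udm["target.group.product_object_id"] = value
            elif name == "AppRole.Value":
                udm.setdefault("src.labels", {})["AppRole.Value"] = value
            elif name == "ConsentAction.Permissions":
                scopes = []
                for m in SCOPE_RE.finditer(str(value)):
                    scopes.extend(m.group(1).split())
                udm["target.asset.attribute.permissions"] = scopes
            elif name:
                # Keyed by the property's own name, so filtering needs one field, not two.
                additional[name] = value
    if additional:
        udm["additional.fields"] = additional
    return udm


# Constructed sample records (not real tenant data); GUIDs are placeholders.
_ADMIN = {"id": "11111111-1111-1111-1111-111111111111", "userPrincipalName": "admin@example.com"}
SAMPLE_RESET = {
    "operationName": "Reset user password",
    "initiatedBy": {"user": _ADMIN},
    "targetResources": [{"type": "User", "id": "22222222-2222-2222-2222-222222222222",
                         "userPrincipalName": "alice@example.com", "modifiedProperties": []}],
}
SAMPLE_GROUP_ADD = {
    "operationName": "Add member to group",
    "initiatedBy": {"user": _ADMIN},
    "targetResources": [{"type": "User", "id": "22222222-2222-2222-2222-222222222222",
                         "userPrincipalName": "bob@example.com", "modifiedProperties": [
                             {"displayName": "Group.DisplayName", "newValue": "\"Finance Admins\""},
                             {"displayName": "Group.ObjectID",
                              "newValue": "\"33333333-3333-3333-3333-333333333333\""}]}],
}
SAMPLE_CONSENT = {
    "operationName": "Consent to application",
    "initiatedBy": {"user": _ADMIN},
    "targetResources": [{"type": "ServicePrincipal", "id": "44444444-4444-4444-4444-444444444444",
                         "displayName": "Sample App", "modifiedProperties": [
                             {"displayName": "ConsentContext.IsAppOnly", "newValue": "\"False\""},
                             {"displayName": "ConsentAction.Permissions",
                              "newValue": "\"[] => [[Id: 1, ClientId: 2, Scope: User.Read Mail.Read, ConsentType: Principal]]\""}]}],
}
SAMPLE_APPROLE = {
    "operationName": "Add app role assignment to service principal",
    "initiatedBy": {"user": _ADMIN},
    "targetResources": [{"type": "ServicePrincipal", "id": "44444444-4444-4444-4444-444444444444",
                         "modifiedProperties": [
                             {"displayName": "AppRole.Value", "newValue": "\"Directory.Read.All\""}]}],
}

if __name__ == "__main__":
    for rec in (SAMPLE_RESET, SAMPLE_GROUP_ADD, SAMPLE_CONSENT, SAMPLE_APPROLE):
        print(json.dumps(normalize(rec), indent=2))
```

Running the script prints the flattened fields for each sample; note that "Change user license" and "Update user credentials" both stay GENERIC_EVENT because the rule requires a match on both patterns, which is what keeps license and attribute changes out of the password-change event type.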

Notable Parser Behavior

Fully documenting the default parser is not feasible, as default parsers often run to tens of thousands of lines of code and are available to customers in parser management. In this section we review notable behaviors.

  • In events such as Update conditional access policy, onmicrosoft.com emails may be used. The default parser sets userid to this email, which impedes enrichment; we advise a discussion to agree on a userid methodology. Additionally, target.user.user_display_name is set to the policy name "Bad Actors". These are parsing behaviors that cannot be overcome through a parser extension and will require customization of the parser.
  • target.user.title is improperly set to values such as GroupDisplayName; fixing that behavior will require overriding the default parser.