Skip to content

Commit 6c19578

Browse files
committed
Add attack_data for 3 Entra ID identity attack detections
Test data for splunk/security_content PR #4091: - azure_ad_federated_identity_credential_added_to_service_principal (T1098.001) - azure_ad_guest_user_type_changed_to_member (T1098) - azure_ad_temporary_access_pass_created (T1556.006, T1078.004)
1 parent 4820cca commit 6c19578

6 files changed

Lines changed: 61 additions & 0 deletions

File tree

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
version https://git-lfs.github.com/spec/v1
2+
oid sha256:68a71da7b6ee2370fd29439c2590620061973f11f2938261b98e489017653425
3+
size 2998
Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,18 @@
1+
author: descambiado
2+
id: e3a7f1c2-9b4d-4e6a-8c1f-2d5a9b7e4c31
3+
date: '2026-06-10'
4+
description: Added a federated identity credential to an Entra ID service principal,
5+
pointing the trust to an external GitHub Actions OIDC issuer/repo not controlled
6+
by the tenant. Includes one benign Update service principal event (DisplayName
7+
change) with no FederatedIdentityCredentials property, to validate filter specificity.
8+
Tenant specific details have been replaced in the dataset including tenant id,
9+
user names, ips, etc.
10+
environment: attack_range
11+
directory: azure_ad_federated_identity_credential
12+
mitre_technique:
13+
- T1098.001
14+
datasets:
15+
- name: azure-audit
16+
path: /datasets/attack_techniques/T1098.001/azure_ad_federated_identity_credential/azure-audit.log
17+
sourcetype: azure:monitor:aad
18+
source: azure
Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
version https://git-lfs.github.com/spec/v1
2+
oid sha256:a0e255c18f218b5ea3cd21393d0240c50c2e7662738055f107aa56968b3f5054
3+
size 2872
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,17 @@
1+
author: descambiado
2+
id: 4b8d2f6a-1c9e-4a3b-9d7f-6e2a4c8b1f95
3+
date: '2026-06-11'
4+
description: Changed the UserType property of an Entra ID guest account from Guest
5+
to Member, removing the tenant-resource restrictions guest accounts normally carry.
6+
Includes one benign Update user event (MobilePhone change) with no UserType property,
7+
to validate filter specificity. Tenant specific details have been replaced in
8+
the dataset including tenant id, user names, ips, etc.
9+
environment: attack_range
10+
directory: azure_ad_guest_user_type_changed_to_member
11+
mitre_technique:
12+
- T1098
13+
datasets:
14+
- name: azure-audit
15+
path: /datasets/attack_techniques/T1098/azure_ad_guest_user_type_changed_to_member/azure-audit.log
16+
sourcetype: azure:monitor:aad
17+
source: azure
Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
version https://git-lfs.github.com/spec/v1
2+
oid sha256:95c51d3d30174a423c2e9522af278d565cbf882f1dc0b0cbf7e5e7a5aec4593d
3+
size 1394
Lines changed: 17 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,17 @@
1+
author: descambiado
2+
id: 7f1a9c3e-5b2d-4f8a-b6e1-3c9d5a7f2b48
3+
date: '2026-06-12'
4+
description: Created a Temporary Access Pass for a Global Administrator account
5+
outside of business hours, granting an MFA/FIDO2-bypassing authentication path
6+
into the account. Tenant specific details have been replaced in the dataset including
7+
tenant id, user names, ips, etc.
8+
environment: attack_range
9+
directory: azure_ad_temporary_access_pass
10+
mitre_technique:
11+
- T1556.006
12+
- T1078.004
13+
datasets:
14+
- name: azure-audit
15+
path: /datasets/attack_techniques/T1556.006/azure_ad_temporary_access_pass/azure-audit.log
16+
sourcetype: azure:monitor:aad
17+
source: azure

0 commit comments

Comments
 (0)