Skip to content

Instantly share code, notes, and snippets.

@ag-michael
Created December 29, 2020 16:14
Show Gist options
  • Save ag-michael/af7bf1ff90c3ff219df59dab0a454f07 to your computer and use it in GitHub Desktop.
Save ag-michael/af7bf1ff90c3ff219df59dab0a454f07 to your computer and use it in GitHub Desktop.
A Splunk query to replicate CISA's Sparrow script's queries: https://raw.githubusercontent.com/NoMoreFood/Sparrow/develop/Sparrow.ps1
sourcetype IN (<replace this with the sourcetype for your aad/o365 audit log data in Splunk. e.g.:"aad,o365">)
(Operation IN ("Set domain authentication*","Set federation settings on domain*")
OR Operation="Update application*"
OR Operation IN ("Update service principal*","Add service principal credentials*")
OR Operation="Add app role assignment*"
OR Operation IN ("Add OAuth2PermissionGrant*","Consent to application*")
OR (Operation IN ("UserLoggedIn*","UserLoginFailed*") ExtendedProperties{}.Value="16457" )
OR (Operation="MailboxLogin*" AND *Powershell* )
OR a0c73c16-a7e3-4564-9a95-2bdf47383716
OR 1b730954-1685-4b74-9bfd-dac224a7b894
OR (Operation IN ("UserLoggedIn*","UserLoginFailed*") AND *WinRM* )
)
| eval SearchName="unknown"
| rename ExtendedProperties{}.Value as ExtendedPropertiesValue
| eval SearchName=if((Operation LIKE "Set domain authentication%" OR Operation LIKE "Set federation settings on domain%"),"DomainData",SearchName)
| eval SearchName=if(Operation LIKE "Update application%","AppData",SearchName)
| eval SearchName=if((Operation LIKE "Update service principal%" OR Operation LIKE "Add service principal credentials%"),"SpData",SearchName)
| eval SearchName=if(Operation LIKE "Add app role assignment%","AppRoleData",SearchName)
| eval SearchName=if((Operation LIKE "Add OAuth2PermissionGrant%" OR Operation LIKE "Consent to application%"),"ConsentData",SearchName)
| eval SearchName=if((Operation LIKE "UserLoggedIn%" OR Operation LIKE "UserLoginFailed%") AND ExtendedPropertiesValue="16457","SAMLData",SearchName)
| eval SearchName=if(Operation LIKE "MailboxLogin%" AND _raw="%Powershell%","PSMailboxData",SearchName)
| eval SearchName=if(_raw LIke "%a0c73c16-a7e3-4564-9a95-2bdf47383716%","PSLoginData1",SearchName)
| eval SearchName=if(_raw LIKE "%1b730954-1685-4b74-9bfd-dac224a7b894%","PSLoginData2",SearchName)
| eval SearchName=if((Operation LIKE "UserLoggedIn%" OR Operation LIKE "UserLoginFailed%") AND _raw LIKE "%WinRM%","PSLoginData3",SearchName)
| fillnull value="unknown" Operation
| fields - _raw
| table _time SearchName user CreationTime Operation ClientIP ActorIpAddress result Target{}.ID ExtendedProperties* Modified*
@ag-michael
Copy link
Author

Be sure to modify the query for sourcetype value.

I am sharing this because creating a service account that will have all the right permissions both for AAD and Exchange Online is not a simple process within many organizations,especially when the same job can be done using Splunk,Sentinel,Elasticsearch or other data stores.

The query only replicates unified audit log queries, if needed I'll try to replicate the "investigation" of specific app's activities as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment