ag-michael/Sparrow.spl

## Sparrow.spl
sourcetype IN (<replace this with the sourcetype for your aad/o365 audit log data in Splunk. e.g.:"aad,o365">)
(Operation IN ("Set domain authentication*","Set federation settings on domain*")
OR Operation="Update application*"
OR Operation IN ("Update service principal*","Add service principal credentials*")
OR Operation="Add app role assignment*"
OR Operation IN ("Add OAuth2PermissionGrant*","Consent to application*")

OR (Operation IN ("UserLoggedIn*","UserLoginFailed*") ExtendedProperties{}.Value="16457" )
OR (Operation="MailboxLogin*" AND *Powershell* )
OR a0c73c16-a7e3-4564-9a95-2bdf47383716
OR 1b730954-1685-4b74-9bfd-dac224a7b894
OR (Operation IN ("UserLoggedIn*","UserLoginFailed*") AND *WinRM* )

)
| eval SearchName="unknown"
| rename ExtendedProperties{}.Value as ExtendedPropertiesValue
| eval SearchName=if((Operation LIKE "Set domain authentication%" OR Operation LIKE "Set federation settings on domain%"),"DomainData",SearchName)
| eval SearchName=if(Operation LIKE "Update application%","AppData",SearchName)
| eval SearchName=if((Operation LIKE "Update service principal%" OR Operation LIKE "Add service principal credentials%"),"SpData",SearchName)
| eval SearchName=if(Operation LIKE "Add app role assignment%","AppRoleData",SearchName)
| eval SearchName=if((Operation LIKE "Add OAuth2PermissionGrant%" OR Operation LIKE "Consent to application%"),"ConsentData",SearchName)
| eval SearchName=if((Operation LIKE "UserLoggedIn%" OR Operation LIKE "UserLoginFailed%") AND ExtendedPropertiesValue="16457","SAMLData",SearchName)
| eval SearchName=if(Operation LIKE "MailboxLogin%" AND _raw="%Powershell%","PSMailboxData",SearchName)
| eval SearchName=if(_raw LIke "%a0c73c16-a7e3-4564-9a95-2bdf47383716%","PSLoginData1",SearchName)
| eval SearchName=if(_raw LIKE "%1b730954-1685-4b74-9bfd-dac224a7b894%","PSLoginData2",SearchName)
| eval SearchName=if((Operation LIKE "UserLoggedIn%" OR Operation LIKE "UserLoginFailed%") AND _raw LIKE "%WinRM%","PSLoginData3",SearchName)
| fillnull value="unknown" Operation
| fields - _raw
| table _time SearchName user CreationTime Operation ClientIP ActorIpAddress result Target{}.ID ExtendedProperties* Modified*
	sourcetype IN (<replace this with the sourcetype for your aad/o365 audit log data in Splunk. e.g.:"aad,o365">)
	(Operation IN ("Set domain authentication","Set federation settings on domain")
	OR Operation="Update application*"
	OR Operation IN ("Update service principal","Add service principal credentials")
	OR Operation="Add app role assignment*"
	OR Operation IN ("Add OAuth2PermissionGrant","Consent to application")

	OR (Operation IN ("UserLoggedIn","UserLoginFailed") ExtendedProperties{}.Value="16457" )
	OR (Operation="MailboxLogin" AND Powershell* )
	OR a0c73c16-a7e3-4564-9a95-2bdf47383716
	OR 1b730954-1685-4b74-9bfd-dac224a7b894
	OR (Operation IN ("UserLoggedIn","UserLoginFailed") AND WinRM )

	)
	\| eval SearchName="unknown"
	\| rename ExtendedProperties{}.Value as ExtendedPropertiesValue
	\| eval SearchName=if((Operation LIKE "Set domain authentication%" OR Operation LIKE "Set federation settings on domain%"),"DomainData",SearchName)
	\| eval SearchName=if(Operation LIKE "Update application%","AppData",SearchName)
	\| eval SearchName=if((Operation LIKE "Update service principal%" OR Operation LIKE "Add service principal credentials%"),"SpData",SearchName)
	\| eval SearchName=if(Operation LIKE "Add app role assignment%","AppRoleData",SearchName)
	\| eval SearchName=if((Operation LIKE "Add OAuth2PermissionGrant%" OR Operation LIKE "Consent to application%"),"ConsentData",SearchName)
	\| eval SearchName=if((Operation LIKE "UserLoggedIn%" OR Operation LIKE "UserLoginFailed%") AND ExtendedPropertiesValue="16457","SAMLData",SearchName)
	\| eval SearchName=if(Operation LIKE "MailboxLogin%" AND _raw="%Powershell%","PSMailboxData",SearchName)
	\| eval SearchName=if(_raw LIke "%a0c73c16-a7e3-4564-9a95-2bdf47383716%","PSLoginData1",SearchName)
	\| eval SearchName=if(_raw LIKE "%1b730954-1685-4b74-9bfd-dac224a7b894%","PSLoginData2",SearchName)
	\| eval SearchName=if((Operation LIKE "UserLoggedIn%" OR Operation LIKE "UserLoginFailed%") AND _raw LIKE "%WinRM%","PSLoginData3",SearchName)
	\| fillnull value="unknown" Operation
	\| fields - _raw
	\| table _time SearchName user CreationTime Operation ClientIP ActorIpAddress result Target{}.ID ExtendedProperties* Modified*