splunk/security_content

[BUG] sourcetype macro not consistent across Azure AD correlations

atgithub11 opened this issue · 2 comments

For most Azure AD related correlations, the azuread macro is used, which looks at sourcetype=mscs:azure:eventhub. An example would be https://research.splunk.com/cloud/e62c9c2e-bf51-4719-906c-3074618fcc1c/

But lately I have come across some Azure AD searches using the azure_monitor_aad macro instead, which checks for sourcetype=azure:monitor:aad,
e.g. https://research.splunk.com/cloud/116e11a9-63ea-41eb-a66a-6a13bdc7d2c7/

For all these, the explanation under "How To Implement" refers to ingesting Azure AD events via EventHub using https://splunkbase.splunk.com/app/3110. Shouldn't all these searches be using the same azuread macro?

Would it be better if these macros just defined the index holding Azure AD data instead of the sourcetype?
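An added example (not code from the security_content repo or from anyone in this thread) of how a defender can audit a local checkout of detection YAML files for which Azure AD macro each search calls, so the mismatch described above is found before deploying; it assumes each detection keeps its SPL in a `search:` field as security_content's detection YAML does, and the sample files below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample detection files (path -> file text); not real repo content.
SAMPLE_DETECTIONS = {
    "detections/cloud/azure_ad_sample_a.yml": (
        "name: Azure AD Sample A\n"
        "search: '`azuread` operationName=\"Add member to role\" | stats count by user'\n"
    ),
    "detections/cloud/azure_ad_sample_b.yml": (
        "name: Azure AD Sample B\n"
        "search: '`azure_monitor_aad` operationName=\"Consent to application\" | stats count by user'\n"
    ),
    "detections/cloud/aws_sample.yml": (
        "name: AWS Sample\n"
        "search: '`cloudtrail` eventName=CreateUser | stats count by userName'\n"
    ),
}

# SPL macros are written as `name` or `name(args)` inside backticks.
MACRO_RE = re.compile(r"`([A-Za-z0-9_]+)(?:\([^)]*\))?`")

# The two sourcetype-selecting Azure AD macros named in the issue.
AAD_MACROS = {"azuread", "azure_monitor_aad"}


def macros_in(text):
    """Return the set of macro names referenced anywhere in a detection file."""
    return set(MACRO_RE.findall(text))


def aad_macro_usage(detections):
    """Map each Azure AD macro to the list of detection files that call it."""
    usage = defaultdict(list)
    for path, text in detections.items():
        for macro in sorted(macros_in(text) & AAD_MACROS):
            usage[macro].append(path)
    return dict(usage)


def is_inconsistent(detections):
    """True when more than one Azure AD sourcetype macro is in use across the set."""
    return len(aad_macro_usage(detections)) > 1


if __name__ == "__main__":
    for macro, paths in aad_macro_usage(SAMPLE_DETECTIONS).items():
        print(f"{macro}: {len(paths)} detection(s)")
    print("inconsistent:", is_inconsistent(SAMPLE_DETECTIONS))
```

Point `SAMPLE_DETECTIONS` at real file contents (e.g. read from `detections/cloud/*.yml`) to run it against a checkout; a single key in the result means every Azure AD search agrees on one sourcetype macro.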

Hi @atgithub11

Thanks for asking about this. As you noted, those two macros evaluate to different sourcetypes. The fields presented in each sourcetype are different; however, AAD data can be ingested with either of those sourcetypes. Detections written against one won't necessarily work against the other without modifying the field names.

cc: @mvelazc0

Thanks @ljstella

I think we should be good with this one. In v4.19.0, all Azure AD correlations were updated to use sourcetype = azure:monitor:aad