Skip to content

chore: user_agent field fix in both the Azure AD authentication detections. Minor spelling mistake fixes. #3811

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
patel-bhavin merged 3 commits into from
Dec 2, 2025
Merged

chore: user_agent field fix in both the Azure AD authentication detections. Minor spelling mistake fixes. #3811

patel-bhavin merged 3 commits into from
Dec 2, 2025
+31 −24

Conversation

@Shotscape
Copy link
Contributor

@Shotscape Shotscape commented Nov 28, 2025

Details:

The CIM compliant user_agent field was not being parsed correctly as the | rename properties.* as * line renames the field before the | rename properties.userAgent as user_agent line is able to rename it.

Updated some minor issues with the risk message and known false positive fields stating that the Azure AD High Number Of Failed Authentications For User search bin's every 5 minutes.

Lastly, fixed the word minutes being present twice in the risk message of the Azure AD High Number Of Failed Authentications From Ip search.

Checklist:

  • Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • CI/CD jobs passed ✔️
  • Validated SPL logic.
  • Validated tags, description, and how to implement.
  • Verified references match analytic.
  • Confirm updates to lookups are handled properly.

@nasbench nasbench self-assigned this Nov 28, 2025
@nasbench
Copy link
Contributor

nasbench commented Dec 1, 2025

The TA actually extracts user_agent from SignInLogs so no need for a rename anymore.

EVAL-user_agent = case(operationName IN ("Sign-in activity"),'properties.userAgent', \
                        true(),mvindex('properties.additionalDetails{}.value',mvfind('properties.additionalDetails{}.key',"^User-Agent$")))

You can see that even if a removed the rename the field is populated.

image

nasbench
nasbench approved these changes Dec 1, 2025
View reviewed changes
Copy link
Contributor

@nasbench nasbench left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change LGTM

@nasbench nasbench added the WIP DO NOT MERGE Work in Progress label Dec 1, 2025
@nasbench nasbench added this to the v5.19.0 milestone Dec 1, 2025
@patel-bhavin
Copy link
Contributor

patel-bhavin commented Dec 2, 2025

inspect failures are expected from forks! Thank you for the fixes @Shotscape

@patel-bhavin patel-bhavin merged commit 59c8727 into splunk:develop Dec 2, 2025
3 of 4 checks passed
@patel-bhavin patel-bhavin removed the WIP DO NOT MERGE Work in Progress label Dec 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@patel-bhavin patel-bhavin patel-bhavin approved these changes

@nasbench nasbench nasbench approved these changes

@ljstella ljstella Awaiting requested review from ljstella ljstella is a code owner

Assignees

@nasbench nasbench

Labels

Detections

Projects

None yet

Milestone

v5.19.0

Development

Successfully merging this pull request may close these issues.

3 participants

@Shotscape @nasbench @patel-bhavin