Understanding high value fields in Microsoft Active Directory audit data
Azure Active Directory audit data provides information on the operations performed against your Active Directory resources. These audit logs capture CRUD (Create, Read, Update, Delete) actions against Azure AD resources such as user accounts, security groups, and devices. These logs are separate from Azure Audit Logs, which focus specifically on auditing Azure from a management control plane perspective.
This data source provides insight into Active Directory changes, including new and old values, and is crucial for monitoring changes to Azure Active Directory. Critical security use cases can be delivered with this data. The following table describes the high-value fields.
Field Name | Field Type | Description | Example |
---|---|---|---|
activityDate | string | Timestamp of activity | 2020-07-16T07:22:48.4694093Z |
activityDateTime | string | Timestamp of activity | 2020-07-16T07:22:48.4694093Z |
activityDisplayName | string | What action the user is performing | Update application – Certificates and secrets management |
additionalDetails{}.key | string | Name of the key whose value is in the following field | User-Agent |
additionalDetails{}.value | string | User agent of the user's device | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 |
category | string | Azure category | ApplicationManagement |
correlationId | string | Unique Azure correlation ID | 6ef39773-eb79-4258-8ad0-c07fe5816715 |
initiatedBy.user.displayName | string | Display name (if configured) of the user that initiated the activity | null |
initiatedBy.user.id | string | User ID of the user that initiated the activity | 545cdc90-e36f-41c9-a3df-0558cb8fe2cd |
initiatedBy.user.ipAddress | string | IP address (if known) of the device that initiated the activity | null |
initiatedBy.user.userPrincipalName | string | Which user initiated the activity | |
loggedByService | string | Which Azure service logged the activity | Core Directory |
operationType | string | What type of operation was performed | Update |
result | string | Status of the activity | success |
targetResources{}.displayName | string | What resource was modified | Ry_P5_Splunk_AAFS_AAD |
targetResources{}.id | string | ID of the resource | 68fb76ac-2e44-4b65-a133-f7d40aa5c8f1 |
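The `{}` and `.` notation in the field names above describes how a nested JSON audit record is flattened into Splunk-style field names: dict keys are joined with `.`, array elements are marked with `{}`, and a field inside an array becomes a multivalue field. The following added example (not code from the original page or from Splunk) shows that flattening on a constructed record whose values are taken from the table, pairs `additionalDetails{}.key` with `additionalDetails{}.value`, and applies one detection the table supports: a successful application certificate-or-secret change, written so that it does not depend on `initiatedBy.user.ipAddress` or `displayName`, which the table shows can be null. The `userPrincipalName` value is a placeholder because the table leaves it blank; the function and constant names are the example's own.

```python
import json
from typing import Any, Dict, List

# Constructed sample record: values are the examples from the table above,
# except userPrincipalName, which is a placeholder (the table leaves it blank).
SAMPLE_RECORD: Dict[str, Any] = {
    "activityDateTime": "2020-07-16T07:22:48.4694093Z",
    "activityDisplayName": "Update application – Certificates and secrets management",
    "additionalDetails": [
        {"key": "User-Agent",
         "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36"},
    ],
    "category": "ApplicationManagement",
    "correlationId": "6ef39773-eb79-4258-8ad0-c07fe5816715",
    "initiatedBy": {
        "user": {
            "displayName": None,
            "id": "545cdc90-e36f-41c9-a3df-0558cb8fe2cd",
            "ipAddress": None,
            "userPrincipalName": "user@example.com",  # placeholder value
        }
    },
    "loggedByService": "Core Directory",
    "operationType": "Update",
    "result": "success",
    "targetResources": [
        {"displayName": "Ry_P5_Splunk_AAFS_AAD",
         "id": "68fb76ac-2e44-4b65-a133-f7d40aa5c8f1"},
    ],
}

# The high-value field names from the table, in Splunk's flattened notation.
HIGH_VALUE_FIELDS = [
    "activityDateTime", "activityDisplayName", "additionalDetails{}.key",
    "additionalDetails{}.value", "category", "correlationId",
    "initiatedBy.user.displayName", "initiatedBy.user.id",
    "initiatedBy.user.ipAddress", "initiatedBy.user.userPrincipalName",
    "loggedByService", "operationType", "result",
    "targetResources{}.displayName", "targetResources{}.id",
]


def flatten(obj: Any, prefix: str = "") -> Dict[str, List[Any]]:
    """Flatten nested JSON into {field_name: [values]} using '.' for dict keys
    and '{}' for array elements. Every leaf is a list (a multivalue field), so a
    record with two additionalDetails entries yields two additionalDetails{}.key values."""
    out: Dict[str, List[Any]] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            for name, values in flatten(value, f"{prefix}.{key}" if prefix else key).items():
                out.setdefault(name, []).extend(values)
    elif isinstance(obj, list):
        for item in obj:
            for name, values in flatten(item, prefix + "{}").items():
                out.setdefault(name, []).extend(values)
    else:
        out[prefix] = [obj]
    return out


def high_value_fields(record: Dict[str, Any]) -> Dict[str, List[Any]]:
    """Return only the table's high-value fields; an absent field maps to []."""
    flat = flatten(record)
    return {name: flat.get(name, []) for name in HIGH_VALUE_FIELDS}


def additional_details(record: Dict[str, Any]) -> Dict[str, Any]:
    """Pair additionalDetails{}.key with additionalDetails{}.value by position."""
    flat = flatten(record)
    return dict(zip(flat.get("additionalDetails{}.key", []),
                    flat.get("additionalDetails{}.value", [])))


def is_successful_app_credential_change(record: Dict[str, Any]) -> bool:
    """Detection: a successful 'Certificates and secrets management' application
    update. Deliberately ignores ipAddress and displayName, which may be null."""
    flat = flatten(record)
    return (
        "ApplicationManagement" in flat.get("category", [])
        and any("Certificates and secrets" in str(n) for n in flat.get("activityDisplayName", []))
        and "success" in flat.get("result", [])
    )


if __name__ == "__main__":
    print(json.dumps(high_value_fields(SAMPLE_RECORD), indent=2, ensure_ascii=False))
    print(additional_details(SAMPLE_RECORD))
    print(is_successful_app_credential_change(SAMPLE_RECORD))
```

Because `flatten` always returns lists, a record with several `targetResources` or `additionalDetails` entries keeps every value rather than silently dropping all but the first, which matters when one audit event touches more than one resource.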