Splunk Lantern

Understanding high value fields in Microsoft Active Directory audit data

Azure Active Directory audit data provides information on the operations performed against your Azure Active Directory resources. These audit logs capture CRUD (Create, Read, Update, Delete) actions against Azure AD resources such as user accounts, security groups, and devices. They are separate from Azure Audit Logs, which focus specifically on auditing Azure from a management control plane perspective.

This data source provides insight into Azure Active Directory changes, including both the new and the old values, and is crucial for monitoring changes to Azure Active Directory. Critical security use cases can be delivered with this data. The following table describes the high-value fields.

| Field Name | Field Type | Description | Example |
|---|---|---|---|
| activityDate | string | Timestamp of the activity | 2020-07-16T07:22:48.4694093Z |
| activityDateTime | string | Timestamp of the activity | 2020-07-16T07:22:48.4694093Z |
| activityDisplayName | string | The action the user performed | Update application – Certificates and secrets management |
| additionalDetails{}.key | string | Name of the detail carried in the matching additionalDetails{}.value field | User-Agent |
| additionalDetails{}.value | string | Value of the detail (here, the user agent of the user's device) | Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 |
| category | string | Azure category of the activity | ApplicationManagement |
| correlationId | string | Unique Azure correlation ID | 6ef39773-eb79-4258-8ad0-c07fe5816715 |
| initiatedBy.user.displayName | string | Display name (if configured) of the user that initiated the activity | null |
| initiatedBy.user.id | string | User ID of the user that initiated the activity | 545cdc90-e36f-41c9-a3df-0558cb8fe2cd |
| initiatedBy.user.ipAddress | string | IP address (if known) of the device that initiated the activity | null |
| initiatedBy.user.userPrincipalName | string | User principal name of the user that initiated the activity | jacobsmythe@jacobsmythe111.onmicrosoft.com |
| loggedByService | string | The Azure service that logged the activity | Core Directory |
| operationType | string | The type of operation performed | Update |
| result | string | Status of the activity | success |
| targetResources{}.displayName | string | The resource that was modified | Ry_P5_Splunk_AAFS_AAD |
| targetResources{}.id | string | ID of the modified resource | 68fb76ac-2e44-4b65-a133-f7d40aa5c8f1 |
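The dotted and `{}` field names in the table are how Splunk names nested JSON objects and arrays of objects once an audit record is extracted. The following is an added example, not code from Splunk or from this page: it flattens a constructed Azure AD audit event (nested the way the table's field names imply, with the example values from the table) into those Splunk-style names, then reviews the event and flags application credential changes for follow-up. The `HIGH_VALUE_ACTIVITIES` set and the `review_event` helper are this example's own choices.

```python
"""Flatten an Azure AD audit record into Splunk-style field names and flag
high-value activities. Added example; SAMPLE_EVENT is constructed from the
field names and example values in the table above."""
import json

# Constructed sample event. The nesting follows the dotted field names in the
# table: initiatedBy.user.*, additionalDetails{}.*, targetResources{}.*.
SAMPLE_EVENT = json.dumps({
    "activityDateTime": "2020-07-16T07:22:48.4694093Z",
    "activityDisplayName": "Update application – Certificates and secrets management",
    "category": "ApplicationManagement",
    "correlationId": "6ef39773-eb79-4258-8ad0-c07fe5816715",
    "loggedByService": "Core Directory",
    "operationType": "Update",
    "result": "success",
    "initiatedBy": {"user": {
        "id": "545cdc90-e36f-41c9-a3df-0558cb8fe2cd",
        "displayName": None,
        "ipAddress": None,
        "userPrincipalName": "jacobsmythe@jacobsmythe111.onmicrosoft.com",
    }},
    "additionalDetails": [
        {"key": "User-Agent",
         "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) "
                  "AppleWebKit/537.36 (KHTML, like Gecko) "
                  "Chrome/83.0.4103.116 Safari/537.36"},
    ],
    "targetResources": [
        {"id": "68fb76ac-2e44-4b65-a133-f7d40aa5c8f1",
         "displayName": "Ry_P5_Splunk_AAFS_AAD"},
    ],
})

# activityDisplayName values that change an application's credentials. Any
# such change deserves review, so this example alerts on it. The set is this
# example's choice, not a Splunk-provided list.
HIGH_VALUE_ACTIVITIES = {
    "Update application – Certificates and secrets management",
}


def flatten(obj, prefix=""):
    """Return a dict of Splunk-style field names for a parsed JSON object.

    Nested objects join their keys with '.', and an array of objects becomes
    multivalue fields named 'array{}.subkey' (one list entry per element).
    """
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            name = f"{prefix}.{key}" if prefix else key
            out.update(flatten(value, name))
    elif isinstance(obj, list):
        for element in obj:
            for name, value in flatten(element, prefix + "{}").items():
                out.setdefault(name, []).append(value)
    else:
        out[prefix] = obj
    return out


def load_fields(raw_json):
    """Parse one raw audit event and flatten it to Splunk-style fields."""
    return flatten(json.loads(raw_json))


def review_event(raw_json):
    """Summarise who did what to which resource, and whether it needs review.

    Uses the table's high-value fields; 'target' is a list because
    targetResources{} is multivalue.
    """
    fields = load_fields(raw_json)
    return {
        "alert": fields.get("activityDisplayName") in HIGH_VALUE_ACTIVITIES,
        "activity": fields.get("activityDisplayName"),
        "who": fields.get("initiatedBy.user.userPrincipalName"),
        "source_ip": fields.get("initiatedBy.user.ipAddress"),
        "target": fields.get("targetResources{}.displayName"),
        "result": fields.get("result"),
        "correlation_id": fields.get("correlationId"),
    }


if __name__ == "__main__":
    for name, value in sorted(load_fields(SAMPLE_EVENT).items()):
        print(f"{name} = {value!r}")
    print(review_event(SAMPLE_EVENT))
```

Because `initiatedBy.user.ipAddress` and `initiatedBy.user.displayName` can be null, as the table's examples show, the review falls back to `initiatedBy.user.userPrincipalName` and the `correlationId` to identify the actor and tie the event to related records.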