Splunk Lantern

Azure Active Directory audit events

You might want a list of activities completed and recorded by Azure Active Directory (AD) when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Azure Active Directory (AD) audit logs provide visibility into changes made by various features within Azure AD. You want a search that will show these changes, such as adding or removing users, apps, groups, roles, and policies. 

To optimize the search shown below, scope it to the index that holds your Azure AD audit data (add an index= term) and to a specific time range, so Splunk does not scan every index for the sourcetype.

  1. Run the following search: 
sourcetype="azure:aad:audit"
|stats values(activityDisplayName) AS Action, values(initiatedBy.user.userPrincipalName) AS UPN, values(targetResources{}.displayName) AS Target, values(targetResources{}.modifiedProperties{}.displayName) AS "Modified Resources", values(targetResources{}.modifiedProperties{}.oldValue) AS "Old Values", values(targetResources{}.modifiedProperties{}.newValue) AS "New Values" BY correlationId

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype="azure:aad:audit"

Search only Azure Active Directory audit log data, which the Splunk Add-on for Microsoft Cloud Services ingests under the azure:aad:audit sourcetype. Sign-in logs arrive under a different sourcetype and are not included. 

|stats values(activityDisplayName) AS Action, values(initiatedBy.user.userPrincipalName) AS UPN, values(targetResources{}.displayName) AS Target, values(targetResources{}.modifiedProperties{}.displayName) AS "Modified Resources", values(targetResources{}.modifiedProperties{}.oldValue) AS "Old Values", values(targetResources{}.modifiedProperties{}.newValue) AS "New Values" BY correlationId

For each correlationId, collect the distinct values of the activity name (Action), the user who initiated it (UPN), the resource or resources it touched (Target), and the names, old values, and new values of the properties that changed. Two caveats apply. First, values() returns distinct values sorted lexicographically, so the Modified Resources, Old Values, and New Values columns are not positionally aligned with each other; to see which old value belongs to which property, inspect the raw targetResources{}.modifiedProperties{} objects. Second, UPN is empty when the change was initiated by an application or service rather than a user, because the initiator is then recorded under initiatedBy.app instead of initiatedBy.user. 
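The following Python script is an added example, not code from Splunk Lantern or the Splunk add-on. It reproduces the grouping the SPL search performs over a handful of constructed Azure AD audit events (the correlationId values and the tenant name are placeholders), using the same field paths the search references, and emulates the distinct-and-sorted behaviour of values(). It also goes one step beyond the search with paired_changes(), which keeps each property's old and new value together, something the values() columns cannot do.

```python
"""Group Azure AD audit events by correlationId, mirroring the SPL search."""
import json
from collections import defaultdict

# Constructed sample events in the shape the azure:aad:audit sourcetype carries
# (Microsoft Graph directoryAudit objects). Not real tenant data; the
# correlationIds "c-1"/"c-2" and the tenant name are placeholders.
SAMPLE_EVENTS = [
    {
        "correlationId": "c-1",
        "activityDisplayName": "Add member to group",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.onmicrosoft.com"}},
        "targetResources": [
            {"displayName": None, "modifiedProperties": [
                {"displayName": "Group.DisplayName", "oldValue": None, "newValue": "\"Frothly\""},
                {"displayName": "Group.ObjectID", "oldValue": None,
                 "newValue": "\"2a59c99e-0000-0000-0000-000000000000\""},
            ]},
        ],
    },
    {
        "correlationId": "c-2",
        "activityDisplayName": "Add app role assignment to service principal",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.onmicrosoft.com"}},
        "targetResources": [
            {"displayName": "Office 365 Management APIs", "modifiedProperties": [
                {"displayName": "ServicePrincipal.DisplayName", "oldValue": None,
                 "newValue": "\"splunk_o365\""},
            ]},
        ],
    },
    {
        # A second event sharing correlationId c-2: "stats ... BY correlationId" merges both.
        "correlationId": "c-2",
        "activityDisplayName": "Add app role assignment grant to user",
        "initiatedBy": {"user": {"userPrincipalName": "admin@example.onmicrosoft.com"}},
        "targetResources": [
            {"displayName": "splunk_o365", "modifiedProperties": [
                {"displayName": "User.UPN", "oldValue": None,
                 "newValue": "\"admin@example.onmicrosoft.com\""},
            ]},
        ],
    },
]


def _get(d, path):
    """Walk a dotted path such as initiatedBy.user.userPrincipalName; None if any level is missing."""
    for key in path.split("."):
        if not isinstance(d, dict):
            return None
        d = d.get(key)
    return d


def _values(items):
    """Emulate SPL values(): distinct, non-null, lexicographically sorted strings."""
    return sorted({str(v) for v in items if v is not None})


def summarize_by_correlation(events):
    """Return {correlationId: {column: [values]}} with the same columns as the SPL search."""
    groups = defaultdict(lambda: defaultdict(list))
    for ev in events:
        cid = ev.get("correlationId")
        if cid is None:
            continue  # stats ... BY drops events that lack the BY field
        g = groups[cid]
        g["Action"].append(_get(ev, "activityDisplayName"))
        g["UPN"].append(_get(ev, "initiatedBy.user.userPrincipalName"))  # empty for app-initiated changes
        for tr in ev.get("targetResources") or []:          # targetResources{}
            g["Target"].append(tr.get("displayName"))
            for mp in tr.get("modifiedProperties") or []:   # targetResources{}.modifiedProperties{}
                g["Modified Resources"].append(mp.get("displayName"))
                g["Old Values"].append(mp.get("oldValue"))
                g["New Values"].append(mp.get("newValue"))
    return {cid: {col: _values(vals) for col, vals in g.items()} for cid, g in groups.items()}


def _decode(v):
    """old/newValue are JSON-encoded strings in the audit schema; decode when possible."""
    if v is None:
        return None
    try:
        return json.loads(v)
    except (TypeError, ValueError):
        return v


def paired_changes(events):
    """Keep (target, property, old, new) tuples together per correlationId; values() loses this pairing."""
    out = defaultdict(list)
    for ev in events:
        cid = ev.get("correlationId")
        for tr in ev.get("targetResources") or []:
            for mp in tr.get("modifiedProperties") or []:
                out[cid].append((tr.get("displayName"), mp.get("displayName"),
                                 _decode(mp.get("oldValue")), _decode(mp.get("newValue"))))
    return dict(out)


if __name__ == "__main__":
    print(json.dumps(summarize_by_correlation(SAMPLE_EVENTS), indent=2))
    print(json.dumps(paired_changes(SAMPLE_EVENTS), indent=2))
```

Note that the "Target" column for c-1 comes back empty because the group's displayName was null in the event, which is the same behaviour the search shows in the sample results below; paired_changes() is what you would use when a compliance reviewer asks which value a specific property changed from and to.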

Result

Sample results for this search are shown below. The values for each field are grouped by correlationId, which is useful when you are tracking a single change that produced several related events or spans services. This audit data is useful for compliance reporting: a report such as this greatly shortens the time it takes to attest that directory changes are logged and reviewed. 

Columns: correlationId | Action | UPN | Target | Modified Resources | Old Values | New Values

correlationId: 02772c8a-fe90-46be-a70c-0f4baaba63af
  Action: Add device
  UPN: (empty)
  Target: fyodor-l
  Modified Resources: AccountEnabled CloudAccountEnabled CloudCreated CloudDeviceOSType CloudDeviceOSVersion CloudDisplayName DeviceOSType DeviceOSVersion DeviceObjectVersion DevicePhysicalIds DisplayName Included Updated Properties
  Old Values: [] null
  New Values: "AccountEnabled, CloudAccountEnabled, CloudDeviceOSType, CloudDeviceOSVersion, CloudDisplayName, CloudCreated, DeviceObjectVersion, DeviceOSType, DeviceOSVersion, DevicePhysicalIds, DisplayName" ["10.0.18362.0"] ["Windows"] ["[HWID]:h:6966510874803856","[USER-HWID]:666203b4-6b29-47c7-94c5-9b7176e09cc6:6966510874803856","[GID]:g:6966510874803858","[USER-GID]:666203b4-6b29-47c7-94c5-9b7176e09cc6:6966510874803858"] ["fyodor-l"] [2] [true]

correlationId: 04c2a430-5a65-4f13-b4bb-204c6a8ad1c6
  Action: Add member to group
  UPN: jacobsmythe@jacobsmythe111.onmicrosoft.com
  Target: null
  Modified Resources: Group.DisplayName Group.ObjectID Group.WellKnownObjectName
  Old Values: null
  New Values: "2a59c99e-51c5-4a72-ad11-ce9d19c5513c" "Frothly" null

correlationId: 05869295-8bd0-4cde-92d2-9eea58d28654
  Action: Update service principal
  UPN: jacobsmythe@jacobsmythe111.onmicrosoft.com
  Target: Ry_P5_Splunk_AAFS_AAD
  Modified Resources: Included Updated Properties TargetId.ServicePrincipalNames
  Old Values: null
  New Values: "" "b233431b-f085-4298-be08-5b6796a50910"

correlationId: 06c69049-bede-4128-ba0f-043cc001ba5b
  Action: Update service principal
  UPN: jacobsmythe@jacobsmythe111.onmicrosoft.com
  Target: Ry_P5_Splunk_AAFS_ResourceGroups
  Modified Resources: Included Updated Properties TargetId.ServicePrincipalNames
  Old Values: null
  New Values: "" "40bae523-d8ad-4ca5-bfed-d490bc1f16a7"

correlationId: 24e307-af3f-4649-b000-b040fdf39265
  Action: Add app role assignment grant to user; Add app role assignment to service principal
  UPN: jacobsmythe@jacobsmythe111.onmicrosoft.com
  Target: Office 365 Management APIs e30f549b-294a-44e1-984d-c4bbb1ddc399 null splunk_o365
  Modified Resources: ServicePrincipal.AppId ServicePrincipal.DisplayName ServicePrincipal.Name ServicePrincipal.ObjectID TargetId.ServicePrincipalNames User.ObjectID User.PUID User.UPN
  Old Values: null
  New Values: "10037FFEA0721F18" "16619e0791-870d-4278-bf42-9c0d866135cb" "545cdc90-e36f-41c9-a3df-0558cb8fe2cd" "e30f549b-294a-44e1-984d-c4bbb1ddc399" "https://manage-gcc.office.com;https://manage.protection.apps.mil;https://manage.office.com;https://manage.office365.us;c5393580-f805-4401-95e8-94b7a6ef2fc2" "jacobsmythe@jacobsmythe111.onmicrosoft.com" "splunk_o365"
