Skip to main content
 
 
 
Splunk Lantern

Azure Active Directory audit events

 

Azure Active Directory (AD) audit logs provide visibility into changes made by various features within Azure AD. You want a search that will show these changes, such as adding or removing users, apps, groups, roles, and policies. 

Data required 

Microsoft: Azure Active Directory audit data

Procedure

  1. Configure the Microsoft Azure Add on for Splunk.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="azure:aad:audit"
|stats values(activityDisplayName) AS Action, values(initiatedBy.user.userPrincipalName) AS UPN, values(targetResources{}.displayName) AS Target, values(targetResources{}.modifiedProperties{}.displayName) AS "Modified Resources", values(targetResources{}.modifiedProperties{}.oldValue) AS "Old Values", values(targetResources{}.modifiedProperties{}.newValue) AS "New Values" BY correlationId

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype="azure:aad:audit"

Search only Azure Active Directory data. 

|stats values(activityDisplayName) AS Action, values(initiatedBy.user.userPrincipalName) AS UPN, values(targetResources{}.displayName) AS Target, values(targetResources{}.modifiedProperties{}.displayName) AS "Modified Resources", values(targetResources{}.modifiedProperties{}.oldValue) AS "Old Values", values(targetResources{}.modifiedProperties{}.newValue) AS "New Values" BY correlationId

Return the appropriate field values for each correlation ID. 

Next steps

Sample results for this search are shown in the table below. The values for each field are grouped by the correlationId, which is useful when you are tracking logs that span services. This audit data is useful for compliance reporting because a report such as this can greatly speed the time it takes to give attestation that controls are in place and being tracked. 

correlationId Action UPN Target Modified Resources Old Values New Values

02772c8a-fe90-46be-a70c-0f4baaba63af

Add device

 

fyodor-l

AccountEnabled CloudAccountEnabled CloudCreated CloudDeviceOSType CloudDeviceOSVersion CloudDisplayName DeviceOSType DeviceOSVersion DeviceObjectVersion DevicePhysicalIds DisplayName Included Updated Properties

[] null

"AccountEnabled, CloudAccountEnabled, CloudDeviceOSType, CloudDeviceOSVersion, CloudDisplayName, CloudCreated, DeviceObjectVersion, DeviceOSType, DeviceOSVersion, DevicePhysicalIds, DisplayName" ["10.0.18362.0"] ["Windows"] ["[HWID]:h:6966510874803856","[USER-HWID]:666203b4-6b29-47c7-94c5-9b7176e09cc6:6966510874803856","[GID]:g:6966510874803858","[USER-GID]:666203b4-6b29-47c7-94c5-9b7176e09cc6:6966510874803858"] ["fyodor-l"] [2] [true]

04c2a430-5a65-4f13-b4bb-204c6a8ad1c6

Add member to group

jacobsmythe@jacobsmythe111.onmicrosoft.com

null

Group.DisplayName Group.ObjectID Group.WellKnownObjectName

null

"2a59c99e-51c5-4a72-ad11-ce9d19c5513c" "Frothly" null

05869295-8bd0-4cde-92d2-9eea58d28654

Update service principal

jacobsmythe@jacobsmythe111.onmicrosoft.com

Ry_P5_Splunk_AAFS_AAD

Included Updated Properties TargetId.ServicePrincipalNames

null

"" "b233431b-f085-4298-be08-5b6796a50910"

06c69049-bede-4128-ba0f-043cc001ba5b

Update service principal

jacobsmythe@jacobsmythe111.onmicrosoft.com

Ry_P5_Splunk_AAFS_ResourceGroups

Included Updated Properties TargetId.ServicePrincipalNames

null

"" "40bae523-d8ad-4ca5-bfed-d490bc1f16a7"

24e307-af3f-4649-b000-b040fdf39265

Add app role assignment grant to user Add app role assignment to service principal

jacobsmythe@jacobsmythe111.onmicrosoft.com

Office 365 Management APIs e30f549b-294a-44e1-984d-c4bbb1ddc399 null splunk_o365

ServicePrincipal.AppId ServicePrincipal.DisplayName ServicePrincipal.Name ServicePrincipal.ObjectID TargetId.ServicePrincipalNames User.ObjectID User.PUID User.UPN

null

"10037FFEA0721F18" "16619e0791-870d-4278-bf42-9c0d866135cb" "545cdc90-e36f-41c9-a3df-0558cb8fe2cd" "e30f549b-294a-44e1-984d-c4bbb1ddc399" "https://manage-gcc.office.com;https://manage.protection.apps.mil;https://manage.office.com;https://manage.office365.us;c5393580-f805-4401-95e8-94b7a6ef2fc2" "jacobsmythe@jacobsmythe111.onmicrosoft.com" "splunk_o365"

Finally, you might be interested in other processes associated with the Managing Azure cloud infrastructure and Detecting lateral movement with Active Directory data use cases.