Azure Active Directory audit events
Azure Active Directory (AD) audit logs provide visibility into changes made by various features within Azure AD. You want a search that will show these changes, such as adding or removing users, apps, groups, roles, and policies.
Data required
Microsoft: Azure Active Directory audit data
Procedure
- Configure the Microsoft Azure Add-on for Splunk.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="azure:aad:audit" |stats values(activityDisplayName) AS Action, values(initiatedBy.user.userPrincipalName) AS UPN, values(targetResources{}.displayName) AS Target, values(targetResources{}.modifiedProperties{}.displayName) AS "Modified Resources", values(targetResources{}.modifiedProperties{}.oldValue) AS "Old Values", values(targetResources{}.modifiedProperties{}.newValue) AS "New Values" BY correlationId
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation
---|---
sourcetype="azure:aad:audit" | Search only Azure Active Directory audit data.
\|stats values(activityDisplayName) AS Action, values(initiatedBy.user.userPrincipalName) AS UPN, values(targetResources{}.displayName) AS Target, values(targetResources{}.modifiedProperties{}.displayName) AS "Modified Resources", values(targetResources{}.modifiedProperties{}.oldValue) AS "Old Values", values(targetResources{}.modifiedProperties{}.newValue) AS "New Values" BY correlationId | Return the appropriate field values for each correlation ID.
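To show what the stats command above actually produces, here is an added example (not code from the page, from Splunk or from Microsoft) that reproduces the grouping in plain Python over a few constructed audit events. It assumes the events are laid out like the Microsoft Graph directoryAudit records the add-on ingests, using the same field names the search references (activityDisplayName, initiatedBy.user.userPrincipalName, targetResources[].displayName and its modifiedProperties). The correlation IDs, UPNs and resource names are placeholders. It also goes one step beyond the search: a helper lists correlation IDs with no user UPN, which is the caveat to keep in mind when reading the UPN column, since a change with no user behind it was made by an application or service and its identity sits under initiatedBy.app instead.

```python
"""Group Azure AD audit events by correlationId, mirroring the page's
`stats values(...) BY correlationId` search, on constructed sample data."""
import json
from collections import defaultdict

# Constructed sample events (not real tenant data), laid out like the
# Microsoft Graph directoryAudit records the Azure add-on ingests.
CORR_A = "00000000-0000-4000-8000-00000000aaaa"  # placeholder correlationId
CORR_B = "00000000-0000-4000-8000-00000000bbbb"  # placeholder correlationId
ADMIN_UPN = "admin@contoso-example.onmicrosoft.com"  # placeholder UPN

SAMPLE_EVENTS = [
    {   # step 1 of a two-step group change performed by a human admin
        "correlationId": CORR_A,
        "activityDisplayName": "Add member to group",
        "initiatedBy": {"user": {"userPrincipalName": ADMIN_UPN}, "app": None},
        "targetResources": [{
            "displayName": "user1@contoso-example.onmicrosoft.com",
            "modifiedProperties": [
                {"displayName": "Group.DisplayName", "oldValue": None, "newValue": "\"Finance\""},
                {"displayName": "Group.ObjectID", "oldValue": None,
                 "newValue": "\"00000000-0000-4000-8000-0000000000f1\""},
            ],
        }],
    },
    {   # step 2 of the same operation: same correlationId, different activity
        "correlationId": CORR_A,
        "activityDisplayName": "Update group",
        "initiatedBy": {"user": {"userPrincipalName": ADMIN_UPN}, "app": None},
        "targetResources": [{"displayName": "Finance", "modifiedProperties": []}],
    },
    {   # device registration performed by a service: no user UPN at all
        "correlationId": CORR_B,
        "activityDisplayName": "Add device",
        "initiatedBy": {"user": None, "app": {"displayName": "Device Registration Service"}},
        "targetResources": [{
            "displayName": "laptop-01",
            "modifiedProperties": [
                {"displayName": "AccountEnabled", "oldValue": "[]", "newValue": "[true]"},
                {"displayName": "DisplayName", "oldValue": "[]", "newValue": "[\"laptop-01\"]"},
            ],
        }],
    },
]

COLUMNS = ("Action", "UPN", "Target", "Modified Resources", "Old Values", "New Values")
_ABSENT = object()  # sentinel: the field does not exist on this event


def _values(seq):
    """Approximate Splunk's values(): distinct values, lexically sorted.
    JSON nulls are kept as the string "null" (that is how they appear in the
    sample results on this page); fields that are absent are dropped."""
    out = set()
    for v in seq:
        if v is _ABSENT:
            continue
        out.add("null" if v is None else str(v))
    return sorted(out)


def _user_upn(event):
    """initiatedBy.user.userPrincipalName, or absent when no user initiated it."""
    user = (event.get("initiatedBy") or {}).get("user")
    return user.get("userPrincipalName", _ABSENT) if user else _ABSENT


def summarize_by_correlation(events):
    """Return {correlationId: {column: sorted distinct values}}: one entry per
    correlation ID, the same shape as a row of the page's stats output."""
    groups = defaultdict(lambda: {c: [] for c in COLUMNS})
    for ev in events:
        g = groups[ev["correlationId"]]
        g["Action"].append(ev.get("activityDisplayName", _ABSENT))
        g["UPN"].append(_user_upn(ev))
        for tr in ev.get("targetResources") or []:
            g["Target"].append(tr.get("displayName", _ABSENT))
            for mp in tr.get("modifiedProperties") or []:
                g["Modified Resources"].append(mp.get("displayName", _ABSENT))
                g["Old Values"].append(mp.get("oldValue", _ABSENT))
                g["New Values"].append(mp.get("newValue", _ABSENT))
    return {cid: {c: _values(vals) for c, vals in cols.items()} for cid, cols in groups.items()}


def unattributed_changes(summary):
    """Correlation IDs whose rows carry no user UPN. Such changes were made by
    an application or service rather than a signed-in user, so initiatedBy.app
    is where to look when attesting who made them."""
    return sorted(cid for cid, cols in summary.items() if not cols["UPN"])


if __name__ == "__main__":
    summary = summarize_by_correlation(SAMPLE_EVENTS)
    print(json.dumps(summary, indent=2))
    print("no user attribution:", unattributed_changes(summary))
```

Running it prints one grouped entry per correlation ID; the two CORR_A events collapse into a single entry with both actions listed, exactly as the stats command collapses them in Splunk, and CORR_B is reported as a change with no user attribution.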
Next steps
Sample results for this search are shown in the table below. The values for each field are grouped by the correlationId, which is useful when you are tracking logs that span services. This audit data is useful for compliance reporting because a report such as this can greatly reduce the time it takes to attest that controls are in place and being tracked.
correlationId | Action | UPN | Target | Modified Resources | Old Values | New Values
---|---|---|---|---|---|---
02772c8a-fe90-46be-a70c-0f4baaba63af | Add device | | fyodor-l | AccountEnabled CloudAccountEnabled CloudCreated CloudDeviceOSType CloudDeviceOSVersion CloudDisplayName DeviceOSType DeviceOSVersion DeviceObjectVersion DevicePhysicalIds DisplayName Included Updated Properties | [] null | "AccountEnabled, CloudAccountEnabled, CloudDeviceOSType, CloudDeviceOSVersion, CloudDisplayName, CloudCreated, DeviceObjectVersion, DeviceOSType, DeviceOSVersion, DevicePhysicalIds, DisplayName" ["10.0.18362.0"] ["Windows"] ["[HWID]:h:6966510874803856","[USER-HWID]:666203b4-6b29-47c7-94c5-9b7176e09cc6:6966510874803856","[GID]:g:6966510874803858","[USER-GID]:666203b4-6b29-47c7-94c5-9b7176e09cc6:6966510874803858"] ["fyodor-l"] [2] [true]
04c2a430-5a65-4f13-b4bb-204c6a8ad1c6 | Add member to group | jacobsmythe@jacobsmythe111.onmicrosoft.com | null | Group.DisplayName Group.ObjectID Group.WellKnownObjectName | null | "2a59c99e-51c5-4a72-ad11-ce9d19c5513c" "Frothly" null
05869295-8bd0-4cde-92d2-9eea58d28654 | Update service principal | jacobsmythe@jacobsmythe111.onmicrosoft.com | Ry_P5_Splunk_AAFS_AAD | Included Updated Properties TargetId.ServicePrincipalNames | null | "" "b233431b-f085-4298-be08-5b6796a50910"
06c69049-bede-4128-ba0f-043cc001ba5b | Update service principal | jacobsmythe@jacobsmythe111.onmicrosoft.com | Ry_P5_Splunk_AAFS_ResourceGroups | Included Updated Properties TargetId.ServicePrincipalNames | null | "" "40bae523-d8ad-4ca5-bfed-d490bc1f16a7"
24e307-af3f-4649-b000-b040fdf39265 | Add app role assignment grant to user Add app role assignment to service principal | jacobsmythe@jacobsmythe111.onmicrosoft.com | Office 365 Management APIs e30f549b-294a-44e1-984d-c4bbb1ddc399 null splunk_o365 | ServicePrincipal.AppId ServicePrincipal.DisplayName ServicePrincipal.Name ServicePrincipal.ObjectID TargetId.ServicePrincipalNames User.ObjectID User.PUID User.UPN | null | "10037FFEA0721F18" "16619e0791-870d-4278-bf42-9c0d866135cb" "545cdc90-e36f-41c9-a3df-0558cb8fe2cd" "e30f549b-294a-44e1-984d-c4bbb1ddc399" "https://manage-gcc.office.com;https://manage.protection.apps.mil;https://manage.office.com;https://manage.office365.us;c5393580-f805-4401-95e8-94b7a6ef2fc2" "jacobsmythe@jacobsmythe111.onmicrosoft.com" "splunk_o365"
Finally, you might be interested in other processes associated with the Managing Azure cloud infrastructure and Detecting lateral movement with Active Directory data use cases.