Skip to main content

Azure Active Directory audit events

  • Updated

You might want a list of activities completed and recorded by Azure Active Directory (AD) when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Azure Active Directory (AD) audit logs provide visibility into changes made by various features within Azure AD. You want a search that will show these changes, such as adding or removing users, apps, groups, roles, and policies. 

NOTE: To optimize the search shown below, you should specify an index and a time range.

  1. Run the following search: 
sourcetype="azure:aad:audit"
|stats values(activityDisplayName) AS Action, values(initiatedBy.user.userPrincipalName) AS UPN, values(targetResources{}.displayName) AS Target, values(targetResources{}.modifiedProperties{}.displayName) AS "Modified Resources", values(targetResources{}.modifiedProperties{}.oldValue) AS "Old Values", values(targetResources{}.modifiedProperties{}.newValue) AS "New Values" BY correlationId

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search

Explanation

sourcetype="azure:aad:audit"

Search only Azure Active Directory data. 

|stats values(activityDisplayName) AS Action, values(initiatedBy.user.userPrincipalName) AS UPN, values(targetResources{}.displayName) AS Target, values(targetResources{}.modifiedProperties{}.displayName) AS "Modified Resources", values(targetResources{}.modifiedProperties{}.oldValue) AS "Old Values", values(targetResources{}.modifiedProperties{}.newValue) AS "New Values" BY correlationId

Return the appropriate field values for each correlation ID. 

 

Result

Sample results for this search are shown in the table below. The values for each field are grouped by the correlationId, which is useful when you are tracking logs that span services. This audit data is useful for compliance reporting because a report such as this can greatly speed the time it takes to give attestation that controls are in place and being tracked. 

correlationId

Action

UPN

Target

Modified Resources

Old Values

New Values

02772c8a-fe90-46be-a70c-0f4baaba63af

Add device

  

fyodor-l

AccountEnabled CloudAccountEnabled CloudCreated CloudDeviceOSType CloudDeviceOSVersion CloudDisplayName DeviceOSType DeviceOSVersion DeviceObjectVersion DevicePhysicalIds DisplayName Included Updated Properties

[] null

"AccountEnabled, CloudAccountEnabled, CloudDeviceOSType, CloudDeviceOSVersion, CloudDisplayName, CloudCreated, DeviceObjectVersion, DeviceOSType, DeviceOSVersion, DevicePhysicalIds, DisplayName" ["10.0.18362.0"] ["Windows"] ["[HWID]:h:6966510874803856","[USER-HWID]:666203b4-6b29-47c7-94c5-9b7176e09cc6:6966510874803856","[GID]:g:6966510874803858","[USER-GID]:666203b4-6b29-47c7-94c5-9b7176e09cc6:6966510874803858"] ["fyodor-l"] [2] [true]

04c2a430-5a65-4f13-b4bb-204c6a8ad1c6

Add member to group

jacobsmythe@jacobsmythe111.onmicrosoft.com

null

Group.DisplayName Group.ObjectID Group.WellKnownObjectName

null

"2a59c99e-51c5-4a72-ad11-ce9d19c5513c" "Frothly" null

05869295-8bd0-4cde-92d2-9eea58d28654

Update service principal

jacobsmythe@jacobsmythe111.onmicrosoft.com

Ry_P5_Splunk_AAFS_AAD

Included Updated Properties TargetId.ServicePrincipalNames

null

"" "b233431b-f085-4298-be08-5b6796a50910"

06c69049-bede-4128-ba0f-043cc001ba5b

Update service principal

jacobsmythe@jacobsmythe111.onmicrosoft.com

Ry_P5_Splunk_AAFS_ResourceGroups

Included Updated Properties TargetId.ServicePrincipalNames

null

"" "40bae523-d8ad-4ca5-bfed-d490bc1f16a7"

24e307-af3f-4649-b000-b040fdf39265

Add app role assignment grant to user Add app role assignment to service principal

jacobsmythe@jacobsmythe111.onmicrosoft.com

Office 365 Management APIs e30f549b-294a-44e1-984d-c4bbb1ddc399 null splunk_o365

ServicePrincipal.AppId ServicePrincipal.DisplayName ServicePrincipal.Name ServicePrincipal.ObjectID TargetId.ServicePrincipalNames User.ObjectID User.PUID User.UPN

null

"10037FFEA0721F18" "16619e0791-870d-4278-bf42-9c0d866135cb" "545cdc90-e36f-41c9-a3df-0558cb8fe2cd" "e30f549b-294a-44e1-984d-c4bbb1ddc399" "https://manage-gcc.office.com;https://manage.protection.apps.mil;https://manage.office.com;https://manage.office365.us;c5393580-f805-4401-95e8-94b7a6ef2fc2" "jacobsmythe@jacobsmythe111.onmicrosoft.com" "splunk_o365"

Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.