You might want a list of activities completed and recorded by Azure Active Directory (AD) when doing the following:
Prerequisites
In order to execute this procedure in your environment, the following data, services, or apps are required:
Example
Azure Active Directory (AD) audit logs provide visibility into changes made by various features within Azure AD. You want a search that will show these changes, such as adding or removing users, apps, groups, roles, and policies.
NOTE: To optimize the search shown below, you should specify an index and a time range.
- Run the following search:
sourcetype="azure:aad:audit"
|stats values(activityDisplayName) AS Action, values(initiatedBy.user.userPrincipalName) AS UPN, values(targetResources{}.displayName) AS Target, values(targetResources{}.modifiedProperties{}.displayName) AS "Modified Resources", values(targetResources{}.modifiedProperties{}.oldValue) AS "Old Values", values(targetResources{}.modifiedProperties{}.newValue) AS "New Values" BY correlationId
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
| --- | --- |
| `sourcetype="azure:aad:audit"` | Search only Azure Active Directory audit data. |
| `\|stats values(activityDisplayName) AS Action, values(initiatedBy.user.userPrincipalName) AS UPN, values(targetResources{}.displayName) AS Target, values(targetResources{}.modifiedProperties{}.displayName) AS "Modified Resources", values(targetResources{}.modifiedProperties{}.oldValue) AS "Old Values", values(targetResources{}.modifiedProperties{}.newValue) AS "New Values" BY correlationId` | Return the distinct values of each of these fields, grouped by correlation ID. |
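To show what the `stats values(...) BY correlationId` step actually does to the raw audit records, here is an added Python example (not part of the original page or of Splunk's own code) that resolves the same field paths the search uses and groups them by `correlationId`. It assumes the record layout of the Azure AD audit events the `azure:aad:audit` sourcetype ingests (`correlationId`, `activityDisplayName`, `initiatedBy.user`, a `targetResources` array with `modifiedProperties`), and it reproduces two Splunk behaviours worth knowing when you read the results table: a `{}` segment in a field name means "every element of that array", and `values()` returns distinct values in lexicographical order. The sample events, correlation IDs and object IDs are constructed; the two events that share one correlation ID, and the device-registration event with no initiating user, illustrate why a single correlation ID can carry several actions and why the UPN column can be empty.

```python
import json
from collections import defaultdict

# Constructed sample events (not real tenant data). Layout follows the Azure AD
# directoryAudit records ingested as azure:aad:audit; oldValue/newValue are
# JSON-encoded strings, which is why the search output shows quoted values.
CID_GROUP = "c0ffee00-0000-4000-8000-000000000001"     # constructed
CID_APP_ROLE = "c0ffee00-0000-4000-8000-000000000002"  # constructed
CID_DEVICE = "c0ffee00-0000-4000-8000-000000000003"    # constructed
ADMIN = "admin@contoso-example.onmicrosoft.com"        # constructed

SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"correlationId": CID_GROUP, "activityDisplayName": "Add member to group",
     "initiatedBy": {"user": {"userPrincipalName": ADMIN}},
     "targetResources": [{"displayName": None, "modifiedProperties": [
         {"displayName": "Group.DisplayName", "oldValue": None, "newValue": "\"Frothly\""},
         {"displayName": "Group.ObjectID", "oldValue": None,
          "newValue": "\"00000000-0000-4000-8000-0000000000aa\""}]}]},
    # Two events with one correlationId: one operation recorded as two activities.
    {"correlationId": CID_APP_ROLE, "activityDisplayName": "Add app role assignment grant to user",
     "initiatedBy": {"user": {"userPrincipalName": ADMIN}},
     "targetResources": [{"displayName": "Office 365 Management APIs", "modifiedProperties": [
         {"displayName": "User.UPN", "oldValue": None, "newValue": "\"%s\"" % ADMIN}]}]},
    {"correlationId": CID_APP_ROLE, "activityDisplayName": "Add app role assignment to service principal",
     "initiatedBy": {"user": {"userPrincipalName": ADMIN}},
     "targetResources": [{"displayName": "splunk_o365", "modifiedProperties": [
         {"displayName": "ServicePrincipal.DisplayName", "oldValue": None, "newValue": "\"splunk_o365\""}]}]},
    # Initiated by a service, not a user: initiatedBy.user is absent, so UPN is empty.
    {"correlationId": CID_DEVICE, "activityDisplayName": "Add device",
     "initiatedBy": {"app": {"displayName": "Device Registration Service"}},
     "targetResources": [{"displayName": "fyodor-l", "modifiedProperties": [
         {"displayName": "DeviceOSType", "oldValue": "[]", "newValue": "[\"Windows\"]"}]}]},
]]

# Same column names and field paths as the search on this page.
FIELDS = {
    "Action": "activityDisplayName",
    "UPN": "initiatedBy.user.userPrincipalName",
    "Target": "targetResources{}.displayName",
    "Modified Resources": "targetResources{}.modifiedProperties{}.displayName",
    "Old Values": "targetResources{}.modifiedProperties{}.oldValue",
    "New Values": "targetResources{}.modifiedProperties{}.newValue",
}


def extract(event, path):
    """Resolve a Splunk-style JSON field path against one parsed event.

    A segment ending in '{}' (e.g. 'targetResources{}') fans out over every
    element of that array; a plain segment is a dict key. Missing keys and
    null leaves are skipped, so the result is the list of non-null leaf values.
    """
    current = [event]
    for segment in path.split("."):
        expand = segment.endswith("{}")
        key = segment[:-2] if expand else segment
        nxt = []
        for node in current:
            if not isinstance(node, dict) or key not in node:
                continue
            value = node[key]
            if expand:
                if isinstance(value, list):
                    nxt.extend(value)
            else:
                nxt.append(value)
        current = nxt
    return [v for v in current if v is not None]


def stats_values_by_correlation(raw_events):
    """Mimic `stats values(...) AS ... BY correlationId`.

    Returns {correlationId: {column: sorted distinct values}}. Like Splunk,
    values() de-duplicates and orders lexicographically, and events without
    the BY field are dropped from the result.
    """
    rows = defaultdict(lambda: {name: set() for name in FIELDS})
    for raw in raw_events:
        event = json.loads(raw)
        cid = event.get("correlationId")
        if cid is None:
            continue
        for name, path in FIELDS.items():
            rows[cid][name].update(str(v) for v in extract(event, path))
    return {cid: {name: sorted(vals) for name, vals in cols.items()}
            for cid, cols in rows.items()}


if __name__ == "__main__":
    for cid, cols in stats_values_by_correlation(SAMPLE_EVENTS).items():
        print(cid)
        for name, vals in cols.items():
            print("  %-18s %s" % (name, vals))
```

Running it prints one row per correlation ID, with the two app-role events collapsed into a single row carrying both actions and both targets, and the device-registration row with an empty UPN list. The same grouping is what makes the Splunk results useful for tracing an operation that spans several services, and the empty-UPN case is a reminder to check `initiatedBy.app` when the user field is blank rather than assuming the record is incomplete.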
Result
Sample results for this search are shown in the table below. The values for each field are grouped by correlationId, which is useful when you are tracking activity that spans services. This audit data is useful for compliance reporting because a report such as this can greatly shorten the time it takes to attest that controls are in place and being tracked.
| correlationId | Action | UPN | Target | Modified Resources | Old Values | New Values |
| --- | --- | --- | --- | --- | --- | --- |
| 02772c8a-fe90-46be-a70c-0f4baaba63af | Add device | | fyodor-l | AccountEnabled CloudAccountEnabled CloudCreated CloudDeviceOSType CloudDeviceOSVersion CloudDisplayName DeviceOSType DeviceOSVersion DeviceObjectVersion DevicePhysicalIds DisplayName Included Updated Properties | [] null | "AccountEnabled, CloudAccountEnabled, CloudDeviceOSType, CloudDeviceOSVersion, CloudDisplayName, CloudCreated, DeviceObjectVersion, DeviceOSType, DeviceOSVersion, DevicePhysicalIds, DisplayName" ["10.0.18362.0"] ["Windows"] ["[HWID]:h:6966510874803856","[USER-HWID]:666203b4-6b29-47c7-94c5-9b7176e09cc6:6966510874803856","[GID]:g:6966510874803858","[USER-GID]:666203b4-6b29-47c7-94c5-9b7176e09cc6:6966510874803858"] ["fyodor-l"] [2] [true] |
| 04c2a430-5a65-4f13-b4bb-204c6a8ad1c6 | Add member to group | jacobsmythe@jacobsmythe111.onmicrosoft.com | null | Group.DisplayName Group.ObjectID Group.WellKnownObjectName | null | "2a59c99e-51c5-4a72-ad11-ce9d19c5513c" "Frothly" null |
| 05869295-8bd0-4cde-92d2-9eea58d28654 | Update service principal | jacobsmythe@jacobsmythe111.onmicrosoft.com | Ry_P5_Splunk_AAFS_AAD | Included Updated Properties TargetId.ServicePrincipalNames | null | "" "b233431b-f085-4298-be08-5b6796a50910" |
| 06c69049-bede-4128-ba0f-043cc001ba5b | Update service principal | jacobsmythe@jacobsmythe111.onmicrosoft.com | Ry_P5_Splunk_AAFS_ResourceGroups | Included Updated Properties TargetId.ServicePrincipalNames | null | "" "40bae523-d8ad-4ca5-bfed-d490bc1f16a7" |
| 24e307-af3f-4649-b000-b040fdf39265 | Add app role assignment grant to user Add app role assignment to service principal | jacobsmythe@jacobsmythe111.onmicrosoft.com | Office 365 Management APIs e30f549b-294a-44e1-984d-c4bbb1ddc399 null splunk_o365 | ServicePrincipal.AppId ServicePrincipal.DisplayName ServicePrincipal.Name ServicePrincipal.ObjectID TargetId.ServicePrincipalNames User.ObjectID User.PUID User.UPN | null | "10037FFEA0721F18" "16619e0791-870d-4278-bf42-9c0d866135cb" "545cdc90-e36f-41c9-a3df-0558cb8fe2cd" "e30f549b-294a-44e1-984d-c4bbb1ddc399" "https://manage-gcc.office.com;https://manage.protection.apps.mil;https://manage.office.com;https://manage.office365.us;c5393580-f805-4401-95e8-94b7a6ef2fc2" "jacobsmythe@jacobsmythe111.onmicrosoft.com" "splunk_o365" |