Azure Active Directory audit data provides information on the operations of your Active Directory resources. These audit logs capture CRUD (Create-Read-Update-Delete) type actions against Azure AD resources such as user accounts, security groups, and devices. These logs are separate to Azure Audit Logs, which focus specifically on auditing Azure from a management control plane perspective.
Data visibility
This data source provides insight into Active Directory changes, including new and old values. It is crucial for monitoring changes to Azure Active Directory. Critical security use cases can be delivered with this data. The following table describes high-value fields.
|
Field Name |
Field Type |
Description |
Example |
|
activityDate |
string |
Timestamp of activity |
2020-07-16T07:22:48.4694093Z |
|
activityDateTime |
string |
Timestamp of activity |
2020-07-16T07:22:48.4694093Z |
|
activityDisplayName |
string |
What action the user is performing |
Update application – Certificates and secrets management |
|
additionalDetails{}.key |
string |
Key value for the following field |
User-Agent |
|
additionalDetails{}.value |
string |
User agent for the users device |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36 |
|
category |
string |
Azure category |
ApplicationManagement |
|
correlationId |
string |
Unique Azure correlation ID |
6ef39773-eb79-4258-8ad0-c07fe5816715 |
|
initiatedBy.user.displayName |
string |
Display Name (if configured) of the user that initiated the activity |
null |
|
initiatedBy.user.id |
string |
User ID of the user that initiated the activity |
545cdc90-e36f-41c9-a3df-0558cb8fe2cd |
|
initiatedBy.user.ipAddress |
string |
IP Address (if known) of the device that initiated the activity |
null |
|
initiatedBy.user.userPrincipalName |
string |
Which user initiated the activity |
jacobsmythe@jacobsmythe111.onmicrosoft.com |
|
loggedByService |
string |
Which Azure service logged the activity |
Core Directory |
|
operationType |
string |
What type of operation was performed |
Update |
|
result |
string |
Status of the activity |
success |
|
targetResources{}.displayName |
string |
What resource was modified |
Ry_P5_Splunk_AAFS_AAD |
|
targetResources{}.id |
string |
ID of the resource |
68fb76ac-2e44-4b65-a133-f7d40aa5c8f1 |
Data application
When your Splunk deployment is ingesting Azure Active Directory audit data, you can use the data to achieve the following objectives:
Configuration
The following sections provide information on configuring Splunk software to ingest this data source. To configure the device or software, we recommend that you leverage official Microsoft Azure resources.
Data ingestion
If your deployment is not already ingesting Azure Active Directory data, follow the Getting Data In guidance for Splunk Enterprise or the Onboarding and Forwarding Your Data guidance for Splunk Cloud.
The source type is azure:aad:audit.
In addition, you will need the Microsoft Azure Add-on for Splunk. The add-on can be downloaded here and the add-on documentation can be accessed here. Read and follow the documentation carefully to understand all the essential information you need to work with this data source, including how to install the add-on, configure Active Directory, and configure Splunk.
Comments
0 comments
Please sign in to leave a comment.