Data Source: O365 Change user license.

Description

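Data source object for the O365 "Change user license." operation, an `AzureActiveDirectory` workload event with sourcetype `o365:management:activity`. As the example log below shows, the `Operation` value includes the trailing period, so an exact-match search must include it. In that example, `UserId` and the `Actor` entries identify the account that made the change, while `ObjectId` and the `Target` entries identify the account whose license was changed.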

Details

| Property | Value |
| --- | --- |
| Source | `o365` |
| Sourcetype | `o365:management:activity` |
| Separator | `Operation` |

Supported Apps

Event Fields

Fields

- `_time`
- `ActorContextId`
- `Actor{}.ID`
- `Actor{}.Type`
- `AzureActiveDirectoryEventType`
- `CreationTime`
- `ExtendedProperties{}.Name`
- `ExtendedProperties{}.Value`
- `Id`
- `InterSystemsId`
- `IntraSystemId`
- `ObjectId`
- `Operation`
- `OrganizationId`
- `RecordType`
- `ResultStatus`
- `SupportTicketId`
- `TargetContextId`
- `Target{}.ID`
- `Target{}.Type`
- `UserId`
- `UserKey`
- `UserType`
- `Version`
- `Workload`
- `action`
- `additionalDetails`
- `app`
- `authentication_service`
- `change_type`
- `command`
- `dataset_name`
- `date_hour`
- `date_mday`
- `date_minute`
- `date_month`
- `date_second`
- `date_wday`
- `date_year`
- `date_zone`
- `dest`
- `dest_name`
- `dvc`
- `event_type`
- `eventtype`
- `extendedAuditEventCategory`
- `host`
- `index`
- `linecount`
- `object`
- `object_attrs`
- `object_category`
- `punct`
- `record_type`
- `signature`
- `source`
- `sourcetype`
- `splunk_server`
- `src_user`
- `status`
- `tag`
- `tag::eventtype`
- `timeendpos`
- `timestartpos`
- `user`
- `user_id`
- `user_type`
- `vendor_account`
- `vendor_product`

Example Log

1{"CreationTime": "2023-09-11T15:55:46", "Id": "1e39f32d-081d-4494-994a-533b57f91df7", "Operation": "Change user license.", "OrganizationId": "bbad9541-eb53-4533-bcef-2b76182c3b75", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "victimUser@splunkresearch.onmicrosoft.com", "UserId": "evilUser@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"id\":\"64c07906-cb25-4d37-b38c-a862f2e49671\",\"seq\":\"6\",\"b\":\"://admin.microsoft.com;https://wusportalprv.office.com;https://auth.microsoftonline.com;https://portal.office.com;https://portal-sdf.office.com/;https://portal.office.com/;https://cp.portal.office.com/;https://scuportalprv.office.com;https://ncuportalprv.office.com;https://ncuportal.office.com;https://weuportal.office.com;https://eusportal.office.com;https://neuportal.office.com;https://scuportal.office.com;https://seaportal.office.com;https://wusportal.office.com;https://easportal.office.com;https://wjpportal.office.com;https://ejpportal.office.com;https://nukportal.office.com;https://sukportal.office.com;https://admin-ignite.microsoft.com;https://admin-sdf.microsoft.com;https://wukportal.office.com/\\\\\\\"},{\\\\\\\"Name\\\\\\\":\\\\\\\"SPN\\\\\\\",\\\\\\\"OldValue\\\\\\\":null,\\\\\\\"NewValue\\\\\\\":\\\\\\\"Microsoft.Office365Portal;00000006-0000-0ff1-ce00-000000000000;00000006-0000-0ff1-ce00-000000000000/portal.microsoftonline.com;https://ncuportalprv-staging.office.com;https://scuportalprv-staging.office.com;https://admin.microsoft365.com;https://portal-sdf.apps.mil/;https://portal-sdf.apps.mil;https://portal.apps.mil/;https://portal.apps.mil;https://portal-sdf.office365.us/;https://portal-sdf.office365.us;https://portal.office365.us/;https://portal.office365.us;https://portal.microsoft.com;https://admin.microsoft.com;https://wusportalpr
v.office.com;https://auth.microsoftonline.com;https://portal.office.com;https://portal-sdf.office.com/;https://portal.office.com/;https://cp.portal.office.com/;https://scuportalprv.office.com;https://ncuportalprv.office.com;https://ncuportal.office.com;https://weuportal.office.com;https://eusportal.office.com;https://neuportal.office.com;https://scuportal.office.com;https://seaportal.office.com;https://wusportal.office.com;https://easportal.office.com;https://wjpportal.office.com;https://ejpportal.office.com;https://nukportal.office.com;https://sukportal.office.com;https://admin-ignite.microsoft.com;https://admin-sdf.microsoft.com;https://wukportal.office.com/\\\\\\\"}]\\\",\\\"additionalDetails\\\":\\\"{\\\\\\\"User-Agent\\\\\\\":\\\\\\\"O365AdminPortal\\\\\\\"}\\\"}\",\"c\":\"6\"}"}, {"Name": "extendedAuditEventCategory", "Value": "User"}], "ModifiedProperties": [], "Actor": [{"ID": "evilUser@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "Microsoft Office 365 Portal", "Type": 1}, {"ID": "00000006-0000-0ff1-ce00-000000000000", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "bbad9541-eb53-4533-bcef-2b76182c3b75", "InterSystemsId": "0817f79e-f0ea-4518-9c21-7babc9a36a79", "IntraSystemId": "6ae5503d-8764-4f6f-9547-668f4b2f82ca", "SupportTicketId": "", "Target": [{"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User", "Type": 2}, {"ID": "victimUser@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "10032002CC029AE9", "Type": 3}], "TargetContextId": "bbad9541-eb53-4533-bcef-2b76182c3b75"}

Source: GitHub | Version: 1