<span class="pill kill-chain">_time</span>
<span class="pill kill-chain">Level</span>
<span class="pill kill-chain">callerIpAddress</span>
<span class="pill kill-chain">category</span>
<span class="pill kill-chain">correlationId</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">durationMs</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">operationName</span>
<span class="pill kill-chain">operationVersion</span>
<span class="pill kill-chain">properties.activityDateTime</span>
<span class="pill kill-chain">properties.activityDisplayName</span>
<span class="pill kill-chain">properties.additionalDetails{}.key</span>
<span class="pill kill-chain">properties.additionalDetails{}.value</span>
<span class="pill kill-chain">properties.category</span>
<span class="pill kill-chain">properties.correlationId</span>
<span class="pill kill-chain">properties.id</span>
<span class="pill kill-chain">properties.initiatedBy.user.displayName</span>
<span class="pill kill-chain">properties.initiatedBy.user.id</span>
<span class="pill kill-chain">properties.initiatedBy.user.ipAddress</span>
<span class="pill kill-chain">properties.initiatedBy.user.userPrincipalName</span>
<span class="pill kill-chain">properties.loggedByService</span>
<span class="pill kill-chain">properties.operationType</span>
<span class="pill kill-chain">properties.result</span>
<span class="pill kill-chain">properties.resultReason</span>
<span class="pill kill-chain">properties.targetResources{}.displayName</span>
<span class="pill kill-chain">properties.targetResources{}.id</span>
<span class="pill kill-chain">properties.targetResources{}.modifiedProperties{}.displayName</span>
<span class="pill kill-chain">properties.targetResources{}.modifiedProperties{}.newValue</span>
<span class="pill kill-chain">properties.targetResources{}.modifiedProperties{}.oldValue</span>
<span class="pill kill-chain">properties.targetResources{}.type</span>
<span class="pill kill-chain">properties.userAgent</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">resourceId</span>
<span class="pill kill-chain">resultDescription</span>
<span class="pill kill-chain">resultSignature</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">tenantId</span>
<span class="pill kill-chain">time</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestartpos</span>
Data Source: Azure Active Directory Consent to application
Description
Logs user or admin consent to an application's permissions in Azure Active Directory, including details about the application, granted permissions, and the consenting user or process.
Details
| Property | Value |
|---|---|
| Source | Azure AD |
| Sourcetype | azure:monitor:aad |
| Separator | operationName |
Supported Apps
- Splunk Add-on for Microsoft Cloud Services (version 5.4.3)
Event Fields
Example Log
{"time": "2023-10-27T16:14:14.9747033Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Consent to application", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultSignature": "None", "resultDescription": "Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException", "durationMs": 0, "callerIpAddress": "13.85.188.242", "correlationId": "864210f1-2950-47cb-9e12-1a71dcbdb1d5", "Level": 4, "properties": {"id": "Directory_864210f1-2950-47cb-9e12-1a71dcbdb1d5_DO21D_338329364", "category": "ApplicationManagement", "correlationId": "864210f1-2950-47cb-9e12-1a71dcbdb1d5", "result": "failure", "resultReason": "Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException", "activityDisplayName": "Consent to application", "activityDateTime": "2023-10-27T16:14:14.9747033+00:00", "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"user": {"id": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "displayName": null, "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "ipAddress": "13.85.188.242", "roles": []}}, "targetResources": [{"id": "6228c72e-8895-4681-bbda-238132dc4f3c", "displayName": "Bad App 1", "type": "Application", "modifiedProperties": [{"displayName": "ConsentContext.IsAdminConsent", "oldValue": null, "newValue": "\"False\""}, {"displayName": "ConsentContext.IsAppOnly", "oldValue": null, "newValue": "\"False\""}, {"displayName": "ConsentContext.OnBehalfOfAll", "oldValue": null, "newValue": "\"False\""}, {"displayName": "ConsentContext.Tags", "oldValue": null, "newValue": "\"WindowsAzureActiveDirectoryIntegratedApp\""}, {"displayName": "ConsentAction.Permissions", "oldValue": null, "newValue": "\"[] => [[Id: AAAAAAAAAAAAAAAAAAAAALSZcc5Sj_NGtUtP2B3pYeI2veRXIpdKSpcpcgPY4Aty, ClientId: 00000000-0000-0000-0000-000000000000, PrincipalId: 57e4bd36-9722-4a4a-9729-7203d8e00b72, ResourceId: ce7199b4-8f52-46f3-b54b-4fd81de961e2, ConsentType: Principal, Scope: Mail.Read Mail.Read.Shared Mail.ReadBasic Mail.ReadBasic.Shared Mail.ReadWrite Mail.ReadWrite.Shared Mail.Send Mail.Send.Shared User.Read, CreatedDateTime: , LastModifiedDateTime ]]; \""}, {"displayName": "ConsentAction.Reason", "oldValue": null, "newValue": "\"Risky application detected\""}, {"displayName": "MethodExecutionResult.", "oldValue": null, "newValue": "\"Microsoft.Online.Security.UserConsentBlockedForRiskyAppsException\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "EvoSTS"}, {"key": "AppId", "value": "96f6a3d6-d5aa-4af5-a77a-9319b5283712"}]}}
Source: GitHub | Version: 2