<span class="pill kill-chain">_time</span>
<span class="pill kill-chain">Level</span>
<span class="pill kill-chain">additional_details</span>
<span class="pill kill-chain">additional_details_name</span>
<span class="pill kill-chain">additional_details_value</span>
<span class="pill kill-chain">category</span>
<span class="pill kill-chain">command</span>
<span class="pill kill-chain">correlationId</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">dest</span>
<span class="pill kill-chain">dest_type</span>
<span class="pill kill-chain">durationMs</span>
<span class="pill kill-chain">dvc</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">id</span>
<span class="pill kill-chain">identity</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">object_attrs</span>
<span class="pill kill-chain">object_id</span>
<span class="pill kill-chain">operationName</span>
<span class="pill kill-chain">operationVersion</span>
<span class="pill kill-chain">path_from_resourceId</span>
<span class="pill kill-chain">properties.activityDateTime</span>
<span class="pill kill-chain">properties.activityDisplayName</span>
<span class="pill kill-chain">properties.additionalDetails{}.key</span>
<span class="pill kill-chain">properties.additionalDetails{}.value</span>
<span class="pill kill-chain">properties.category</span>
<span class="pill kill-chain">properties.correlationId</span>
<span class="pill kill-chain">properties.id</span>
<span class="pill kill-chain">properties.initiatedBy.app.appId</span>
<span class="pill kill-chain">properties.initiatedBy.app.displayName</span>
<span class="pill kill-chain">properties.initiatedBy.app.servicePrincipalId</span>
<span class="pill kill-chain">properties.initiatedBy.app.servicePrincipalName</span>
<span class="pill kill-chain">properties.loggedByService</span>
<span class="pill kill-chain">properties.operationType</span>
<span class="pill kill-chain">properties.result</span>
<span class="pill kill-chain">properties.resultReason</span>
<span class="pill kill-chain">properties.targetResources{}.displayName</span>
<span class="pill kill-chain">properties.targetResources{}.id</span>
<span class="pill kill-chain">properties.targetResources{}.modifiedProperties{}.displayName</span>
<span class="pill kill-chain">properties.targetResources{}.modifiedProperties{}.newValue</span>
<span class="pill kill-chain">properties.targetResources{}.modifiedProperties{}.oldValue</span>
<span class="pill kill-chain">properties.targetResources{}.type</span>
<span class="pill kill-chain">properties.userAgent</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">resourceId</span>
<span class="pill kill-chain">result</span>
<span class="pill kill-chain">resultSignature</span>
<span class="pill kill-chain">result_id</span>
<span class="pill kill-chain">signature</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">src_user_type</span>
<span class="pill kill-chain">status</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">tenantId</span>
<span class="pill kill-chain">time</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestartpos</span>
<span class="pill kill-chain">user_agent</span>
<span class="pill kill-chain">user_type</span>
<span class="pill kill-chain">vendor_account</span>
<span class="pill kill-chain">vendor_product</span>
Data Source: Azure Active Directory Add app role assignment to service principal
Description
Data source object for the Azure AD (Microsoft Entra ID) audit event emitted when an application role (application permission) is assigned to a service principal. The event arrives in the `AuditLogs` category with `operationName` = "Add app role assignment to service principal" and `properties.operationType` = "Assign". The granted role is carried in `properties.targetResources{}.modifiedProperties{}` as `AppRole.Id` / `AppRole.Value` / `AppRole.DisplayName`, and the receiving service principal in `ServicePrincipal.ObjectID` / `ServicePrincipal.AppId`; the first `targetResources` entry is the resource application whose role is being granted (here Office 365 Exchange Online), the second is the principal receiving it. Practitioner notes from the example below: the grant is `full_access_as_app`, described by Microsoft as "full access to all mailboxes" via EWS — an application-level permission with tenant-wide mailbox impact that warrants alerting on its own, regardless of the granting identity. The actor is recorded under `properties.initiatedBy.app` (an application, not a user), with `appId` and `servicePrincipalName` null, so pivot on `servicePrincipalId` and `displayName` rather than `appId`. `properties.userAgent` is null while the real client string ("PowerShell/7.3.4" in the example) sits in `properties.additionalDetails{}` under the `User-Agent` key, so searches on the CIM `user_agent` field should be checked against `additional_details_name`/`additional_details_value` before being relied on. `properties.result` is "success" with an empty `resultReason`, so a detection must not require a non-empty reason.
Details
Property | Value |
---|---|
Source | Azure AD |
Sourcetype | azure:monitor:aad |
Separator | operationName |
Supported Apps
- Splunk Add-on for Microsoft Cloud Services (version 5.4.1)
Event Fields
Example Log
1{"time": "2024-02-08T21:49:53.7643129Z", "resourceId": "/tenants/75243ab2-44f8-435c-a7a6-b479385df6d4/providers/Microsoft.aadiam", "operationName": "Add app role assignment to service principal", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "resultSignature": "None", "durationMs": 0, "correlationId": "ed53faec-49b5-444f-b6af-b928558ca433", "identity": "LegacyTestOAuthApp", "Level": 4, "properties": {"id": "Directory_ed53faec-49b5-444f-b6af-b928558ca433_XH34Q_29215277", "category": "ApplicationManagement", "correlationId": "ed53faec-49b5-444f-b6af-b928558ca433", "result": "success", "resultReason": "", "activityDisplayName": "Add app role assignment to service principal", "activityDateTime": "2024-02-08T21:49:53.7643129+00:00", "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"app": {"appId": null, "displayName": "LegacyTestOAuthApp", "servicePrincipalId": "fc8c8125-bc0c-499d-8344-e53c6e3caa81", "servicePrincipalName": null}}, "targetResources": [{"id": "8429eb5c-faeb-4ade-8eac-acc003790769", "displayName": "Office 365 Exchange Online", "type": "ServicePrincipal", "modifiedProperties": [{"displayName": "AppRole.Id", "oldValue": null, "newValue": "\"dc890d15-9560-4a4c-9b7f-a736ec74ec40\""}, {"displayName": "AppRole.Value", "oldValue": null, "newValue": "\"full_access_as_app\""}, {"displayName": "AppRole.DisplayName", "oldValue": null, "newValue": "\"Use Exchange Web Services with full access to all mailboxes\""}, {"displayName": "AppRoleAssignment.CreatedDateTime", "oldValue": null, "newValue": "\"2024-02-08T21:49:53.6813076Z\""}, {"displayName": "AppRoleAssignment.LastModifiedDateTime", "oldValue": null, "newValue": "\"2024-02-08T21:49:53.6813076Z\""}, {"displayName": "ServicePrincipal.ObjectID", "oldValue": null, "newValue": "\"2e5c2fd0-cca4-452c-9891-a07c0dafd964\""}, {"displayName": "ServicePrincipal.DisplayName", "oldValue": null, "newValue": 
"\"STRT_Oauth\""}, {"displayName": "ServicePrincipal.AppId", "oldValue": null, "newValue": "\"5f91ce94-4cc5-4ebe-aeb6-f074e57201bb\""}, {"displayName": "ServicePrincipal.Name", "oldValue": null, "newValue": "\"5f91ce94-4cc5-4ebe-aeb6-f074e57201bb\""}, {"displayName": "TargetId.ServicePrincipalNames", "oldValue": null, "newValue": "\"https://outlook.office.com;Microsoft.Exchange;00000002-0000-0ff1-ce00-000000000000;00000002-0000-0ff1-ce00-000000000000/*.outlook.com;00000002-0000-0ff1-ce00-000000000000/outlook.com;00000002-0000-0ff1-ce00-000000000000/mail.office365.com;00000002-0000-0ff1-ce00-000000000000/outlook.office365.com;https://webmail.apps.mil/;https://ps.protection.outlook.com/;https://outlook-dod.office365.us/;https://outlook.com/;https://outlook.office365.com/;https://outlook.office.com/;https://outlook.office365.com:443/;https://outlook-sdf.office365.com/;https://outlook-sdf.office.com/;https://outlook.office365.us/;https://autodiscover-s.office365.us/;https://ps.compliance.protection.outlook.com;https://manage.protection.apps.mil;https://outlook-tdf.office.com/;https://outlook-tdf-2.office.com/;https://ps.outlook.com\""}], "administrativeUnits": []}, {"id": "2e5c2fd0-cca4-452c-9891-a07c0dafd964", "displayName": "5f91ce94-4cc5-4ebe-aeb6-f074e57201bb", "type": "ServicePrincipal", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Darwin 23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:28:58 PST 2023; root:xnu-10002.81.5~7/RELEASE_X86_64; en-US) PowerShell/7.3.4"}, {"key": "AppId", "value": "00000002-0000-0ff1-ce00-000000000000"}]}}
Source: GitHub | Version: 1