Data Source: O365 Add service principal.

Logs the addition of a new service principal in Microsoft 365, including details about the associated application and the actor that initiated the change.

Property Value
Source o365
Sourcetype o365:management:activity
Separator Operation
+ Fields

            _time
          
            ActorContextId
          
            Actor{}.ID
          
            Actor{}.Type
          
            AzureActiveDirectoryEventType
          
            CreationTime
          
            ExtendedProperties{}.Name
          
            ExtendedProperties{}.Value
          
            Id
          
            InterSystemsId
          
            IntraSystemId
          
            ModifiedProperties{}.Name
          
            ModifiedProperties{}.NewValue
          
            ModifiedProperties{}.OldValue
          
            ObjectId
          
            Operation
          
            OrganizationId
          
            RecordType
          
            ResultStatus
          
            SupportTicketId
          
            TargetContextId
          
            Target{}.ID
          
            Target{}.Type
          
            UserId
          
            UserKey
          
            UserType
          
            Version
          
            Workload
          
            action
          
            additionalDetails
          
            app
          
            authentication_service
          
            change_type
          
            command
          
            dataset_name
          
            date_hour
          
            date_mday
          
            date_minute
          
            date_month
          
            date_second
          
            date_wday
          
            date_year
          
            date_zone
          
            dest
          
            dest_name
          
            dvc
          
            event_type
          
            eventtype
          
            extendedAuditEventCategory
          
            host
          
            index
          
            linecount
          
            object_attrs
          
            object_category
          
            punct
          
            record_type
          
            signature
          
            source
          
            sourcetype
          
            splunk_server
          
            src_user
          
            status
          
            tag
          
            tag::eventtype
          
            timeendpos
          
            timestartpos
          
            user
          
            user_agent
          
            user_agent_change
          
            user_id
          
            user_type
          
            vendor_account
          
            vendor_product
          
            
          
...
not set
{"CreationTime": "2024-02-07T22:31:14", "Id": "f624ed92-b4a2-4d42-aa8b-20a261d06b7f", "Operation": "Add service principal.", "OrganizationId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@splunkresearch.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "e06366ca-8489-4748-b6a2-d7e4332f45c1", "UserId": "user30@splunkresearch.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36\",\"AppId\":\"e06366ca-8489-4748-b6a2-d7e4332f45c1\"}"}, {"Name": "extendedAuditEventCategory", "Value": "ServicePrincipal"}], "ModifiedProperties": [{"Name": "AccountEnabled", "NewValue": "[\r\n  true\r\n]", "OldValue": "[]"}, {"Name": "AppPrincipalId", "NewValue": "[\r\n  \"e06366ca-8489-4748-b6a2-d7e4332f45c1\"\r\n]", "OldValue": "[]"}, {"Name": "DisplayName", "NewValue": "[\r\n  \"Malicious11\"\r\n]", "OldValue": "[]"}, {"Name": "ServicePrincipalName", "NewValue": "[\r\n  \"e06366ca-8489-4748-b6a2-d7e4332f45c1\"\r\n]", "OldValue": "[]"}, {"Name": "Credential", "NewValue": "[\r\n  {\r\n    \"CredentialType\": 2,\r\n    \"KeyStoreId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\",\r\n    \"KeyGroupId\": \"291154f0-a9f5-45bb-87be-9c8ee5b6d62c\"\r\n  }\r\n]", "OldValue": "[]"}, {"Name": "Included Updated Properties", "NewValue": "AccountEnabled, AppPrincipalId, DisplayName, ServicePrincipalName, Credential", "OldValue": ""}, {"Name": "TargetId.ServicePrincipalNames", "NewValue": "e06366ca-8489-4748-b6a2-d7e4332f45c1", "OldValue": ""}], "Actor": [{"ID": "user30@splunkresearch.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": 
"e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4", "InterSystemsId": "ea473f15-64b3-435a-a885-6ee3908919e2", "IntraSystemId": "00000000-0000-0000-0000-000000000000", "SupportTicketId": "", "Target": [{"ID": "ServicePrincipal_2dedf863-ac93-4f45-87b3-e32f48145380", "Type": 2}, {"ID": "2dedf863-ac93-4f45-87b3-e32f48145380", "Type": 2}, {"ID": "ServicePrincipal", "Type": 2}, {"ID": "Malicious11", "Type": 1}, {"ID": "e06366ca-8489-4748-b6a2-d7e4332f45c1", "Type": 2}, {"ID": "e06366ca-8489-4748-b6a2-d7e4332f45c1", "Type": 4}], "TargetContextId": "75243ab2-44f8-435c-a7a6-b479385df6d4"}
