Data Source: Azure Active Directory User registered security info

Description

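Data source object for the Azure Active Directory audit log event "User registered security info". In the example log below, the event is logged by the Authentication Methods service with operationType `Add` and records a user registering an App Password. The `properties.initiatedBy.user.*` fields identify the account that performed the registration, and the `properties.targetResources{}.*` fields identify the account the method was registered on; in the example they are the same user.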

Details

Property Value
Source Azure AD
Sourcetype azure:monitor:aad
Separator operationName

Supported Apps

Event Fields

Fields:

- `_time`
- `Level`
- `callerIpAddress`
- `category`
- `correlationId`
- `date_hour`
- `date_mday`
- `date_minute`
- `date_month`
- `date_second`
- `date_wday`
- `date_year`
- `date_zone`
- `durationMs`
- `host`
- `index`
- `linecount`
- `operationName`
- `operationVersion`
- `properties.activityDateTime`
- `properties.activityDisplayName`
- `properties.category`
- `properties.correlationId`
- `properties.id`
- `properties.initiatedBy.user.displayName`
- `properties.initiatedBy.user.id`
- `properties.initiatedBy.user.ipAddress`
- `properties.initiatedBy.user.userPrincipalName`
- `properties.loggedByService`
- `properties.operationType`
- `properties.result`
- `properties.resultReason`
- `properties.targetResources{}.displayName`
- `properties.targetResources{}.id`
- `properties.targetResources{}.type`
- `properties.targetResources{}.userPrincipalName`
- `properties.userAgent`
- `punct`
- `resourceId`
- `resultDescription`
- `resultSignature`
- `source`
- `sourcetype`
- `splunk_server`
- `tenantId`
- `time`
- `timeendpos`
- `timestartpos`

Example Log

{"time": "2023-01-30T21:11:30.8690619Z", "resourceId": "/tenants/91da745f-8abb-4a7d-ba94-5667c6f9e01a/providers/Microsoft.aadiam", "operationName": "User registered security info", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "91da745f-8abb-4a7d-ba94-5667c6f9e01a", "resultSignature": "None", "resultDescription": "User registered App Password", "durationMs": 0, "callerIpAddress": "72.1.2.43", "correlationId": "14279c94-7ebc-409f-be4e-7861f13c8a79", "Level": 4, "properties": {"id": "IAMUX_14279c94-7ebc-409f-be4e-7861f13c8a79_K2ATV_323947358", "category": "UserManagement", "correlationId": "14279c94-7ebc-409f-be4e-7861f13c8a79", "result": "success", "resultReason": "User registered App Password", "activityDisplayName": "User registered security info", "activityDateTime": "2023-01-30T21:11:30.8690619+00:00", "loggedByService": "Authentication Methods", "operationType": "Add", "userAgent": null, "initiatedBy": {"user": {"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": null, "userPrincipalName": "User30@splunkresearch.com", "ipAddress": "72.1.2.43", "roles": []}}, "targetResources": [{"id": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "displayName": "User30", "type": "User", "userPrincipalName": "User30@splunkresearch.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": []}}

Source: GitHub | Version: 1