Data Source: Azure Active Directory Invite external user

Description

Logs an event when an external user is invited to join an Azure Active Directory tenant.

Details

Property Value
Source Azure AD
Sourcetype azure:monitor:aad
Separator operationName

Supported Apps

Event Fields

+ Fields
  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">Level</span>
  
  <span class="pill kill-chain">callerIpAddress</span>
  
  <span class="pill kill-chain">category</span>
  
  <span class="pill kill-chain">correlationId</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">durationMs</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">operationName</span>
  
  <span class="pill kill-chain">operationVersion</span>
  
  <span class="pill kill-chain">properties.activityDateTime</span>
  
  <span class="pill kill-chain">properties.activityDisplayName</span>
  
  <span class="pill kill-chain">properties.additionalDetails{}.key</span>
  
  <span class="pill kill-chain">properties.additionalDetails{}.value</span>
  
  <span class="pill kill-chain">properties.category</span>
  
  <span class="pill kill-chain">properties.correlationId</span>
  
  <span class="pill kill-chain">properties.id</span>
  
  <span class="pill kill-chain">properties.initiatedBy.user.displayName</span>
  
  <span class="pill kill-chain">properties.initiatedBy.user.id</span>
  
  <span class="pill kill-chain">properties.initiatedBy.user.ipAddress</span>
  
  <span class="pill kill-chain">properties.initiatedBy.user.userPrincipalName</span>
  
  <span class="pill kill-chain">properties.loggedByService</span>
  
  <span class="pill kill-chain">properties.operationType</span>
  
  <span class="pill kill-chain">properties.result</span>
  
  <span class="pill kill-chain">properties.resultReason</span>
  
  <span class="pill kill-chain">properties.targetResources{}.displayName</span>
  
  <span class="pill kill-chain">properties.targetResources{}.id</span>
  
  <span class="pill kill-chain">properties.targetResources{}.type</span>
  
  <span class="pill kill-chain">properties.targetResources{}.userPrincipalName</span>
  
  <span class="pill kill-chain">properties.userAgent</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">resourceId</span>
  
  <span class="pill kill-chain">resultSignature</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">tenantId</span>
  
  <span class="pill kill-chain">time</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
</div>

Example Log

1{"time": "2023-07-13T00:29:59.5100003Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Invite external user", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "40.126.4.40", "correlationId": "e7d580a6-eaac-4f82-843c-40b0b5f3cf99", "Level": 4, "properties": {"id": "Invited Users_e7d580a6-eaac-4f82-843c-40b0b5f3cf99_YNUMP_7291793", "category": "UserManagement", "correlationId": "e7d580a6-eaac-4f82-843c-40b0b5f3cf99", "result": "success", "resultReason": null, "activityDisplayName": "Invite external user", "activityDateTime": "2023-07-13T00:29:59.5100003+00:00", "loggedByService": "Invited Users", "operationType": "Add", "userAgent": null, "initiatedBy": {"user": {"id": "728989f4-eb3d-45c2-8741-2f2af4e485ce", "displayName": null, "userPrincipalName": "oopsr@splunkresearch.com", "ipAddress": "40.126.4.40", "roles": []}}, "targetResources": [{"id": "f416526a-17ee-4129-8ca9-f5ee55f69f34", "displayName": "oops", "type": "User", "userPrincipalName": "oops360_gmail.com#EXT#@strtadminsplunkresearch.onmicrosoft.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "oid", "value": "728989f4-eb3d-45c2-8741-2f2af4e485ce"}, {"key": "tid", "value": "fc69e276-e9e8-4af9-9002-1e410d77244e"}, {"key": "ipaddr", "value": "2601:646:a000:200:c4db:f288:7e28:21b3"}, {"key": "wids", "value": "62e90394-69f5-4237-9190-012177145e10"}, {"key": "InvitationId", "value": "65c7d12f-c6f3-44f0-8fad-4f57a1020484"}, {"key": "invitedUserEmailAddress", "value": "oops360@gmail.com"}]}}

Source: GitHub | Version: 2