Data Source: Azure Active Directory Invite external user

Date: 2025-01-23

ID: d3818bd5-f283-4518-8b67-df19240c3e40

Author: Patrick Bareiss, Splunk

Description

Logs an event when an external user is invited to join an Azure Active Directory tenant.

Details

Property	Value
Source	`Azure AD`
Sourcetype	`azure:monitor:aad`
Separator	operationName

Supported Apps

Splunk Add-on for Microsoft Cloud Services (version 5.5.0)

Event Fields

+ Fields


            1
            _time
          
            3
            Level
          
            5
            callerIpAddress
          
            7
            category
          
            9
            correlationId
          
            11
            date_hour
          
            13
            date_mday
          
            15
            date_minute
          
            17
            date_month
          
            19
            date_second
          
            21
            date_wday
          
            23
            date_year
          
            25
            date_zone
          
            27
            durationMs
          
            29
            host
          
            31
            index
          
            33
            linecount
          
            35
            operationName
          
            37
            operationVersion
          
            39
            properties.activityDateTime
          
            41
            properties.activityDisplayName
          
            43
            properties.additionalDetails{}.key
          
            45
            properties.additionalDetails{}.value
          
            47
            properties.category
          
            49
            properties.correlationId
          
            51
            properties.id
          
            53
            properties.initiatedBy.user.displayName
          
            55
            properties.initiatedBy.user.id
          
            57
            properties.initiatedBy.user.ipAddress
          
            59
            properties.initiatedBy.user.userPrincipalName
          
            61
            properties.loggedByService
          
            63
            properties.operationType
          
            65
            properties.result
          
            67
            properties.resultReason
          
            69
            properties.targetResources{}.displayName
          
            71
            properties.targetResources{}.id
          
            73
            properties.targetResources{}.type
          
            75
            properties.targetResources{}.userPrincipalName
          
            77
            properties.userAgent
          
            79
            punct
          
            81
            resourceId
          
            83
            resultSignature
          
            85
            source
          
            87
            sourcetype
          
            89
            splunk_server
          
            91
            tenantId
          
            93
            time
          
            95
            timeendpos
          
            97
            timestartpos
          
            99

...

not set

Example Log

1{"time": "2023-07-13T00:29:59.5100003Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Invite external user", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "40.126.4.40", "correlationId": "e7d580a6-eaac-4f82-843c-40b0b5f3cf99", "Level": 4, "properties": {"id": "Invited Users_e7d580a6-eaac-4f82-843c-40b0b5f3cf99_YNUMP_7291793", "category": "UserManagement", "correlationId": "e7d580a6-eaac-4f82-843c-40b0b5f3cf99", "result": "success", "resultReason": null, "activityDisplayName": "Invite external user", "activityDateTime": "2023-07-13T00:29:59.5100003+00:00", "loggedByService": "Invited Users", "operationType": "Add", "userAgent": null, "initiatedBy": {"user": {"id": "728989f4-eb3d-45c2-8741-2f2af4e485ce", "displayName": null, "userPrincipalName": "oopsr@splunkresearch.com", "ipAddress": "40.126.4.40", "roles": []}}, "targetResources": [{"id": "f416526a-17ee-4129-8ca9-f5ee55f69f34", "displayName": "oops", "type": "User", "userPrincipalName": "oops360_gmail.com#EXT#@strtadminsplunkresearch.onmicrosoft.com", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "oid", "value": "728989f4-eb3d-45c2-8741-2f2af4e485ce"}, {"key": "tid", "value": "fc69e276-e9e8-4af9-9002-1e410d77244e"}, {"key": "ipaddr", "value": "2601:646:a000:200:c4db:f288:7e28:21b3"}, {"key": "wids", "value": "62e90394-69f5-4237-9190-012177145e10"}, {"key": "InvitationId", "value": "65c7d12f-c6f3-44f0-8fad-4f57a1020484"}, {"key": "invitedUserEmailAddress", "value": "oops360@gmail.com"}]}}

Source: GitHub | Version: 2