Data Source: Azure Active Directory Add unverified domain

Date: 2025-01-23

ID: d4c01fb1-3b88-46d3-bd12-9b9e256450f7

Author: Patrick Bareiss, Splunk

Description

Logs the addition of an unverified domain to Azure Active Directory, including details about the domain name and the user or process performing the action.

Details

Property	Value
Source	`Azure AD`
Sourcetype	`azure:monitor:aad`
Separator	operationName

Supported Apps

Splunk Add-on for Microsoft Cloud Services (version 5.4.3)

Event Fields

+ Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">Level</span>
  
  <span class="pill kill-chain">callerIpAddress</span>
  
  <span class="pill kill-chain">category</span>
  
  <span class="pill kill-chain">correlationId</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">durationMs</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">operationName</span>
  
  <span class="pill kill-chain">operationVersion</span>
  
  <span class="pill kill-chain">properties.activityDateTime</span>
  
  <span class="pill kill-chain">properties.activityDisplayName</span>
  
  <span class="pill kill-chain">properties.additionalDetails{}.key</span>
  
  <span class="pill kill-chain">properties.additionalDetails{}.value</span>
  
  <span class="pill kill-chain">properties.category</span>
  
  <span class="pill kill-chain">properties.correlationId</span>
  
  <span class="pill kill-chain">properties.id</span>
  
  <span class="pill kill-chain">properties.initiatedBy.user.displayName</span>
  
  <span class="pill kill-chain">properties.initiatedBy.user.id</span>
  
  <span class="pill kill-chain">properties.initiatedBy.user.ipAddress</span>
  
  <span class="pill kill-chain">properties.initiatedBy.user.userPrincipalName</span>
  
  <span class="pill kill-chain">properties.loggedByService</span>
  
  <span class="pill kill-chain">properties.operationType</span>
  
  <span class="pill kill-chain">properties.result</span>
  
  <span class="pill kill-chain">properties.resultReason</span>
  
  <span class="pill kill-chain">properties.targetResources{}.displayName</span>
  
  <span class="pill kill-chain">properties.targetResources{}.id</span>
  
  <span class="pill kill-chain">properties.targetResources{}.modifiedProperties{}.displayName</span>
  
  <span class="pill kill-chain">properties.targetResources{}.modifiedProperties{}.newValue</span>
  
  <span class="pill kill-chain">properties.targetResources{}.modifiedProperties{}.oldValue</span>
  
  <span class="pill kill-chain">properties.userAgent</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">resourceId</span>
  
  <span class="pill kill-chain">resultSignature</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">tenantId</span>
  
  <span class="pill kill-chain">time</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
</div>

Example Log

1{"time": "2023-07-26T13:45:54.1582053Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add unverified domain", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "2601:646:a000:200:6419:f55c:946d:17d1", "correlationId": "bdab88f3-69a4-4e66-883d-5b1e1558e61b", "Level": 4, "properties": {"id": "Directory_bdab88f3-69a4-4e66-883d-5b1e1558e61b_311NT_82497138", "category": "DirectoryManagement", "correlationId": "bdab88f3-69a4-4e66-883d-5b1e1558e61b", "result": "success", "resultReason": "", "activityDisplayName": "Add unverified domain", "activityDateTime": "2023-07-26T13:45:54.1582053+00:00", "loggedByService": "Core Directory", "operationType": "Add", "userAgent": null, "initiatedBy": {"user": {"id": "728989f4-eb3d-45c2-8741-2f2af4e485ce", "displayName": null, "userPrincipalName": "tommyr@splunkresearch.com", "ipAddress": "2601:646:a000:200:6419:f55c:946d:17d1", "roles": []}}, "targetResources": [{"id": null, "displayName": "newdomain.com", "modifiedProperties": [{"displayName": "Name", "oldValue": "[\"\"]", "newValue": "[\"newdomain.com\"]"}, {"displayName": "LiveType", "oldValue": "[\"None\"]", "newValue": "[\"Managed\"]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"Name,LiveType\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"}]}}

Source: GitHub | Version: 2