Data Source: Azure Active Directory Add unverified domain

Description

Logs the addition of an unverified domain to Azure Active Directory, including details about the domain name and the user or process performing the action.

Details

| Property | Value |
|---|---|
| Source | Azure AD |
| Sourcetype | azure:monitor:aad |
| Separator | operationName |

Supported Apps

- Splunk Add-on for Microsoft Cloud Services (version 5.4.3)

Event Fields

- `_time`
- `Level`
- `callerIpAddress`
- `category`
- `correlationId`
- `date_hour`
- `date_mday`
- `date_minute`
- `date_month`
- `date_second`
- `date_wday`
- `date_year`
- `date_zone`
- `durationMs`
- `host`
- `index`
- `linecount`
- `operationName`
- `operationVersion`
- `properties.activityDateTime`
- `properties.activityDisplayName`
- `properties.additionalDetails{}.key`
- `properties.additionalDetails{}.value`
- `properties.category`
- `properties.correlationId`
- `properties.id`
- `properties.initiatedBy.user.displayName`
- `properties.initiatedBy.user.id`
- `properties.initiatedBy.user.ipAddress`
- `properties.initiatedBy.user.userPrincipalName`
- `properties.loggedByService`
- `properties.operationType`
- `properties.result`
- `properties.resultReason`
- `properties.targetResources{}.displayName`
- `properties.targetResources{}.id`
- `properties.targetResources{}.modifiedProperties{}.displayName`
- `properties.targetResources{}.modifiedProperties{}.newValue`
- `properties.targetResources{}.modifiedProperties{}.oldValue`
- `properties.userAgent`
- `punct`
- `resourceId`
- `resultSignature`
- `source`
- `sourcetype`
- `splunk_server`
- `tenantId`
- `time`
- `timeendpos`
- `timestartpos`
Example Log

```json
{"time": "2023-07-26T13:45:54.1582053Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add unverified domain", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "2601:646:a000:200:6419:f55c:946d:17d1", "correlationId": "bdab88f3-69a4-4e66-883d-5b1e1558e61b", "Level": 4, "properties": {"id": "Directory_bdab88f3-69a4-4e66-883d-5b1e1558e61b_311NT_82497138", "category": "DirectoryManagement", "correlationId": "bdab88f3-69a4-4e66-883d-5b1e1558e61b", "result": "success", "resultReason": "", "activityDisplayName": "Add unverified domain", "activityDateTime": "2023-07-26T13:45:54.1582053+00:00", "loggedByService": "Core Directory", "operationType": "Add", "userAgent": null, "initiatedBy": {"user": {"id": "728989f4-eb3d-45c2-8741-2f2af4e485ce", "displayName": null, "userPrincipalName": "tommyr@splunkresearch.com", "ipAddress": "2601:646:a000:200:6419:f55c:946d:17d1", "roles": []}}, "targetResources": [{"id": null, "displayName": "newdomain.com", "modifiedProperties": [{"displayName": "Name", "oldValue": "[\"\"]", "newValue": "[\"newdomain.com\"]"}, {"displayName": "LiveType", "oldValue": "[\"None\"]", "newValue": "[\"Managed\"]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"Name,LiveType\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"}]}}
```
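As an added example (not code from this page or from Splunk), the Python below parses the example event above, matches on the separator field `operationName` plus a successful result, and pulls out the fields an analyst would triage first; the function names are this example's own. It also handles the quirk that `modifiedProperties` old/new values are JSON encoded a second time inside the JSON string (`"[\"newdomain.com\"]"`).

```python
import json

# Verbatim copy of this page's example log (one JSON event per line, as ingested).
EXAMPLE_LOG = r"""{"time": "2023-07-26T13:45:54.1582053Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add unverified domain", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "2601:646:a000:200:6419:f55c:946d:17d1", "correlationId": "bdab88f3-69a4-4e66-883d-5b1e1558e61b", "Level": 4, "properties": {"id": "Directory_bdab88f3-69a4-4e66-883d-5b1e1558e61b_311NT_82497138", "category": "DirectoryManagement", "correlationId": "bdab88f3-69a4-4e66-883d-5b1e1558e61b", "result": "success", "resultReason": "", "activityDisplayName": "Add unverified domain", "activityDateTime": "2023-07-26T13:45:54.1582053+00:00", "loggedByService": "Core Directory", "operationType": "Add", "userAgent": null, "initiatedBy": {"user": {"id": "728989f4-eb3d-45c2-8741-2f2af4e485ce", "displayName": null, "userPrincipalName": "tommyr@splunkresearch.com", "ipAddress": "2601:646:a000:200:6419:f55c:946d:17d1", "roles": []}}, "targetResources": [{"id": null, "displayName": "newdomain.com", "modifiedProperties": [{"displayName": "Name", "oldValue": "[\"\"]", "newValue": "[\"newdomain.com\"]"}, {"displayName": "LiveType", "oldValue": "[\"None\"]", "newValue": "[\"Managed\"]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"Name,LiveType\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"}]}}"""

def decode_modified_value(raw):
    """modifiedProperties old/newValue are JSON encoded *inside* the JSON string
    (e.g. '["newdomain.com"]'), so decode again and unwrap single-item lists."""
    if raw is None:
        return None
    try:
        decoded = json.loads(raw)
    except json.JSONDecodeError:
        return raw
    return decoded[0] if isinstance(decoded, list) and len(decoded) == 1 else decoded

def is_unverified_domain_add(event):
    """Match on the separator field operationName plus a successful result."""
    props = event.get("properties") or {}
    return (event.get("operationName") == "Add unverified domain"
            and event.get("category") == "AuditLogs"
            and props.get("result") == "success")

def summarize(event):
    """Pull the fields an analyst triages first: who, from where, which domain."""
    props = event.get("properties") or {}
    actor = (props.get("initiatedBy") or {}).get("user") or {}
    details = {d.get("key"): d.get("value") for d in props.get("additionalDetails") or []}
    target = (props.get("targetResources") or [{}])[0]
    modified = {m.get("displayName"): decode_modified_value(m.get("newValue"))
                for m in target.get("modifiedProperties") or []}
    return {
        "time": event.get("time"),
        "actor_upn": actor.get("userPrincipalName"),
        "actor_ip": event.get("callerIpAddress") or actor.get("ipAddress"),
        "domain": modified.get("Name") or target.get("displayName"),
        "live_type": modified.get("LiveType"),
        # properties.userAgent is null in this event; the UA is in additionalDetails.
        "user_agent": props.get("userAgent") or details.get("User-Agent"),
        "correlation_id": event.get("correlationId"),
    }

def parse_event(line):
    """Return a triage summary for a matching raw event line, else None."""
    event = json.loads(line)
    return summarize(event) if is_unverified_domain_add(event) else None

if __name__ == "__main__":
    print(json.dumps(parse_event(EXAMPLE_LOG), indent=2))
```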
Source: GitHub | Version: 2