Data Source: Azure Active Directory Add unverified domain

Description

Logs the addition of an unverified domain to Azure Active Directory, including details about the domain name and the user or process performing the action.

Details

Property Value
Source Azure AD
Sourcetype azure:monitor:aad
Separator operationName

Supported Apps

Event Fields

+ Fields
  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">Level</span>
  
  <span class="pill kill-chain">callerIpAddress</span>
  
  <span class="pill kill-chain">category</span>
  
  <span class="pill kill-chain">correlationId</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">durationMs</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">operationName</span>
  
  <span class="pill kill-chain">operationVersion</span>
  
  <span class="pill kill-chain">properties.activityDateTime</span>
  
  <span class="pill kill-chain">properties.activityDisplayName</span>
  
  <span class="pill kill-chain">properties.additionalDetails{}.key</span>
  
  <span class="pill kill-chain">properties.additionalDetails{}.value</span>
  
  <span class="pill kill-chain">properties.category</span>
  
  <span class="pill kill-chain">properties.correlationId</span>
  
  <span class="pill kill-chain">properties.id</span>
  
  <span class="pill kill-chain">properties.initiatedBy.user.displayName</span>
  
  <span class="pill kill-chain">properties.initiatedBy.user.id</span>
  
  <span class="pill kill-chain">properties.initiatedBy.user.ipAddress</span>
  
  <span class="pill kill-chain">properties.initiatedBy.user.userPrincipalName</span>
  
  <span class="pill kill-chain">properties.loggedByService</span>
  
  <span class="pill kill-chain">properties.operationType</span>
  
  <span class="pill kill-chain">properties.result</span>
  
  <span class="pill kill-chain">properties.resultReason</span>
  
  <span class="pill kill-chain">properties.targetResources{}.displayName</span>
  
  <span class="pill kill-chain">properties.targetResources{}.id</span>
  
  <span class="pill kill-chain">properties.targetResources{}.modifiedProperties{}.displayName</span>
  
  <span class="pill kill-chain">properties.targetResources{}.modifiedProperties{}.newValue</span>
  
  <span class="pill kill-chain">properties.targetResources{}.modifiedProperties{}.oldValue</span>
  
  <span class="pill kill-chain">properties.userAgent</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">resourceId</span>
  
  <span class="pill kill-chain">resultSignature</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">tenantId</span>
  
  <span class="pill kill-chain">time</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
</div>

Example Log

1{"time": "2023-07-26T13:45:54.1582053Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add unverified domain", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "2601:646:a000:200:6419:f55c:946d:17d1", "correlationId": "bdab88f3-69a4-4e66-883d-5b1e1558e61b", "Level": 4, "properties": {"id": "Directory_bdab88f3-69a4-4e66-883d-5b1e1558e61b_311NT_82497138", "category": "DirectoryManagement", "correlationId": "bdab88f3-69a4-4e66-883d-5b1e1558e61b", "result": "success", "resultReason": "", "activityDisplayName": "Add unverified domain", "activityDateTime": "2023-07-26T13:45:54.1582053+00:00", "loggedByService": "Core Directory", "operationType": "Add", "userAgent": null, "initiatedBy": {"user": {"id": "728989f4-eb3d-45c2-8741-2f2af4e485ce", "displayName": null, "userPrincipalName": "tommyr@splunkresearch.com", "ipAddress": "2601:646:a000:200:6419:f55c:946d:17d1", "roles": []}}, "targetResources": [{"id": null, "displayName": "newdomain.com", "modifiedProperties": [{"displayName": "Name", "oldValue": "[\"\"]", "newValue": "[\"newdomain.com\"]"}, {"displayName": "LiveType", "oldValue": "[\"None\"]", "newValue": "[\"Managed\"]"}, {"displayName": "Included Updated Properties", "oldValue": null, "newValue": "\"Name,LiveType\""}], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36"}]}}

Source: GitHub | Version: 2