<span class="pill kill-chain">_time</span>
<span class="pill kill-chain">ActorContextId</span>
<span class="pill kill-chain">Actor{}.ID</span>
<span class="pill kill-chain">Actor{}.Type</span>
<span class="pill kill-chain">AzureActiveDirectoryEventType</span>
<span class="pill kill-chain">CreationTime</span>
<span class="pill kill-chain">ExtendedProperties{}.Name</span>
<span class="pill kill-chain">ExtendedProperties{}.Value</span>
<span class="pill kill-chain">Id</span>
<span class="pill kill-chain">InterSystemsId</span>
<span class="pill kill-chain">IntraSystemId</span>
<span class="pill kill-chain">ModifiedProperties{}.Name</span>
<span class="pill kill-chain">ModifiedProperties{}.NewValue</span>
<span class="pill kill-chain">ModifiedProperties{}.OldValue</span>
<span class="pill kill-chain">ObjectId</span>
<span class="pill kill-chain">Operation</span>
<span class="pill kill-chain">OrganizationId</span>
<span class="pill kill-chain">RecordType</span>
<span class="pill kill-chain">ResultStatus</span>
<span class="pill kill-chain">SupportTicketId</span>
<span class="pill kill-chain">TargetContextId</span>
<span class="pill kill-chain">Target{}.ID</span>
<span class="pill kill-chain">Target{}.Type</span>
<span class="pill kill-chain">UserId</span>
<span class="pill kill-chain">UserKey</span>
<span class="pill kill-chain">UserType</span>
<span class="pill kill-chain">Version</span>
<span class="pill kill-chain">Workload</span>
<span class="pill kill-chain">action</span>
<span class="pill kill-chain">additionalDetails</span>
<span class="pill kill-chain">app</span>
<span class="pill kill-chain">authentication_service</span>
<span class="pill kill-chain">change_type</span>
<span class="pill kill-chain">command</span>
<span class="pill kill-chain">dataset_name</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">dest</span>
<span class="pill kill-chain">dest_name</span>
<span class="pill kill-chain">dvc</span>
<span class="pill kill-chain">event_type</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">extendedAuditEventCategory</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">object</span>
<span class="pill kill-chain">object_attrs</span>
<span class="pill kill-chain">object_category</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">record_type</span>
<span class="pill kill-chain">signature</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">status</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestartpos</span>
<span class="pill kill-chain">user</span>
<span class="pill kill-chain">user_agent</span>
<span class="pill kill-chain">user_agent_change</span>
<span class="pill kill-chain">user_id</span>
<span class="pill kill-chain">user_type</span>
<span class="pill kill-chain">vendor_account</span>
<span class="pill kill-chain">vendor_product</span>
</div>
Data Source: O365 Add owner to application.
Description
Logs the addition of an owner to an application in Microsoft 365, including details about the application, the new owner, and the user or administrator performing the action.
Details
Property | Value |
---|---|
Source | o365 |
Sourcetype | o365:management:activity |
Separator | Operation |
Supported Apps
- Splunk Add-on for Microsoft Office 365 (version 4.8.0)
Event Fields
Example Log
{"CreationTime": "2023-09-07T13:42:04", "Id": "6e2c723b-8f6e-47f4-8c60-fa23ef3fccee", "Operation": "Add owner to application.", "OrganizationId": "48203edf-5d2c-45f2-8123-a368cc8b0e51", "RecordType": 8, "ResultStatus": "Success", "UserKey": "1003BFFD98415B4E@contoso.onmicrosoft.com", "UserType": 0, "Version": 1, "Workload": "AzureActiveDirectory", "ObjectId": "user2@contoso.onmicrosoft.com", "UserId": "user@contoso.onmicrosoft.com", "AzureActiveDirectoryEventType": 1, "ExtendedProperties": [{"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\"}"}, {"Name": "extendedAuditEventCategory", "Value": "Application"}], "ModifiedProperties": [{"Name": "Application.ObjectID", "NewValue": "a2d68f8b-ab9f-47ac-934f-b966c3ac134f", "OldValue": ""}, {"Name": "Application.DisplayName", "NewValue": "TestApp2", "OldValue": ""}, {"Name": "Application.AppId", "NewValue": "95106c0e-3519-450e-8e38-7f326d873454", "OldValue": ""}], "Actor": [{"ID": "user@contoso.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}, {"ID": "18ed3507-a475-4ccb-b669-d66bc9f2a36e", "Type": 2}, {"ID": "User_e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "e4c722ac-3b83-478d-8f52-c388885dc30f", "Type": 2}, {"ID": "User", "Type": 2}], "ActorContextId": "48203edf-5d2c-45f2-8123-a368cc8b0e51", "InterSystemsId": "3f6a58c5-2fba-401d-b137-82b860830213", "IntraSystemId": "e8034ddc-0ca3-4aca-996c-1dc6dee48679", "SupportTicketId": "", "Target": [{"ID": "User_57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "Type": 2}, {"ID": "User", "Type": 2}, {"ID": "user2@contoso.onmicrosoft.com", "Type": 5}, {"ID": "10032002CC029AE9", "Type": 3}], "TargetContextId": "48203edf-5d2c-45f2-8123-a368cc8b0e51"}
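The Python below is an added example, not code from this page or from the Splunk add-on; it flattens an event like the one above into who acted, who became owner, and on which application. It assumes, based only on the sample, that the `Type` 5 entry in `Actor` and `Target` holds the UPN; the function and output key names are hypothetical, and the embedded event is a trimmed copy of the example log with the User-Agent shortened.

```python
import json

# Constructed input: trimmed copy of the page's example log (User-Agent shortened).
SAMPLE = json.dumps({
    "CreationTime": "2023-09-07T13:42:04",
    "Operation": "Add owner to application.",
    "ResultStatus": "Success",
    "UserId": "user@contoso.onmicrosoft.com",
    "ObjectId": "user2@contoso.onmicrosoft.com",
    "ExtendedProperties": [
        {"Name": "additionalDetails", "Value": "{\"User-Agent\":\"Mozilla/5.0\"}"},
        {"Name": "extendedAuditEventCategory", "Value": "Application"}],
    "ModifiedProperties": [
        {"Name": "Application.DisplayName", "NewValue": "TestApp2", "OldValue": ""},
        {"Name": "Application.AppId", "NewValue": "95106c0e-3519-450e-8e38-7f326d873454", "OldValue": ""}],
    "Actor": [{"ID": "user@contoso.onmicrosoft.com", "Type": 5}, {"ID": "1003BFFD98415B4E", "Type": 3}],
    "Target": [{"ID": "User", "Type": 2}, {"ID": "user2@contoso.onmicrosoft.com", "Type": 5}],
})

UPN_TYPE = 5  # assumption from the sample: the Type 5 entry carries the UPN

def _upn(entries):
    """Return the first ID whose Type marks it as a UPN, else None."""
    return next((e.get("ID") for e in entries or [] if e.get("Type") == UPN_TYPE), None)

def _pairs(items, value_key):
    """Turn a [{"Name": ..., value_key: ...}, ...] list into a dict."""
    return {i.get("Name"): i.get(value_key) for i in items or []}

def summarize_owner_add(raw):
    """Flatten one 'Add owner to application.' event; None for other operations."""
    event = json.loads(raw)
    if event.get("Operation") != "Add owner to application.":
        return None
    modified = _pairs(event.get("ModifiedProperties"), "NewValue")
    extended = _pairs(event.get("ExtendedProperties"), "Value")
    try:  # additionalDetails is JSON nested inside a string; tolerate bad input
        details = json.loads(extended.get("additionalDetails") or "{}")
    except json.JSONDecodeError:
        details = {}
    return {
        "time": event.get("CreationTime"),
        "actor": _upn(event.get("Actor")) or event.get("UserId"),
        "new_owner": _upn(event.get("Target")) or event.get("ObjectId"),
        "app_name": modified.get("Application.DisplayName"),
        "app_id": modified.get("Application.AppId"),
        "user_agent": details.get("User-Agent") if isinstance(details, dict) else None,
        "status": event.get("ResultStatus"),
    }
```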
Source: GitHub | Version: 2