Data Source: Azure Active Directory Add owner to application

Date: 2024-07-18

ID: e895ed56-7be4-4b3a-b782-ecd0f594ec4c

Author: Patrick Bareiss, Splunk

Description

Data source object for Azure Active Directory Add owner to application

Details

Property	Value
Source	`Azure AD`
Sourcetype	`azure:monitor:aad`
Separator	operationName

Supported Apps

Splunk Add-on for Microsoft Cloud Services (version 5.4.0)

Event Fields

+ Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">Level</span>
  
  <span class="pill kill-chain">callerIpAddress</span>
  
  <span class="pill kill-chain">category</span>
  
  <span class="pill kill-chain">correlationId</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">durationMs</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">operationName</span>
  
  <span class="pill kill-chain">operationVersion</span>
  
  <span class="pill kill-chain">properties.activityDateTime</span>
  
  <span class="pill kill-chain">properties.activityDisplayName</span>
  
  <span class="pill kill-chain">properties.additionalDetails{}.key</span>
  
  <span class="pill kill-chain">properties.additionalDetails{}.value</span>
  
  <span class="pill kill-chain">properties.category</span>
  
  <span class="pill kill-chain">properties.correlationId</span>
  
  <span class="pill kill-chain">properties.id</span>
  
  <span class="pill kill-chain">properties.initiatedBy.user.displayName</span>
  
  <span class="pill kill-chain">properties.initiatedBy.user.id</span>
  
  <span class="pill kill-chain">properties.initiatedBy.user.ipAddress</span>
  
  <span class="pill kill-chain">properties.initiatedBy.user.userPrincipalName</span>
  
  <span class="pill kill-chain">properties.loggedByService</span>
  
  <span class="pill kill-chain">properties.operationType</span>
  
  <span class="pill kill-chain">properties.result</span>
  
  <span class="pill kill-chain">properties.resultReason</span>
  
  <span class="pill kill-chain">properties.targetResources{}.displayName</span>
  
  <span class="pill kill-chain">properties.targetResources{}.id</span>
  
  <span class="pill kill-chain">properties.targetResources{}.modifiedProperties{}.displayName</span>
  
  <span class="pill kill-chain">properties.targetResources{}.modifiedProperties{}.newValue</span>
  
  <span class="pill kill-chain">properties.targetResources{}.modifiedProperties{}.oldValue</span>
  
  <span class="pill kill-chain">properties.targetResources{}.type</span>
  
  <span class="pill kill-chain">properties.targetResources{}.userPrincipalName</span>
  
  <span class="pill kill-chain">properties.userAgent</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">resourceId</span>
  
  <span class="pill kill-chain">resultSignature</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">tenantId</span>
  
  <span class="pill kill-chain">time</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
</div>

Example Log

1{"time": "2023-06-20T15:54:13.2420879Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add owner to application", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "20.190.135.43", "correlationId": "231de5d4-2156-433a-8163-48956bdaa040", "Level": 4, "properties": {"id": "Directory_231de5d4-2156-433a-8163-48956bdaa040_C21RW_365283677", "category": "ApplicationManagement", "correlationId": "231de5d4-2156-433a-8163-48956bdaa040", "result": "success", "resultReason": "", "activityDisplayName": "Add owner to application", "activityDateTime": "2023-06-20T15:54:13.2420879+00:00", "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"user": {"id": "4d3f1865-b395-4430-91dc-1b9dd337712e", "displayName": null, "userPrincipalName": "globaladmin@splunkresearch.com", "ipAddress": "20.190.135.43", "roles": []}}, "targetResources": [{"id": "dd92f1af-43d7-47d9-b93c-a78c6b635180", "displayName": null, "type": "User", "userPrincipalName": "Abigail.Clark@splunkresearch.com", "modifiedProperties": [{"displayName": "Application.ObjectID", "oldValue": null, "newValue": "\"bb2479d8-5e89-4480-bb7e-3178d5a5d469\""}, {"displayName": "Application.DisplayName", "oldValue": null, "newValue": "\"CloudForge\""}, {"displayName": "Application.AppId", "oldValue": null, "newValue": "\"f0748f3d-45f2-4e2e-a4e1-f2e2b5271bdf\""}], "administrativeUnits": []}, {"id": "bb2479d8-5e89-4480-bb7e-3178d5a5d469", "displayName": null, "type": "Application", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Darwin 22.4.0 Darwin Kernel Version 22.4.0: Mon Mar  6 21:00:17 PST 2023; root:xnu-8796.101.5~3/RELEASE_X86_64; en-US) PowerShell/7.3.4"}]}}

Source: GitHub | Version: 1