- `_time`
- `Level`
- `callerIpAddress`
- `category`
- `correlationId`
- `date_hour`
- `date_mday`
- `date_minute`
- `date_month`
- `date_second`
- `date_wday`
- `date_year`
- `date_zone`
- `durationMs`
- `eventtype`
- `host`
- `index`
- `linecount`
- `operationName`
- `operationVersion`
- `properties.activityDateTime`
- `properties.activityDisplayName`
- `properties.additionalDetails{}.key`
- `properties.additionalDetails{}.value`
- `properties.category`
- `properties.correlationId`
- `properties.id`
- `properties.initiatedBy.user.displayName`
- `properties.initiatedBy.user.id`
- `properties.initiatedBy.user.ipAddress`
- `properties.initiatedBy.user.userPrincipalName`
- `properties.loggedByService`
- `properties.operationType`
- `properties.result`
- `properties.resultReason`
- `properties.targetResources{}.displayName`
- `properties.targetResources{}.id`
- `properties.targetResources{}.modifiedProperties{}.displayName`
- `properties.targetResources{}.modifiedProperties{}.newValue`
- `properties.targetResources{}.modifiedProperties{}.oldValue`
- `properties.targetResources{}.type`
- `properties.targetResources{}.userPrincipalName`
- `properties.userAgent`
- `punct`
- `resourceId`
- `resultSignature`
- `source`
- `sourcetype`
- `splunk_server`
- `tag`
- `tag::eventtype`
- `tenantId`
- `time`
- `timeendpos`
- `timestartpos`
Data Source: Azure Active Directory Add owner to application
Description
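Logs the addition of an owner to an application in Azure Active Directory. The event identifies the user or process that performed the action (`properties.initiatedBy`), the owner added (in the example log, the `properties.targetResources` entry of type `User`), and the application (in the example log, the object ID, display name and app ID carried in that entry's `modifiedProperties`, plus a second `targetResources` entry of type `Application`). Application owners can manage the application's configuration, including its credentials, so these events are worth reviewing when the initiator or the new owner is unexpected. Note that in the example log `properties.userAgent` is null and the client user agent appears only in `properties.additionalDetails` under the `User-Agent` key.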
Details
Property | Value |
---|---|
Source | Azure AD |
Sourcetype | azure:monitor:aad |
Separator | operationName |
Supported Apps
- Splunk Add-on for Microsoft Cloud Services (version 5.4.3)
Event Fields
Example Log
{"time": "2023-06-20T15:54:13.2420879Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam", "operationName": "Add owner to application", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "20.190.135.43", "correlationId": "231de5d4-2156-433a-8163-48956bdaa040", "Level": 4, "properties": {"id": "Directory_231de5d4-2156-433a-8163-48956bdaa040_C21RW_365283677", "category": "ApplicationManagement", "correlationId": "231de5d4-2156-433a-8163-48956bdaa040", "result": "success", "resultReason": "", "activityDisplayName": "Add owner to application", "activityDateTime": "2023-06-20T15:54:13.2420879+00:00", "loggedByService": "Core Directory", "operationType": "Assign", "userAgent": null, "initiatedBy": {"user": {"id": "4d3f1865-b395-4430-91dc-1b9dd337712e", "displayName": null, "userPrincipalName": "globaladmin@splunkresearch.com", "ipAddress": "20.190.135.43", "roles": []}}, "targetResources": [{"id": "dd92f1af-43d7-47d9-b93c-a78c6b635180", "displayName": null, "type": "User", "userPrincipalName": "Abigail.Clark@splunkresearch.com", "modifiedProperties": [{"displayName": "Application.ObjectID", "oldValue": null, "newValue": "\"bb2479d8-5e89-4480-bb7e-3178d5a5d469\""}, {"displayName": "Application.DisplayName", "oldValue": null, "newValue": "\"CloudForge\""}, {"displayName": "Application.AppId", "oldValue": null, "newValue": "\"f0748f3d-45f2-4e2e-a4e1-f2e2b5271bdf\""}], "administrativeUnits": []}, {"id": "bb2479d8-5e89-4480-bb7e-3178d5a5d469", "displayName": null, "type": "Application", "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key": "User-Agent", "value": "Mozilla/5.0 (Macintosh; Darwin 22.4.0 Darwin Kernel Version 22.4.0: Mon Mar 6 21:00:17 PST 2023; root:xnu-8796.101.5~3/RELEASE_X86_64; en-US) PowerShell/7.3.4"}]}}
Source: GitHub | Version: 2