Data Source: Azure Active Directory Sign-in activity

Description

Records an event each time a user attempts to sign in to Azure Active Directory, capturing the authentication details (method, client, location, risk state) and the outcome, including the failure reason when the sign-in is denied.

Details

Property Value
Source Azure AD
Sourcetype azure:monitor:aad
Separator operationName
Name Technique Type
Detect Distributed Password Spray Attempts Password Spraying Hunting
Azure AD Multiple Denied MFA Requests For User Multi-Factor Authentication Request Generation TTP
Azure AD Service Principal Authentication Cloud Accounts TTP
Azure AD User Consent Denied for OAuth Application Steal Application Access Token TTP
Azure AD Multiple Failed MFA Requests For User Cloud Accounts, Multi-Factor Authentication Request Generation TTP
Azure AD Multiple AppIDs and UserAgents Authentication Spike Valid Accounts Anomaly

Supported Apps

Event Fields

Fields

  • _time

  • Level

  • callerIpAddress

  • category

  • correlationId

  • date_hour

  • date_mday

  • date_minute

  • date_month

  • date_second

  • date_wday

  • date_year

  • date_zone

  • durationMs

  • host

  • identity

  • index

  • linecount

  • location

  • operationName

  • operationVersion

  • properties.alternateSignInName

  • properties.appDisplayName

  • properties.appId

  • properties.appServicePrincipalId

  • properties.authenticationDetails{}.RequestSequence

  • properties.authenticationDetails{}.StatusSequence

  • properties.authenticationDetails{}.authenticationMethod

  • properties.authenticationDetails{}.authenticationMethodDetail

  • properties.authenticationDetails{}.authenticationStepDateTime

  • properties.authenticationDetails{}.authenticationStepRequirement

  • properties.authenticationDetails{}.authenticationStepResultDetail

  • properties.authenticationDetails{}.succeeded

  • properties.authenticationProcessingDetails{}.key

  • properties.authenticationProcessingDetails{}.value

  • properties.authenticationProtocol

  • properties.authenticationRequirement

  • properties.authenticationRequirementPolicies{}.detail

  • properties.authenticationRequirementPolicies{}.requirementProvider

  • properties.autonomousSystemNumber

  • properties.clientAppUsed

  • properties.clientCredentialType

  • properties.conditionalAccessStatus

  • properties.correlationId

  • properties.createdDateTime

  • properties.crossTenantAccessType

  • properties.deviceDetail.deviceId

  • properties.deviceDetail.operatingSystem

  • properties.flaggedForReview

  • properties.homeTenantId

  • properties.id

  • properties.incomingTokenType

  • properties.ipAddress

  • properties.isInteractive

  • properties.isTenantRestricted

  • properties.location.city

  • properties.location.countryOrRegion

  • properties.location.geoCoordinates.latitude

  • properties.location.geoCoordinates.longitude

  • properties.location.state

  • properties.originalRequestId

  • properties.originalTransferMethod

  • properties.processingTimeInMilliseconds

  • properties.resourceDisplayName

  • properties.resourceId

  • properties.resourceServicePrincipalId

  • properties.resourceTenantId

  • properties.riskDetail

  • properties.riskLevelAggregated

  • properties.riskLevelDuringSignIn

  • properties.riskState

  • properties.rngcStatus

  • properties.servicePrincipalId

  • properties.signInIdentifier

  • properties.signInTokenProtectionStatus

  • properties.ssoExtensionVersion

  • properties.status.additionalDetails

  • properties.status.errorCode

  • properties.status.failureReason

  • properties.tenantId

  • properties.tokenIssuerName

  • properties.tokenIssuerType

  • properties.uniqueTokenIdentifier

  • properties.userAgent

  • properties.userDisplayName

  • properties.userId

  • properties.userPrincipalName

  • properties.userType

  • punct

  • resourceId

  • resultDescription

  • resultSignature

  • resultType

  • source

  • sourcetype

  • splunk_server

  • tenantId

  • time

  • timeendpos

  • timestartpos

Example Log

{"time": "2023-10-24T20:13:31.4449614Z", "resourceId": "/tenants/887c9144-28b8-431b-885b-764fdeefcf62/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "887c9144-28b8-431b-885b-764fdeefcf62", "resultType": "50076", "resultSignature": "None", "resultDescription": "Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access the resource.", "durationMs": 0, "callerIpAddress": "1.2.3.4", "correlationId": "1f577997-0710-4bd4-848e-5854f748f7dc", "identity": "user15", "Level": 4, "location": "US", "properties": {"id": "22608a25-1d9b-44b5-b0f2-cb94f06b2d00", "createdDateTime": "2023-10-24T20:01:11.9490387+00:00", "userDisplayName": "user15", "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "userId": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "appId": "1b730954-1685-4b74-9bfd-dac224a7b894", "appDisplayName": "Azure Active Directory PowerShell", "ipAddress": "1.2.3.4", "status": {"errorCode": 50076, "failureReason": "Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access the resource.", "additionalDetails": "MFA required in Azure AD"}, "clientAppUsed": "Mobile Apps and Desktop clients", "userAgent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.22621.2428", "deviceDetail": {"deviceId": "", "operatingSystem": "Windows"}, "location": {"city": "Rochester", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 20.756160123483984, "longitude": -73.99697875976562}}, "mfaDetail": {}, "correlationId": "1f577997-0710-4bd4-848e-5854f748f7dc", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "authenticationContextClassReferences": [], "originalRequestId": "22608a25-1d9b-44b5-b0f2-cb94f06b2d00", "isInteractive": true, "tokenIssuerName": 
"", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 72, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "887c9144-28b8-431b-885b-764fdeefcf62", "homeTenantId": "887c9144-28b8-431b-885b-764fdeefcf62", "tenantId": "887c9144-28b8-431b-885b-764fdeefcf62", "authenticationDetails": [{"authenticationStepDateTime": "2023-10-24T20:01:11.9490387+00:00", "authenticationMethod": "Password", "authenticationMethodDetail": "Password in the cloud", "succeeded": true, "authenticationStepResultDetail": "Correct password", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 1}, {"authenticationStepDateTime": "2023-10-24T20:01:11.9490387+00:00", "succeeded": false, "authenticationStepResultDetail": "MFA required in Azure AD", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "sessionLifetimePolicies": [], "authenticationRequirement": "multiFactorAuthentication", "alternateSignInName": "user15@splunkresearch.onmicrosoft.com", "signInIdentifier": "user15@splunkresearch.onmicrosoft.com", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "JYpgIpsdtUSw8suU8GstAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "ropc", "appServicePrincipalId": null, 
"resourceServicePrincipalId": "56ad242f-e13b-47fc-8de8-19e3bf6f6575", "rngcStatus": 0, "signInTokenProtectionStatus": "none", "originalTransferMethod": "none"}}

Required Output Fields

  • dest

  • user

  • src

  • vendor_account

  • vendor_product


Source: GitHub | Version: 3