Azure AD

About

A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as Active Directory Domain Services (AD DS), provides the methods for storing directory data and making this data available to network users and administrators. For example, AD DS stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.

Microsoft describes the Azure Active Directory (Azure AD) enterprise identity service as providing single sign-on, multifactor authentication, and conditional access, and states that these controls guard against 99.9 percent of cybersecurity attacks. Azure AD Domain Services lets you use managed domain services (Windows Domain Join, group policy, LDAP, and Kerberos authentication) without deploying, managing, or patching domain controllers. It also supports customizable, secured access for users outside the organization (partners, customers, citizens, patients) and lets you combine user directories in one portal to manage access across the organization.

Product Details

Vendor URL: Azure AD

Product Type: Authentication

Product Tier: Tier II

Integration Method: Custom

Integration URL: Azure AD - Cyderes Documentation

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: JSON

Expected Normalization Rate: Above 90%

Data Label: AZURE_AD

UDM Fields (UDM fields leveraged in the Parser; upper-case entries in the first column are constant values the parser assigns rather than log fields, and the Sample Parsing below shows further fields, such as principal.location.*, that this list does not include):

Log File Field / Parser Value        UDM Field
AUTHTYPE_UNSPECIFIED                 extensions.auth.type
description                          metadata.description
GENERIC_EVENT                        metadata.event_type
GROUP_MODIFICATION                   metadata.event_type
USER_CHANGE_PASSWORD                 metadata.event_type
USER_CHANGE_PERMISSIONS              metadata.event_type
USER_LOGIN                           metadata.event_type
USER_UNCATEGORIZED                   metadata.event_type
product_event                        metadata.product_event_type
summary                              metadata.product_event_type
product                              metadata.product_name
version                              metadata.product_version
vendor                               metadata.vendor_name
user_agent                           network.http.user_agent
observer_domain                      observer.administrative_domain
observer_hostname                    observer.hostname
observer                             observer.ip
principal_domain                     principal.administrative_domain
principal_app                        principal.application
initiatedBy.user.ipAddress           principal.asset.ip
principal_os                         principal.asset.platform_software.platform
azureTenantId                        principal.group.product_object_id
principal_hostname                   principal.hostname
principal                            principal.ip
userStates.0.userPrincipalName       principal.user.email_addresses
principal_user                       principal.user.userid
properties.initiatedBy.user.id       principal.user.windows_sid
ALERTING                             security_result.alert_state
HIGH_CONFIDENCE                      security_result.confidence
HIGH_PRIORITY                        security_result.priority
INFORMATIONAL                        security_result.severity
LOW                                  security_result.severity
MEDIUM                               security_result.severity
summary                              security_result.summary
target_domain                        target.administrative_domain
target_app                           target.application
targetResources.0.displayName        target.asset.hostname
target                               target.hostname
target                               target.ip
identity                             target.user.user_display_name
target_user                          target.user.userid

Product Event Types

Product Event                                                                                         UDM Event Classification
Update group                                                                                          GROUP_MODIFICATION
login-event, login-success, login-failed                                                              USER_LOGIN
password-changed-success, password-changed-failed, password-changed, Change user password             USER_CHANGE_PASSWORD
Update user, user-updated                                                                             USER_UNCATEGORIZED
Add member to group                                                                                   USER_CHANGE_PERMISSIONS
all others                                                                                            GENERIC_EVENT

Log Sample

Sign-in log record, pretty-printed here for readability (it is ingested as a single JSON line):

{
  "riskLevelDuringSignIn": "none",
  "riskState": "none",
  "riskEventTypes": [],
  "appliedConditionalAccessPolicies": [
    {
      "displayName": "CA001: Require multi-factor authentication for admins",
      "enforcedGrantControls": ["Mfa"],
      "enforcedSessionControls": [],
      "result": "success",
      "id": "2e6d9c3b-681e-4725-883e-ac93a7e2ac16"
    },
    {
      "id": "6688edac-8260-405f-9b0e-f1cb5d82e9a6",
      "displayName": "CA006: Require multi-factor authentication for Azure management",
      "enforcedGrantControls": ["Mfa"],
      "enforcedSessionControls": [],
      "result": "success"
    },
    {
      "result": "reportOnlyNotApplied",
      "id": "419ca737-9549-4c37-b6ce-0ee7c5b43a0b",
      "displayName": "CA003: Block legacy authentication",
      "enforcedGrantControls": ["Block"],
      "enforcedSessionControls": []
    }
  ],
  "userPrincipalName": "john.doe@domain.com",
  "appDisplayName": "Azure Portal",
  "isInteractive": true,
  "createdDateTime": "2022-04-20T13:02:00Z",
  "riskLevelAggregated": "none",
  "status": {"errorCode": 0, "failureReason": "Other.", "additionalDetails": null},
  "appId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c",
  "clientAppUsed": "Browser",
  "correlationId": "d47d29ff-c971-47fa-8034-e9a0e1fd4fff",
  "riskDetail": "none",
  "riskEventTypes_v2": [],
  "id": "346909c4-014f-46b3-b171-dda0ecaf1f00",
  "userDisplayName": "Doe, John",
  "userId": "34a103c1-17bc-4720-bc1d-34b210ad756e",
  "deviceDetail": {
    "isManaged": true,
    "trustType": "Hybrid Azure AD joined",
    "deviceId": "{PII Removed}",
    "displayName": "{PII Removed}",
    "operatingSystem": "Windows 10",
    "browser": "Chrome 100.0.4896",
    "isCompliant": true
  },
  "resourceId": "797f4846-ba00-4fd7-ba43-dac1f8f63013",
  "location": {
    "city": "Best City",
    "state": "State",
    "countryOrRegion": "US",
    "geoCoordinates": {"latitude": 42.38296, "longitude": -71.09557, "altitude": null}
  },
  "ipAddress": "10.2.4.2",
  "conditionalAccessStatus": "success",
  "resourceDisplayName": "Windows Azure Service Management API"
}

Sample Parsing

metadata.product_log_id: "346909c4-014f-46b3-b171-dda0ecaf1f00"
metadata.event_timestamp: 2022-04-20T13:02:00Z
metadata.event_type: USER_LOGIN
metadata.vendor_name: "Microsoft"
metadata.product_name: "Azure AD"
principal.hostname: "{PII Removed}"
principal.user.userid: "john.doe@domain.com"
principal.user.user_display_name: "Doe, John"
principal.user.email_addresses: "john.doe@domain.com"
principal.ip: "10.2.4.2"
principal.platform: WINDOWS
principal.platform_version: "Windows 10"
principal.location.city: "Best City"
principal.location.state: "State"
principal.location.country_or_region: "US"
target.application: "Azure Portal"
security_result.outcomes.key: "CA001: Require multi-factor authentication for admins"
security_result.outcomes.value: "success"
security_result.outcomes.key: "CA006: Require multi-factor authentication for Azure management"
security_result.outcomes.value: "success"
security_result.summary: "Successful login occurred"
security_result.action: ALLOW
network.http.user_agent: "Chrome 100.0.4896"
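The following is an added example, not the Cyderes parser or Chronicle's own code: a small Python normalizer that maps one Azure AD sign-in record onto the UDM fields shown in the Sample Parsing above, using the Product Event Types table from this page for metadata.event_type. Everything it assumes beyond the page is marked in the comments: the sign-in product event is derived from status.errorCode (0 is login-success, anything else is login-failed); failed sign-ins get security_result.action BLOCK and the summary "Failed login occurred"; conditional-access policies whose result is reportOnlyNotApplied are skipped, which is inferred from the Sample Parsing listing only the two enforced policies; the platform enum is a prefix match on deviceDetail.operatingSystem; and the failed-sign-in record is constructed from the page's sample with the AADSTS error code 50126 (bad credentials).

```python
# Added example, not Cyderes' or Chronicle's parser code. Normalizes an Azure AD
# sign-in log line into the UDM-style dotted keys shown in "Sample Parsing".
import json

# "Product Event Types" table from this page; anything else is GENERIC_EVENT.
EVENT_TYPE_MAP = {
    "Update group": "GROUP_MODIFICATION",
    "login-event": "USER_LOGIN",
    "login-success": "USER_LOGIN",
    "login-failed": "USER_LOGIN",
    "password-changed-success": "USER_CHANGE_PASSWORD",
    "password-changed-failed": "USER_CHANGE_PASSWORD",
    "password-changed": "USER_CHANGE_PASSWORD",
    "Change user password": "USER_CHANGE_PASSWORD",
    "Update user": "USER_UNCATEGORIZED",
    "user-updated": "USER_UNCATEGORIZED",
    "Add member to group": "USER_CHANGE_PERMISSIONS",
}


def classify(product_event: str) -> str:
    """UDM metadata.event_type for a product event name (table above)."""
    return EVENT_TYPE_MAP.get(product_event, "GENERIC_EVENT")


def platform_of(os_name: str) -> str:
    """Map Azure AD's free-text operatingSystem to a UDM platform enum.
    Assumption (not on the page): a case-insensitive prefix match."""
    name = (os_name or "").lower()
    for prefix, platform in (("windows", "WINDOWS"), ("mac", "MAC"), ("linux", "LINUX"),
                             ("ios", "IOS"), ("android", "ANDROID")):
        if name.startswith(prefix):
            return platform
    return "UNKNOWN_PLATFORM"


def normalize_signin(raw_json: str) -> dict:
    """Flatten one Azure AD sign-in record into UDM dotted keys."""
    rec = json.loads(raw_json)
    device = rec.get("deviceDetail") or {}
    loc = rec.get("location") or {}
    # Assumption: errorCode 0 means login-success, anything else login-failed.
    succeeded = (rec.get("status") or {}).get("errorCode", 0) == 0
    product_event = "login-success" if succeeded else "login-failed"
    # Assumption: report-only policies are not recorded as outcomes (the page's
    # Sample Parsing lists only the two enforced CA policies).
    outcomes = [
        {"key": p.get("displayName"), "value": p.get("result")}
        for p in rec.get("appliedConditionalAccessPolicies") or []
        if p.get("result") != "reportOnlyNotApplied"
    ]
    upn = rec.get("userPrincipalName")
    return {
        "metadata.product_log_id": rec.get("id"),
        "metadata.event_timestamp": rec.get("createdDateTime"),
        "metadata.event_type": classify(product_event),
        "metadata.product_event_type": product_event,
        "metadata.vendor_name": "Microsoft",
        "metadata.product_name": "Azure AD",
        "principal.hostname": device.get("displayName"),
        "principal.user.userid": upn,
        "principal.user.user_display_name": rec.get("userDisplayName"),
        "principal.user.email_addresses": [upn] if upn else [],
        "principal.ip": [rec["ipAddress"]] if rec.get("ipAddress") else [],
        "principal.platform": platform_of(device.get("operatingSystem")),
        "principal.platform_version": device.get("operatingSystem"),
        "principal.location.city": loc.get("city"),
        "principal.location.state": loc.get("state"),
        "principal.location.country_or_region": loc.get("countryOrRegion"),
        "target.application": rec.get("appDisplayName"),
        "security_result.outcomes": outcomes,
        # Assumption: the failed-login summary string is not shown on the page.
        "security_result.summary": "Successful login occurred" if succeeded else "Failed login occurred",
        "security_result.action": "ALLOW" if succeeded else "BLOCK",
        "network.http.user_agent": device.get("browser"),
    }


# Trimmed copy of the Log Sample on this page (PII placeholders kept as-is).
SIGNIN = json.dumps({
    "id": "346909c4-014f-46b3-b171-dda0ecaf1f00",
    "createdDateTime": "2022-04-20T13:02:00Z",
    "userPrincipalName": "john.doe@domain.com",
    "userDisplayName": "Doe, John",
    "appDisplayName": "Azure Portal",
    "ipAddress": "10.2.4.2",
    "status": {"errorCode": 0, "failureReason": "Other.", "additionalDetails": None},
    "deviceDetail": {"displayName": "{PII Removed}", "operatingSystem": "Windows 10",
                     "browser": "Chrome 100.0.4896", "isManaged": True, "isCompliant": True},
    "location": {"city": "Best City", "state": "State", "countryOrRegion": "US"},
    "appliedConditionalAccessPolicies": [
        {"displayName": "CA001: Require multi-factor authentication for admins", "result": "success"},
        {"displayName": "CA006: Require multi-factor authentication for Azure management", "result": "success"},
        {"displayName": "CA003: Block legacy authentication", "result": "reportOnlyNotApplied"},
    ],
})

# Constructed failed sign-in: the same record with AADSTS error 50126 (bad credentials).
FAILED_SIGNIN = json.dumps({**json.loads(SIGNIN),
                            "status": {"errorCode": 50126,
                                       "failureReason": "Invalid username or password",
                                       "additionalDetails": None}})

if __name__ == "__main__":
    for line in (SIGNIN, FAILED_SIGNIN):
        udm = normalize_signin(line)
        print(udm["metadata.event_type"], udm["metadata.product_event_type"],
              udm["security_result.action"], [o["value"] for o in udm["security_result.outcomes"]])
```

Running the script prints a USER_LOGIN / login-success / ALLOW line with two "success" outcomes for the page's sample, then USER_LOGIN / login-failed / BLOCK for the constructed failure; the outcomes list is unchanged in the second case because conditional access still evaluated the same policies.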

Parser Alerting

loglevel                 security_result.severity    security_result.action    is_alert
(blank)                  INFORMATIONAL               ALLOW                     N
(1), (2), (Unknown)      INFORMATIONAL               ALLOW                     N
(3), (4)                 LOW                         ALLOW                     N
(5), (6)                 MEDIUM                      ALLOW                     N
High                     HIGH                        BLOCK                     Y
Error                    ERROR                       BLOCK                     Y
Critical                 CRITICAL                    BLOCK                     Y