Azure AD Audit¶
About¶
Microsoft Entra activity logs include audit logs, which is a comprehensive report on every logged event in Microsoft Entra ID. Changes to applications, groups, users, and licenses are all captured in the Microsoft Entra audit logs.
Product Details¶
Vendor URL: Azure AD Audit
Product Type: Audit Logs
Product Tier: Tier III
Integration Method: Azure Event Hub
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: AZURE_AD_AUDIT
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| appDisplayName | target.application |
| appId | target.resource.attribute.labels |
| AppId | target.process.pid |
| appliedConditionalAccessPolicie.id | about.user.userid |
| appliedConditionalAccessPolicies.displayName | about.user.user_display_name |
| callerIpAddress | principal.ip |
| category | security_result.category_details |
| Client | network.http.user_agent |
| clientAppUsed | principal.application |
| conditionalAccessStatus | additional.fields |
| correlationId | network.session_id |
| DomainName | target.hostname |
| DomainName | target.asset.hostname |
| EmailAddress | target.user.email_addresses |
| id | product_log_id |
| identity | target.user.userid |
| initiatedBy.app.displayName | principal.application |
| initiatedBy.app.servicePrincipalId | principal.user.product_object_id |
| initiatedBy.app.servicePrincipalName | principal.user.userid |
| initiatedBy.user.displayName | principal.user.user_display_name |
| initiatedBy.user.displayName | principal.user.email_addresses |
| initiatedBy.user.id | principal.user.userid |
| initiatedBy.user.ipAddress | principal.ip |
| initiatedBy.user.ipAddress | principal.asset.ip |
| initiatedBy.user.userPrincipalName | principal.administrative_domain |
| initiatedBy.user.userPrincipalName | principal.resource.attribute.labels |
| ipAddress | principal.ip |
| Level | security_result.severity_details |
| location.city | principal.location.city |
| location.countryOrRegion | principal.location.country_or_region |
| location.geoCoordinates.latitude | principal.location.region_latitude |
| location.geoCoordinates.longitude | principal.location.region_longitude |
| location.state | principal.location.state |
| loggedByService | additional.fields |
| modifiedProperties.newValue department | target.user.department |
| modifiedProperties.newValue DisplayName | target.user.title |
| modifiedProperties.newValue employeeId | target.user.employee_id |
| modifiedProperties.newValue givenName | target.user.first_name |
| modifiedProperties.newValue jobTitle | target.user.title |
| modifiedProperties.newValue MailNickname | target.user.userid |
| modifiedProperties.newValue mobile | target.user.phone_numbers |
| modifiedProperties.newValue objectId | target.user.product_object_id |
| modifiedProperties.newValue physicalDeliveryOfficeName | target.user.office_address.name |
| modifiedProperties.newValue surname | target.user.last_name |
| modifiedProperties.newValue WellKnownObjectName | target.resource.attribute.roles |
| modifiedProperty.displayName | additional.fields |
| newValue.conditions.applications.includeApplications | additional.fields |
| newValue.conditions.clientAppTypes | additional.fields |
| newValue.conditions.locations.includeLocations | additional.fields |
| newValue.state | additional.fields |
| oldValue.conditions.applications.includeApplications | additional.fields |
| oldValue.conditions.clientAppTypes.0 | additional.fields |
| oldValue.conditions.locations.includeLocations | additional.fields |
| oldValue.id | additional.fields |
| oldValue.state | additional.fields |
| operationName | metadata.product_event_type |
| operationType | security_result.action_details |
| PhoneNumber | target.user.phone_numbers |
| PolicyId | security_result.rule_name |
| properties.initiatedBy.app.appId | principal.resource.attribute.labels |
| Request | target.url |
| resourceDisplayName | target.resource.name |
| resourceId | target.resource.id |
| result | security_result.summary |
| result | security_result.action |
| resultReason | security_result.description |
| resultType | security_result.rule_id |
| riskEventTypes | additional.fields |
| riskLevelAggregated | additional.fields |
| riskLevelDuringSignIn | security_result.priority |
| riskState | additional.fields |
| targetResource.resource.name | target.resource.name |
| targetResource.user.product_object_id | target.user.product_object_id |
| targetResources.DeviceId | target.asset.asset_id |
| targetResources.displayName | target.user.user_display_name |
| targetResources.type | target.resource.resource_type |
| targetResourceType | targetResource.user.group_identifiers |
| targetTenant | target.user.userid |
| tenantId | metadata.product_version |
| userAgent | network.http.user_agent |
| userId | target.user.product_object_id |
| userPrincipalName | target.user.email_addresses |
| userPrincipalName | target.user.user_display_name |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| Admin deleted security info | USER_DELETION |
| AdministrativeUnit | USER_RESOURCE_CREATION |
| AdministrativeUnit | USER_CHANGE_PERMISSIONS |
| AdministrativeUnit | USER_RESOURCE_DELETION |
| Agreement | SETTING_CREATION |
| Application Management | SERVICE_CREATION |
| ApplicationManagement | SERVICE_MODIFICATION |
| ApplicationManagement | USER_CHANGE_PERMISSIONS |
| ApplicationManagement | SERVICE_CREATION |
| ApplicationManagement | RESOURCE_CREATION |
| ApplicationManagement | USER_RESOURCE_UPDATE_PERMISSIONS |
| ApplicationManagement | USER_CHANGE_PERMISSIONS |
| ApplicationManagement | USER_CHANGE_PASSWORD |
| ApplicationManagement | USER_UNCATEGORIZED |
| Delete agreement | SETTING_DELETION |
| Delete application | SERVICE_DELETION |
| Resource accessed | USER_RESOURCE_ACCESS |
| Update administrative unit | USER_RESOURCE_UPDATE_CONTENT |
| Update agreement | SETTING_MODIFICATION |
| Update application | SERVICE_MODIFICATION |
Log Sample¶
{"Level":4,"category":"AuditLogs","correlationId":"12345-1234-1234-1234-123456","durationMs":0,"operationName":"Change user password","operationVersion":"1.0","properties":{"activityDateTime":"2024-04-26T14:43:29.1565754+00:00","activityDisplayName":"Change user password","additionalDetails":[],"category":"UserManagement","correlationId":"12345-1234-1234-1234-123456","id":"Directory_1234-1234-1234-1234-abcdefg_ABCD_1234","identity":"","initiatedBy":{"user":{"displayName":null,"id":"abced-1234-abcde-1234d","ipAddress":"","roles":[],"userPrincipalName":"Sync_USER_12345@example.onmicrosoft.com"}},"loggedByService":"Core Directory","operationName":"Change user password","operationType":"Update","result":"success","resultDescription":"","resultReason":"","resultType":"","targetResources":[{"administrativeUnits":[],"displayName":null,"id":"1234-abc-123-abc-1234abcd","modifiedProperties":[{"displayName":"Action Client Name","newValue":"\"DirectorySync\"","oldValue":null}],"type":"User","userPrincipalName":"user@example.com"}],"tenantGeo":"NA","tenantId":"12345-123-abc-1234-1234abcde","userAgent":null},"resourceId":"/tenants/12345-123-abc-1234-1234abcde/providers/Microsoft.aadiam","resultSignature":"None","tenantId":"12345-123-abc-1234-1234abcde","time":"2024-04-26T14:43:29.1565754Z"}
Sample Parsing¶
additional.fields["log_category"] = "UserManagement"
additional.fields["log_service"] = "Core Directory"
additional.fields["newValue Action Client Name 0"] = "DirectorySync"
additional.fields["targetResources.modifiedProperties.displayname 0"] = "Action Client Name"
additional.fields["targetResources.modifiedProperties.newValue 0"] = "DirectorySync"
additional.fields["targetResources.modifiedProperties.oldValue 0"] = "null"
additional.fields["tenantId"] = "12345-123-abc-1234-1234abcde"
metadata.event_type = "USER_CHANGE_PASSWORD"
metadata.product_event_type = "Change user password"
metadata.product_log_id = "Directory_1234-1234-1234-1234-abcdefg_ABCD_1234"
metadata.product_name = "Azure AD Directory Audit"
metadata.product_version = "1.0"
network.session_id = "12345-1234-1234-1234-123456"
principal.administrative_domain = "toryprod.onmicrosoft.com"
principal.resource.attribute.labels.key = "User Principal Name"
principal.resource.attribute.labels.value = "Sync_USER_12345@example.onmicrosoft.com"
principal.user.email_addresses = "Sync_USER_12345@example.onmicrosoft.com"
principal.user.user_display_name = "Sync_USER_12345"
principal.user.userid = "abced-1234-abcde-1234d"
security_result.action_details = "Update"
security_result.action = "ALLOW"
security_result.category_details = "AuditLogs"
security_result.category_details = "UserManagement"
security_result.severity = "INFORMATIONAL"
security_result.severity_details = "4"
security_result.summary = "success"
target.administrative_domain = "example.com"
target.resource.attribute.labels.key = "targetResource type"
target.resource.attribute.labels.value = "User"
target.resource.attribute.labels.key = "User Principal Name"
target.resource.attribute.labels.value = "user@example.com"
target.resource.attribute.labels.key = "Action Client Name"
target.resource.attribute.labels.value = "DirectorySync"
target.resource.id = "/tenants/12345-123-abc-1234-1234abcde/providers/Microsoft.aadiam"
target.resource.resource_type = "SERVICE_ACCOUNT"
target.resource.type = "User"
target.user.product_object_id = "1234-abc-123-abc-1234abcd"
target.user.user_display_name = "user@example.com"
target.user.userid = "user@example.com"