<span class="pill kill-chain">action</span>
<span class="pill kill-chain">additional_details</span>
<span class="pill kill-chain">app</span>
<span class="pill kill-chain">authentication_method</span>
<span class="pill kill-chain">authentication_service</span>
<span class="pill kill-chain">callerIpAddress</span>
<span class="pill kill-chain">category</span>
<span class="pill kill-chain">change_type</span>
<span class="pill kill-chain">command</span>
<span class="pill kill-chain">correlationId</span>
<span class="pill kill-chain">dataset_name</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">description</span>
<span class="pill kill-chain">dest</span>
<span class="pill kill-chain">dest_type</span>
<span class="pill kill-chain">duration</span>
<span class="pill kill-chain">durationMs</span>
<span class="pill kill-chain">dvc</span>
<span class="pill kill-chain">enabled</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">id</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">level</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">location</span>
<span class="pill kill-chain">object</span>
<span class="pill kill-chain">object_attrs</span>
<span class="pill kill-chain">object_category</span>
<span class="pill kill-chain">object_id</span>
<span class="pill kill-chain">object_path</span>
<span class="pill kill-chain">operationName</span>
<span class="pill kill-chain">operationVersion</span>
<span class="pill kill-chain">path_from_resourceId</span>
<span class="pill kill-chain">properties.C_Iat</span>
<span class="pill kill-chain">properties.C_Idtyp</span>
<span class="pill kill-chain">properties.UserPrincipalObjectID</span>
<span class="pill kill-chain">properties.__UDI_RequiredFields_EventTime</span>
<span class="pill kill-chain">properties.__UDI_RequiredFields_RegionScope</span>
<span class="pill kill-chain">properties.__UDI_RequiredFields_TenantId</span>
<span class="pill kill-chain">properties.__UDI_RequiredFields_UniqueId</span>
<span class="pill kill-chain">properties.apiVersion</span>
<span class="pill kill-chain">properties.appId</span>
<span class="pill kill-chain">properties.clientAuthMethod</span>
<span class="pill kill-chain">properties.clientRequestId</span>
<span class="pill kill-chain">properties.durationMs</span>
<span class="pill kill-chain">properties.identityProvider</span>
<span class="pill kill-chain">properties.ipAddress</span>
<span class="pill kill-chain">properties.location</span>
<span class="pill kill-chain">properties.operationId</span>
<span class="pill kill-chain">properties.requestId</span>
<span class="pill kill-chain">properties.requestMethod</span>
<span class="pill kill-chain">properties.requestUri</span>
<span class="pill kill-chain">properties.responseSizeBytes</span>
<span class="pill kill-chain">properties.responseStatusCode</span>
<span class="pill kill-chain">properties.resultReason</span>
<span class="pill kill-chain">properties.roles</span>
<span class="pill kill-chain">properties.scopes</span>
<span class="pill kill-chain">properties.signInActivityId</span>
<span class="pill kill-chain">properties.tenantId</span>
<span class="pill kill-chain">properties.timeGenerated</span>
<span class="pill kill-chain">properties.tokenIssuedAt</span>
<span class="pill kill-chain">properties.userAgent</span>
<span class="pill kill-chain">properties.userId</span>
<span class="pill kill-chain">properties.wids</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">reason</span>
<span class="pill kill-chain">resourceId</span>
<span class="pill kill-chain">response_time</span>
<span class="pill kill-chain">result</span>
<span class="pill kill-chain">resultSignature</span>
<span class="pill kill-chain">result_id</span>
<span class="pill kill-chain">severity</span>
<span class="pill kill-chain">signature</span>
<span class="pill kill-chain">signature_id</span>
<span class="pill kill-chain">signinDateTime</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">splunk_server_group</span>
<span class="pill kill-chain">src</span>
<span class="pill kill-chain">src_ip</span>
<span class="pill kill-chain">src_user</span>
<span class="pill kill-chain">src_user_name</span>
<span class="pill kill-chain">src_user_type</span>
<span class="pill kill-chain">status</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::action</span>
<span class="pill kill-chain">tag::app</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">tag::object_category</span>
<span class="pill kill-chain">tenantId</span>
<span class="pill kill-chain">time</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestartpos</span>
<span class="pill kill-chain">user</span>
<span class="pill kill-chain">user_agent</span>
<span class="pill kill-chain">user_id</span>
<span class="pill kill-chain">user_name</span>
<span class="pill kill-chain">user_role</span>
<span class="pill kill-chain">user_type</span>
<span class="pill kill-chain">vendor_account</span>
<span class="pill kill-chain">vendor_product</span>
<span class="pill kill-chain">vendor_region</span>
<span class="pill kill-chain">_bkt</span>
<span class="pill kill-chain">_cd</span>
<span class="pill kill-chain">_eventtype_color</span>
<span class="pill kill-chain">_indextime</span>
<span class="pill kill-chain">_raw</span>
<span class="pill kill-chain">_serial</span>
<span class="pill kill-chain">_si</span>
<span class="pill kill-chain">_sourcetype</span>
<span class="pill kill-chain">_subsecond</span>
<span class="pill kill-chain">_time</span>
Data Source: Azure Active Directory NonInteractiveUserSignInLogs
Description
Data source object for Azure Active Directory NonInteractiveUserSignInLogs: the Azure AD sign-in log category for sign-ins performed on the user's behalf without user interaction (the example log below carries `"isInteractive": false` and `"category": "NonInteractiveUserSignInLogs"`).
Details
| Property | Value |
|---|---|
Source | Azure AD |
Sourcetype | azure:monitor:aad |
Separator | operationName |
Supported Apps
- Splunk Add-on for Microsoft Cloud Services (version 5.5.0)
Event Fields
Example Log
1{"time": "2023-01-12T19:22:14.5285742Z", "resourceId": "/tenants/95d19bda-09de-4d93-b7ae-acecd1e68186/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "NonInteractiveUserSignInLogs", "tenantId": "95d19bda-09de-4d93-b7ae-acecd1e68186", "resultType": "0", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "34.1.3.194", "correlationId": "fc78e38c-1e61-4be3-b47d-f3e6a9724a65", "identity": "User30", "Level": 4, "location": "US", "properties": {"id": "0f94f5fb-3583-4c46-9bfa-0390c1988800", "createdDateTime": "2023-01-12T19:22:14.5285742+00:00", "userDisplayName": "User30", "userPrincipalName": "user30@splunkresearch.com", "userId": "40b61050-e814-4ae5-8ffe-66b6f0c53998", "appId": "4765445b-32c6-49b0-83e6-1d93765276ca", "appDisplayName": "OfficeHome", "ipAddress": "34.1.3.194", "status": {"errorCode": 0, "additionalDetails": "MFA requirement satisfied by claim in the token"}, "clientAppUsed": "Browser", "deviceDetail": {"deviceId": "", "operatingSystem": "Windows", "browser": "Rich Client 4.43.0.0"}, "location": {"city": "Boardman", "state": "Oregon", "countryOrRegion": "US", "geoCoordinates": {"latitude": 45.73722839355469, "longitude": -119.81143188476562}}, "mfaDetail": {}, "correlationId": "fc78e38c-1e61-4be3-b47d-f3e6a9724a65", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [{"id": "SecurityDefaults", "displayName": "Security Defaults", "enforcedGrantControls": [], "enforcedSessionControls": [], "result": "success", "conditionsSatisfied": 3, "conditionsNotSatisfied": 0}], "authenticationContextClassReferences": [], "originalRequestId": "0f94f5fb-3583-4c46-9bfa-0390c1988800", "isInteractive": false, "tokenIssuerName": "", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Oauth Scope Info", "value": "[\"OfficeHome.All\"]"}, {"key": "Is CAE Token", "value": "False"}], 
"networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 192, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "OfficeHome", "resourceId": "4765445b-32c6-49b0-83e6-1d93765276ca", "resourceTenantId": "95d19bda-09de-4d93-b7ae-acecd1e68186", "homeTenantId": "95d19bda-09de-4d93-b7ae-acecd1e68186", "authenticationDetails": [{"authenticationStepDateTime": "2023-01-12T19:22:14.5285742+00:00", "authenticationMethod": "Previously satisfied", "succeeded": true, "authenticationStepResultDetail": "MFA requirement satisfied by claim in the token", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "authenticationRequirement": "multiFactorAuthentication", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 16509, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "-_WUD4M1Rkyb-gOQwZiIAA", "authenticationStrengths": [], "incomingTokenType": "primaryRefreshToken", "authenticationProtocol": "none", "appServicePrincipalId": null, "resourceServicePrincipalId": null, "rngcStatus": 0}}
Source: GitHub | Version: 1