Data Source: Azure Monitor Activity

Description

Data source object for Azure Monitor Activity. The Splunk Add-on for Microsoft Cloud Services is required to ingest Intune audit logs via an Azure Event Hub. To configure this logging, open Intune > Tenant administration > Diagnostic settings, add a diagnostic setting and send the activity audit events to the event hub.

Details

Property     Value
Source       Azure AD
Sourcetype   azure:monitor:activity
Separator    operationName
Name | Technique | Type
Microsoft Intune Device Health Scripts | Software Deployment Tools, Cloud Services, Indirect Command Execution, Ingress Tool Transfer | Hunting
Microsoft Intune DeviceManagementConfigurationPolicies | Software Deployment Tools, Domain or Tenant Policy Modification, Cloud Services, Disable or Modify Tools, Disable or Modify System Firewall | Hunting
Microsoft Intune Manual Device Management | Cloud Services, Software Deployment Tools, System Shutdown/Reboot | Hunting
Microsoft Intune Mobile Apps | Software Deployment Tools, Cloud Services, Indirect Command Execution, Ingress Tool Transfer | Hunting

Supported Apps

Event Fields

Fields
  • column
  • action
  • category
  • change_type
  • command
  • correlationId
  • dataset_name
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • dest
  • dvc
  • eventtype
  • host
  • identity
  • image_id
  • index
  • instance_type
  • linecount
  • object
  • object_attrs
  • object_category
  • object_id
  • object_path
  • operationName
  • properties.ActivityDate
  • properties.ActivityResultStatus
  • properties.ActivityType
  • properties.Actor.ActorType
  • properties.Actor.Application
  • properties.Actor.ApplicationName
  • properties.Actor.IsDelegatedAdmin
  • properties.Actor.Name
  • properties.Actor.ObjectId
  • properties.Actor.PartnerTenantId
  • properties.Actor.UPN
  • properties.Actor.UserPermissions{}
  • properties.AdditionalDetails
  • properties.AuditEventId
  • properties.Category
  • properties.RelationId
  • properties.TargetDisplayNames{}
  • properties.TargetObjectIds{}
  • properties.Targets{}.ModifiedProperties{}.Name
  • properties.Targets{}.ModifiedProperties{}.New
  • properties.Targets{}.ModifiedProperties{}.Old
  • properties.Targets{}.Name
  • punct
  • resourceId
  • resource_provider
  • response_body
  • result
  • resultDescription
  • resultType
  • result_id
  • source
  • sourcetype
  • splunk_server
  • splunk_server_group
  • src
  • status
  • tag
  • tag::action
  • tag::eventtype
  • tag::object_category
  • tenantId
  • time
  • timeendpos
  • timestartpos
  • user
  • user_name
  • user_type
  • vendor_account
  • vendor_product
  • vendor_region
  • _time
</div>

Example Log

{
  "time": "2024-04-29T13:30:28.8622000Z",
  "tenantId": "26db52ee-c1b5-4c96-a0d4-129e25dc0388",
  "category": "AuditLogs",
  "operationName": "createDeviceHealthScript DeviceHealthScript",
  "properties": {
    "ActivityDate": "4/29/2024 1:30:28 PM",
    "ActivityResultStatus": 1,
    "ActivityType": 0,
    "Actor": {
      "ActorType": 1,
      "Application": "5926fc8e-304e-4f59-8bed-58ca97cc39a4",
      "ApplicationName": "Microsoft Intune portal extension",
      "IsDelegatedAdmin": false,
      "Name": null,
      "ObjectId": "cf2ef473-7d3b-4f14-961c-2e470e9a70f2",
      "PartnerTenantId": "00000000-0000-0000-0000-000000000000",
      "UserPermissions": ["*"],
      "UPN": "brian.cove@frothlydev.onmicrosoft.com"
    },
    "AdditionalDetails": "",
    "AuditEventId": "3e7e790e-f15a-4c2c-a91a-516483bb4e37",
    "Category": 3,
    "RelationId": null,
    "TargetDisplayNames": ["<null>"],
    "TargetObjectIds": ["b16fcad4-b9f5-46fe-9bf0-841cd9be7bc9"],
    "Targets": [
      {
        "ModifiedProperties": [
          {"Name": "DeviceManagementAPIVersion", "Old": null, "New": "5024-02-13"}
        ],
        "Name": null
      }
    ]
  },
  "resultType": "Success",
  "resultDescription": "None",
  "correlationId": "949ac544-b4e5-4576-a117-915c47c0ee00",
  "identity": "brian.cove@frothlydev.onmicrosoft.com"
}
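As an added example (not part of this page or of Splunk's own extraction code), the following Python flattens the example event above into the Splunk-style field names listed under Event Fields, where nested objects join with "." and arrays append "{}", and then pulls out the actor, operation, result and old/new property values an analyst would read first. The trimmed sample event and the triage layout are constructed here for illustration.

```python
from collections import defaultdict

# Constructed sample: the page's example createDeviceHealthScript event, trimmed to the keys used below.
SAMPLE_EVENT = {
    "operationName": "createDeviceHealthScript DeviceHealthScript",
    "properties": {
        "Actor": {"ActorType": 1, "ApplicationName": "Microsoft Intune portal extension",
                  "IsDelegatedAdmin": False, "UserPermissions": ["*"],
                  "UPN": "brian.cove@frothlydev.onmicrosoft.com"},
        "TargetObjectIds": ["b16fcad4-b9f5-46fe-9bf0-841cd9be7bc9"],
        "Targets": [{"ModifiedProperties": [{"Name": "DeviceManagementAPIVersion",
                                             "Old": None, "New": "5024-02-13"}], "Name": None}],
    },
    "resultType": "Success",
}

def flatten(node, prefix=""):
    """Flatten nested JSON into Splunk-style field names: object keys are joined
    with '.', array elements get '{}' appended to the key, and every element of an
    array lands in one multivalue field (represented here as a list)."""
    fields = defaultdict(list)
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else key
            for name, vals in flatten(value, path).items():
                fields[name].extend(vals)
    elif isinstance(node, list):
        for item in node:
            for name, vals in flatten(item, prefix + "{}").items():
                fields[name].extend(vals)
    else:
        fields[prefix].append(node)
    return dict(fields)

def triage(event):
    """Who did what, with which result, and which properties changed.
    Note: flattening merges ModifiedProperties from all Targets into one
    multivalue field, so per-target grouping is lost (use spath on the raw
    event when that grouping matters)."""
    f = flatten(event)
    base = "properties.Targets{}.ModifiedProperties{}."
    changes = zip(f.get(base + "Name", []), f.get(base + "Old", []), f.get(base + "New", []))
    return {
        "user": f["properties.Actor.UPN"][0],
        "app": f["properties.Actor.ApplicationName"][0],
        "operation": f["operationName"][0],
        "result": f["resultType"][0],
        "targets": f.get("properties.TargetObjectIds{}", []),
        "changes": list(changes),
    }
```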

Required Output Fields

  • action
  • dest
  • user
  • src
  • vendor_account
  • vendor_product


Source: GitHub | Version: 1