<span class="pill kill-chain">column</span>
<span class="pill kill-chain">action</span>
<span class="pill kill-chain">category</span>
<span class="pill kill-chain">change_type</span>
<span class="pill kill-chain">command</span>
<span class="pill kill-chain">correlationId</span>
<span class="pill kill-chain">dataset_name</span>
<span class="pill kill-chain">date_hour</span>
<span class="pill kill-chain">date_mday</span>
<span class="pill kill-chain">date_minute</span>
<span class="pill kill-chain">date_month</span>
<span class="pill kill-chain">date_second</span>
<span class="pill kill-chain">date_wday</span>
<span class="pill kill-chain">date_year</span>
<span class="pill kill-chain">date_zone</span>
<span class="pill kill-chain">dest</span>
<span class="pill kill-chain">dvc</span>
<span class="pill kill-chain">eventtype</span>
<span class="pill kill-chain">host</span>
<span class="pill kill-chain">identity</span>
<span class="pill kill-chain">image_id</span>
<span class="pill kill-chain">index</span>
<span class="pill kill-chain">instance_type</span>
<span class="pill kill-chain">linecount</span>
<span class="pill kill-chain">object</span>
<span class="pill kill-chain">object_attrs</span>
<span class="pill kill-chain">object_category</span>
<span class="pill kill-chain">object_id</span>
<span class="pill kill-chain">object_path</span>
<span class="pill kill-chain">operationName</span>
<span class="pill kill-chain">properties.ActivityDate</span>
<span class="pill kill-chain">properties.ActivityResultStatus</span>
<span class="pill kill-chain">properties.ActivityType</span>
<span class="pill kill-chain">properties.Actor.ActorType</span>
<span class="pill kill-chain">properties.Actor.Application</span>
<span class="pill kill-chain">properties.Actor.ApplicationName</span>
<span class="pill kill-chain">properties.Actor.IsDelegatedAdmin</span>
<span class="pill kill-chain">properties.Actor.Name</span>
<span class="pill kill-chain">properties.Actor.ObjectId</span>
<span class="pill kill-chain">properties.Actor.PartnerTenantId</span>
<span class="pill kill-chain">properties.Actor.UPN</span>
<span class="pill kill-chain">properties.Actor.UserPermissions{}</span>
<span class="pill kill-chain">properties.AdditionalDetails</span>
<span class="pill kill-chain">properties.AuditEventId</span>
<span class="pill kill-chain">properties.Category</span>
<span class="pill kill-chain">properties.RelationId</span>
<span class="pill kill-chain">properties.TargetDisplayNames{}</span>
<span class="pill kill-chain">properties.TargetObjectIds{}</span>
<span class="pill kill-chain">properties.Targets{}.ModifiedProperties{}.Name</span>
<span class="pill kill-chain">properties.Targets{}.ModifiedProperties{}.New</span>
<span class="pill kill-chain">properties.Targets{}.ModifiedProperties{}.Old</span>
<span class="pill kill-chain">properties.Targets{}.Name</span>
<span class="pill kill-chain">punct</span>
<span class="pill kill-chain">resourceId</span>
<span class="pill kill-chain">resource_provider</span>
<span class="pill kill-chain">response_body</span>
<span class="pill kill-chain">result</span>
<span class="pill kill-chain">resultDescription</span>
<span class="pill kill-chain">resultType</span>
<span class="pill kill-chain">result_id</span>
<span class="pill kill-chain">source</span>
<span class="pill kill-chain">sourcetype</span>
<span class="pill kill-chain">splunk_server</span>
<span class="pill kill-chain">splunk_server_group</span>
<span class="pill kill-chain">src</span>
<span class="pill kill-chain">status</span>
<span class="pill kill-chain">tag</span>
<span class="pill kill-chain">tag::action</span>
<span class="pill kill-chain">tag::eventtype</span>
<span class="pill kill-chain">tag::object_category</span>
<span class="pill kill-chain">tenantId</span>
<span class="pill kill-chain">time</span>
<span class="pill kill-chain">timeendpos</span>
<span class="pill kill-chain">timestartpos</span>
<span class="pill kill-chain">user</span>
<span class="pill kill-chain">user_name</span>
<span class="pill kill-chain">user_type</span>
<span class="pill kill-chain">vendor_account</span>
<span class="pill kill-chain">vendor_product</span>
<span class="pill kill-chain">vendor_region</span>
<span class="pill kill-chain">_time</span>
</div>
Data Source: Azure Monitor Activity
Description
Data source object for Azure Monitor Activity. The Splunk Add-on for Microsoft Cloud Services add-on is required to ingest In-Tune audit logs via Azure EventHub. To configure this logging, visit Intune > Tenant administration > Diagnostic settings > Add diagnostic settings & send events to the activity audit event hub.
Details
| Property | Value |
|---|---|
| Source | Azure AD |
| Sourcetype | azure:monitor:activity |
| Separator | operationName |
Supported Apps
- Splunk Add-on for Microsoft Cloud Services (version 5.4.1)
Event Fields
Fields
Example Log
1{"time": "2024-04-29T13:30:28.8622000Z", "tenantId": "26db52ee-c1b5-4c96-a0d4-129e25dc0388", "category": "AuditLogs", "operationName": "createDeviceHealthScript DeviceHealthScript", "properties": {"ActivityDate": "4/29/2024 1:30:28 PM", "ActivityResultStatus": 1, "ActivityType": 0, "Actor": {"ActorType": 1, "Application": "5926fc8e-304e-4f59-8bed-58ca97cc39a4", "ApplicationName": "Microsoft Intune portal extension", "IsDelegatedAdmin": false, "Name": null, "ObjectId": "cf2ef473-7d3b-4f14-961c-2e470e9a70f2", "PartnerTenantId": "00000000-0000-0000-0000-000000000000", "UserPermissions": ["*"], "UPN": "brian.cove@frothlydev.onmicrosoft.com"}, "AdditionalDetails": "", "AuditEventId": "3e7e790e-f15a-4c2c-a91a-516483bb4e37", "Category": 3, "RelationId": null, "TargetDisplayNames": ["<null>"], "TargetObjectIds": ["b16fcad4-b9f5-46fe-9bf0-841cd9be7bc9"], "Targets": [{"ModifiedProperties": [{"Name": "DeviceManagementAPIVersion", "Old": null, "New": "5024-02-13"}], "Name": null}]}, "resultType": "Success", "resultDescription": "None", "correlationId": "949ac544-b4e5-4576-a117-915c47c0ee00", "identity": "brian.cove@frothlydev.onmicrosoft.com"}
Source: GitHub | Version: 1