Data Source: Azure Monitor Activity

Description

Data source object for Azure Monitor Activity. The Splunk Add-on for Microsoft Cloud Services is required to ingest Intune audit logs via an Azure Event Hub. To configure this logging, go to Intune > Tenant administration > Diagnostic settings, add a diagnostic setting, and send the audit events to the activity audit event hub.

Details

Property   | Value
Source     | Azure AD
Sourcetype | azure:monitor:activity
Separator  | operationName

Name | Technique | Type
Microsoft Intune Device Health Scripts | Cloud Services, Software Deployment Tools, Ingress Tool Transfer, Indirect Command Execution | Hunting
Microsoft Intune Mobile Apps | Cloud Services, Software Deployment Tools, Ingress Tool Transfer, Indirect Command Execution | Hunting
Microsoft Intune Bulk Wipe | Disk Content Wipe | TTP
Microsoft Intune Manual Device Management | Cloud Services, Software Deployment Tools, System Shutdown/Reboot | Hunting
Microsoft Intune DeviceManagementConfigurationPolicies | Cloud Services, Software Deployment Tools, Domain or Tenant Policy Modification, Disable or Modify Tools, Disable or Modify System Firewall | Hunting

Supported Apps

Event Fields

Fields

  • column
  • action
  • category
  • change_type
  • command
  • correlationId
  • dataset_name
  • date_hour
  • date_mday
  • date_minute
  • date_month
  • date_second
  • date_wday
  • date_year
  • date_zone
  • dest
  • dvc
  • eventtype
  • host
  • identity
  • image_id
  • index
  • instance_type
  • linecount
  • object
  • object_attrs
  • object_category
  • object_id
  • object_path
  • operationName
  • properties.ActivityDate
  • properties.ActivityResultStatus
  • properties.ActivityType
  • properties.Actor.ActorType
  • properties.Actor.Application
  • properties.Actor.ApplicationName
  • properties.Actor.IsDelegatedAdmin
  • properties.Actor.Name
  • properties.Actor.ObjectId
  • properties.Actor.PartnerTenantId
  • properties.Actor.UPN
  • properties.Actor.UserPermissions{}
  • properties.AdditionalDetails
  • properties.AuditEventId
  • properties.Category
  • properties.RelationId
  • properties.TargetDisplayNames{}
  • properties.TargetObjectIds{}
  • properties.Targets{}.ModifiedProperties{}.Name
  • properties.Targets{}.ModifiedProperties{}.New
  • properties.Targets{}.ModifiedProperties{}.Old
  • properties.Targets{}.Name
  • punct
  • resourceId
  • resource_provider
  • response_body
  • result
  • resultDescription
  • resultType
  • result_id
  • source
  • sourcetype
  • splunk_server
  • splunk_server_group
  • src
  • status
  • tag
  • tag::action
  • tag::eventtype
  • tag::object_category
  • tenantId
  • time
  • timeendpos
  • timestartpos
  • user
  • user_name
  • user_type
  • vendor_account
  • vendor_product
  • vendor_region
  • _time

Example Log

{
  "time": "2024-04-29T13:30:28.8622000Z",
  "tenantId": "26db52ee-c1b5-4c96-a0d4-129e25dc0388",
  "category": "AuditLogs",
  "operationName": "createDeviceHealthScript DeviceHealthScript",
  "properties": {
    "ActivityDate": "4/29/2024 1:30:28 PM",
    "ActivityResultStatus": 1,
    "ActivityType": 0,
    "Actor": {
      "ActorType": 1,
      "Application": "5926fc8e-304e-4f59-8bed-58ca97cc39a4",
      "ApplicationName": "Microsoft Intune portal extension",
      "IsDelegatedAdmin": false,
      "Name": null,
      "ObjectId": "cf2ef473-7d3b-4f14-961c-2e470e9a70f2",
      "PartnerTenantId": "00000000-0000-0000-0000-000000000000",
      "UserPermissions": ["*"],
      "UPN": "brian.cove@frothlydev.onmicrosoft.com"
    },
    "AdditionalDetails": "",
    "AuditEventId": "3e7e790e-f15a-4c2c-a91a-516483bb4e37",
    "Category": 3,
    "RelationId": null,
    "TargetDisplayNames": ["<null>"],
    "TargetObjectIds": ["b16fcad4-b9f5-46fe-9bf0-841cd9be7bc9"],
    "Targets": [
      {
        "ModifiedProperties": [
          {"Name": "DeviceManagementAPIVersion", "Old": null, "New": "5024-02-13"}
        ],
        "Name": null
      }
    ]
  },
  "resultType": "Success",
  "resultDescription": "None",
  "correlationId": "949ac544-b4e5-4576-a117-915c47c0ee00",
  "identity": "brian.cove@frothlydev.onmicrosoft.com"
}

Required Output Fields

  • action
  • dest
  • user
  • src
  • vendor_account
  • vendor_product
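The following is an added example, not part of the Splunk Security Content project or of the add-on, showing how one azure:monitor:activity event like the example log above can be normalized onto the required output fields, using operationName as the separator (verb + object type) and collecting the Old/New values from properties.Targets{}.ModifiedProperties{}. The field mappings (dest from the first TargetObjectId, src from the actor application name, vendor_account from tenantId) are this example's own assumptions, not the add-on's props.conf.

```python
import json

# Constructed sample event, trimmed from the page's example log (not a live tenant record).
SAMPLE_EVENT = json.dumps({
    "time": "2024-04-29T13:30:28.8622000Z",
    "tenantId": "26db52ee-c1b5-4c96-a0d4-129e25dc0388",
    "category": "AuditLogs",
    "operationName": "createDeviceHealthScript DeviceHealthScript",
    "properties": {
        "Actor": {"ApplicationName": "Microsoft Intune portal extension",
                  "UPN": "brian.cove@frothlydev.onmicrosoft.com"},
        "TargetObjectIds": ["b16fcad4-b9f5-46fe-9bf0-841cd9be7bc9"],
        "Targets": [{"ModifiedProperties": [
            {"Name": "DeviceManagementAPIVersion", "Old": None, "New": "5024-02-13"}]}],
    },
    "resultType": "Success",
    "identity": "brian.cove@frothlydev.onmicrosoft.com",
})


def normalize(raw):
    """Map one azure:monitor:activity audit event onto the required output fields.

    Assumed mappings (this example's choice, not the add-on's): dest = first
    TargetObjectId, src = actor application name, vendor_account = tenantId.
    """
    ev = json.loads(raw)
    # operationName is the separator field: "<verb><Type> <Type>", e.g.
    # "createDeviceHealthScript DeviceHealthScript". Split off the object type
    # and strip it from the first token to recover the verb ("create").
    op, _, obj = ev.get("operationName", "").partition(" ")
    verb = op[: len(op) - len(obj)] if obj and op.endswith(obj) else op
    props = ev.get("properties") or {}
    actor = props.get("Actor") or {}
    # Flatten Targets{}.ModifiedProperties{} into (name, old, new) tuples so a
    # detection can compare what changed rather than only that something changed.
    changes = [(m.get("Name"), m.get("Old"), m.get("New"))
               for t in props.get("Targets") or []
               for m in t.get("ModifiedProperties") or []]
    return {
        "action": verb,
        "object_category": obj,
        "user": ev.get("identity") or actor.get("UPN"),
        "dest": (props.get("TargetObjectIds") or [None])[0],
        "src": actor.get("ApplicationName"),
        "vendor_account": ev.get("tenantId"),
        "vendor_product": "Microsoft Intune",
        "status": ev.get("resultType"),
        "changes": changes,
    }
```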


Source: GitHub | Version: 2