Data Source: Azure Active Directory Sign-in activity

Description

Data source object for Azure Active Directory sign-in activity: Azure Monitor `SignInLogs` category events, ingested into Splunk under sourcetype `azure:monitor:aad` and distinguished from other Azure AD events by the `operationName` field.

Details

Property Value
Source Azure AD
Sourcetype azure:monitor:aad
Separator operationName

Supported Apps

Event Fields

Fields
  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">Level</span>
  
  <span class="pill kill-chain">callerIpAddress</span>
  
  <span class="pill kill-chain">category</span>
  
  <span class="pill kill-chain">correlationId</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">durationMs</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">identity</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">location</span>
  
  <span class="pill kill-chain">operationName</span>
  
  <span class="pill kill-chain">operationVersion</span>
  
  <span class="pill kill-chain">properties.alternateSignInName</span>
  
  <span class="pill kill-chain">properties.appDisplayName</span>
  
  <span class="pill kill-chain">properties.appId</span>
  
  <span class="pill kill-chain">properties.appServicePrincipalId</span>
  
  <span class="pill kill-chain">properties.authenticationDetails{}.RequestSequence</span>
  
  <span class="pill kill-chain">properties.authenticationDetails{}.StatusSequence</span>
  
  <span class="pill kill-chain">properties.authenticationDetails{}.authenticationMethod</span>
  
  <span class="pill kill-chain">properties.authenticationDetails{}.authenticationMethodDetail</span>
  
  <span class="pill kill-chain">properties.authenticationDetails{}.authenticationStepDateTime</span>
  
  <span class="pill kill-chain">properties.authenticationDetails{}.authenticationStepRequirement</span>
  
  <span class="pill kill-chain">properties.authenticationDetails{}.authenticationStepResultDetail</span>
  
  <span class="pill kill-chain">properties.authenticationDetails{}.succeeded</span>
  
  <span class="pill kill-chain">properties.authenticationProcessingDetails{}.key</span>
  
  <span class="pill kill-chain">properties.authenticationProcessingDetails{}.value</span>
  
  <span class="pill kill-chain">properties.authenticationProtocol</span>
  
  <span class="pill kill-chain">properties.authenticationRequirement</span>
  
  <span class="pill kill-chain">properties.authenticationRequirementPolicies{}.detail</span>
  
  <span class="pill kill-chain">properties.authenticationRequirementPolicies{}.requirementProvider</span>
  
  <span class="pill kill-chain">properties.autonomousSystemNumber</span>
  
  <span class="pill kill-chain">properties.clientAppUsed</span>
  
  <span class="pill kill-chain">properties.clientCredentialType</span>
  
  <span class="pill kill-chain">properties.conditionalAccessStatus</span>
  
  <span class="pill kill-chain">properties.correlationId</span>
  
  <span class="pill kill-chain">properties.createdDateTime</span>
  
  <span class="pill kill-chain">properties.crossTenantAccessType</span>
  
  <span class="pill kill-chain">properties.deviceDetail.deviceId</span>
  
  <span class="pill kill-chain">properties.deviceDetail.operatingSystem</span>
  
  <span class="pill kill-chain">properties.flaggedForReview</span>
  
  <span class="pill kill-chain">properties.homeTenantId</span>
  
  <span class="pill kill-chain">properties.id</span>
  
  <span class="pill kill-chain">properties.incomingTokenType</span>
  
  <span class="pill kill-chain">properties.ipAddress</span>
  
  <span class="pill kill-chain">properties.isInteractive</span>
  
  <span class="pill kill-chain">properties.isTenantRestricted</span>
  
  <span class="pill kill-chain">properties.location.city</span>
  
  <span class="pill kill-chain">properties.location.countryOrRegion</span>
  
  <span class="pill kill-chain">properties.location.geoCoordinates.latitude</span>
  
  <span class="pill kill-chain">properties.location.geoCoordinates.longitude</span>
  
  <span class="pill kill-chain">properties.location.state</span>
  
  <span class="pill kill-chain">properties.originalRequestId</span>
  
  <span class="pill kill-chain">properties.originalTransferMethod</span>
  
  <span class="pill kill-chain">properties.processingTimeInMilliseconds</span>
  
  <span class="pill kill-chain">properties.resourceDisplayName</span>
  
  <span class="pill kill-chain">properties.resourceId</span>
  
  <span class="pill kill-chain">properties.resourceServicePrincipalId</span>
  
  <span class="pill kill-chain">properties.resourceTenantId</span>
  
  <span class="pill kill-chain">properties.riskDetail</span>
  
  <span class="pill kill-chain">properties.riskLevelAggregated</span>
  
  <span class="pill kill-chain">properties.riskLevelDuringSignIn</span>
  
  <span class="pill kill-chain">properties.riskState</span>
  
  <span class="pill kill-chain">properties.rngcStatus</span>
  
  <span class="pill kill-chain">properties.servicePrincipalId</span>
  
  <span class="pill kill-chain">properties.signInIdentifier</span>
  
  <span class="pill kill-chain">properties.signInTokenProtectionStatus</span>
  
  <span class="pill kill-chain">properties.ssoExtensionVersion</span>
  
  <span class="pill kill-chain">properties.status.additionalDetails</span>
  
  <span class="pill kill-chain">properties.status.errorCode</span>
  
  <span class="pill kill-chain">properties.status.failureReason</span>
  
  <span class="pill kill-chain">properties.tenantId</span>
  
  <span class="pill kill-chain">properties.tokenIssuerName</span>
  
  <span class="pill kill-chain">properties.tokenIssuerType</span>
  
  <span class="pill kill-chain">properties.uniqueTokenIdentifier</span>
  
  <span class="pill kill-chain">properties.userAgent</span>
  
  <span class="pill kill-chain">properties.userDisplayName</span>
  
  <span class="pill kill-chain">properties.userId</span>
  
  <span class="pill kill-chain">properties.userPrincipalName</span>
  
  <span class="pill kill-chain">properties.userType</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">resourceId</span>
  
  <span class="pill kill-chain">resultDescription</span>
  
  <span class="pill kill-chain">resultSignature</span>
  
  <span class="pill kill-chain">resultType</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">tenantId</span>
  
  <span class="pill kill-chain">time</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  

Example Log (a sign-in from the Azure Active Directory PowerShell client over the `ropc` authentication protocol that failed with resultType 50076 because MFA was required; note that `resultType` is a string at the top level while `properties.status.errorCode` is a number, so the two must not be compared as the same type)

{"time": "2023-10-24T20:13:31.4449614Z", "resourceId": "/tenants/887c9144-28b8-431b-885b-764fdeefcf62/providers/Microsoft.aadiam", "operationName": "Sign-in activity", "operationVersion": "1.0", "category": "SignInLogs", "tenantId": "887c9144-28b8-431b-885b-764fdeefcf62", "resultType": "50076", "resultSignature": "None", "resultDescription": "Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access the resource.", "durationMs": 0, "callerIpAddress": "1.2.3.4", "correlationId": "1f577997-0710-4bd4-848e-5854f748f7dc", "identity": "user15", "Level": 4, "location": "US", "properties": {"id": "22608a25-1d9b-44b5-b0f2-cb94f06b2d00", "createdDateTime": "2023-10-24T20:01:11.9490387+00:00", "userDisplayName": "user15", "userPrincipalName": "user15@splunkresearch.onmicrosoft.com", "userId": "57e4bd36-9722-4a4a-9729-7203d8e00b72", "appId": "1b730954-1685-4b74-9bfd-dac224a7b894", "appDisplayName": "Azure Active Directory PowerShell", "ipAddress": "1.2.3.4", "status": {"errorCode": 50076, "failureReason": "Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access the resource.", "additionalDetails": "MFA required in Azure AD"}, "clientAppUsed": "Mobile Apps and Desktop clients", "userAgent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.22621.2428", "deviceDetail": {"deviceId": "", "operatingSystem": "Windows"}, "location": {"city": "Rochester", "state": "New York", "countryOrRegion": "US", "geoCoordinates": {"latitude": 20.756160123483984, "longitude": -73.99697875976562}}, "mfaDetail": {}, "correlationId": "1f577997-0710-4bd4-848e-5854f748f7dc", "conditionalAccessStatus": "notApplied", "appliedConditionalAccessPolicies": [], "authenticationContextClassReferences": [], "originalRequestId": "22608a25-1d9b-44b5-b0f2-cb94f06b2d00", "isInteractive": true, "tokenIssuerName": 
"", "tokenIssuerType": "AzureAD", "authenticationProcessingDetails": [{"key": "Legacy TLS (TLS 1.0, 1.1, 3DES)", "value": "False"}, {"key": "Is CAE Token", "value": "False"}], "networkLocationDetails": [], "clientCredentialType": "none", "processingTimeInMilliseconds": 72, "riskDetail": "none", "riskLevelAggregated": "none", "riskLevelDuringSignIn": "none", "riskState": "none", "riskEventTypes": [], "riskEventTypes_v2": [], "resourceDisplayName": "Windows Azure Active Directory", "resourceId": "00000002-0000-0000-c000-000000000000", "resourceTenantId": "887c9144-28b8-431b-885b-764fdeefcf62", "homeTenantId": "887c9144-28b8-431b-885b-764fdeefcf62", "tenantId": "887c9144-28b8-431b-885b-764fdeefcf62", "authenticationDetails": [{"authenticationStepDateTime": "2023-10-24T20:01:11.9490387+00:00", "authenticationMethod": "Password", "authenticationMethodDetail": "Password in the cloud", "succeeded": true, "authenticationStepResultDetail": "Correct password", "authenticationStepRequirement": "Primary authentication", "StatusSequence": 0, "RequestSequence": 1}, {"authenticationStepDateTime": "2023-10-24T20:01:11.9490387+00:00", "succeeded": false, "authenticationStepResultDetail": "MFA required in Azure AD", "authenticationStepRequirement": "Primary authentication"}], "authenticationRequirementPolicies": [{"requirementProvider": "user", "detail": "Per-user MFA"}], "sessionLifetimePolicies": [], "authenticationRequirement": "multiFactorAuthentication", "alternateSignInName": "user15@splunkresearch.onmicrosoft.com", "signInIdentifier": "user15@splunkresearch.onmicrosoft.com", "servicePrincipalId": "", "userType": "Member", "flaggedForReview": false, "isTenantRestricted": false, "autonomousSystemNumber": 12271, "crossTenantAccessType": "none", "privateLinkDetails": {}, "ssoExtensionVersion": "", "uniqueTokenIdentifier": "JYpgIpsdtUSw8suU8GstAA", "authenticationStrengths": [], "incomingTokenType": "none", "authenticationProtocol": "ropc", "appServicePrincipalId": null, 
"resourceServicePrincipalId": "56ad242f-e13b-47fc-8de8-19e3bf6f6575", "rngcStatus": 0, "signInTokenProtectionStatus": "none", "originalTransferMethod": "none"}}

Source: GitHub | Version: 1