Azure Active Directory Messages

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Azure Active Directory Messages | Base Rule | General Audit Message | Other Audit |
| Logon Using DA Token | Sub Rule | User Logon | Authentication Success |
| Logon Failure Using DA Token | Sub Rule | User Logon Failure | Authentication Failure |
| Logon Using Federated Token | Sub Rule | User Logon | Authentication Success |
| Logon Failed Using Federated Token | Sub Rule | User Logon Failure | Authentication Failure |
| Logon Using Password | Sub Rule | User Logon | Authentication Success |
| Logon Failed Using Password | Sub Rule | User Logon Failure | Authentication Failure |
| Add App Role Assignment Grant to User | Sub Rule | Successful Activity | Other Audit Success |
| Add App Role Assignment Grant to User Fail | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Add App Role Assignment to Service Principal | Sub Rule | Successful Activity | Other Audit Success |
| Add App Role Assignment to Service Principal Fail | Sub Rule | Successful Activity | Other Audit Success |
| Add Application | Sub Rule | Software Installed | Configuration |
| Add Application Fail | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Add OAuth2PermissionGrant | Sub Rule | Privilege Granted | Access Granted |
| Add OAuth2PermissionGrant Failed | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Add Service Principal | Sub Rule | Successful Activity | Other Audit Success |
| Add Service Principal Failed | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Add User | Sub Rule | User Account Created | Account Created |
| Add User Failed | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Change User License | Sub Rule | User Account Attribute Modified | Account Modified |
| Change User License Failed | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Consent to Application | Sub Rule | Successful Activity | Other Audit Success |
| Consent to Application Failed | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Delete Group | Sub Rule | Group Deleted | Account Deleted |
| Delete Group Failed | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Delete User | Sub Rule | User Account Deleted | Account Deleted |
| Delete User Failed | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Reset User Password | Sub Rule | Password Modified | Account Modified |
| Reset User Password Failed | Sub Rule | Password Change Attempted | Other Audit Failure |
| Update Application | Sub Rule | Software Updated | Configuration |
| Update Application Failed | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Update Group | Sub Rule | Group Attribute Modified | Account Modified |
| Update Group Failed | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Update Service Principal | Sub Rule | Role Attribute Modified | Account Modified |
| Update Service Principal Failed | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Update User | Sub Rule | User Account Attribute Modified | Account Modified |
| Update User Failed | Sub Rule | Unsuccessful Activity | Other Audit Failure |
| Authentication Success | Sub Rule | User Logon | Authentication Success |
| Authentication Failure | Sub Rule | User Logon Failure | Authentication Failure |
| Add Member to Role | Sub Rule | Account Added to Group | Access Granted |
| Add Member to Group | Sub Rule | Account Added to Group | Access Granted |
| Add Member to Role | Sub Rule | Set Role Success | Other Audit |
| Add Owner to Group | Sub Rule | Ownership Granted | Access Granted |
| Add Group | Sub Rule | Group Created | Account Created |
| Remove Member from Role | Sub Rule | Account Removed from Group | Access Revoked |
| User Account Not Found | Sub Rule | User Not Found | Error |
| Set Group License | Sub Rule | License Allocated | Information |
| Add Member to Role Failed | Sub Rule | General Failed Activity | Failed Activity |
| Remove Member from Role | Sub Rule | General Failed Activity | Failed Activity |
| FlowToken Expired | Sub Rule | Token Not Found | Error |
| Redirected User Login Success | Sub Rule | User Logon | Authentication Success |
| Redirected User Login Failure | Sub Rule | User Logon Failure | Authentication Failure |
| Fault Domain Redirected | Sub Rule | Authentication Failure Activity | Authentication Failure |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| TS | N/A | N/A |
| SESSID | <session> | Text/String |
| COMMAND | <command> | Text/String |
| USERTYPE | <objecttype> | Text/String |
| USERKEY | <login> <domainorigin> | Text/String |
| WORKLOAD | <process> | Text/String |
| RESULTCODE | <result> <tag1> | Text/String |
| OBJECT | <account> | Text/String |
| USER | <subject> | Text/String |
| SIP | <sip> | IP Address |
| EVENTTYPE | <vmid> | Text/String |
| EXTENDEDPROPERTIES "name":"targetName","value":" | <group> | Text/String |
| EXTENDEDPROPERTIES "Name":"Group.DisplayName","NewValue":" | <group> | Text/String |
| MODIFIEDPROPERTIES "name":"role.displayname","newvalue":" | <group> | Text/String |
| MODIFIEDPROPERTIES "name":"RequestType","value":" | <policy> | Text/String |
| APPLICATION | <objectname> | Text/String |
| USERAGENT | <useragent> <object> | Text/String |
| LOGINSTATUS | <tag5> <status> | Text/String |
| USERDOMAIN | N/A | N/A |
| ACTOR | N/A | N/A |
| ACTORCONTEXTID | N/A | N/A |
| ACTORIP | N/A | N/A |
| INTERSYSTEMSID | N/A | N/A |
| INTRASYSTEMSID | N/A | N/A |
| SUPPORTTICKETID | N/A | N/A |
| TARGET | N/A | N/A |
| TARGETCONTEXTID | N/A | N/A |