July 22, 2024


With so many businesses out there and the flexibility afforded by the Microsoft Azure AD service, it’s essential that proper auditing is in place. Azure AD provides two different audit logs that can be queried to track most events that occur in the Azure AD environment. These two logs are the Unified Audit Log and the Admin Audit Log. To pull information from both of these without using the GUI, you will need the Exchange Online module. Though these can also be found in the Azure AD portal, it’s often easiest to script and filter via PowerShell.

Connecting PowerShell via the Exchange Online Module

The Search-UnifiedAuditLog and Search-AdminAuditLog cmdlets are only available in the Exchange cmdlets. The below commands allow you to import the cmdlets from the remote [Microsoft.Exchange] endpoint. This will work in both the older and newer versions of PowerShell, such as PowerShell 7.

What this command does is actually create a proxy module on your local file system in a temp directory. This does serialize the data but generally works well and, in this case, allows viewing of the audit logs.

Retrieving a Unified Audit Log Entry

Using the Search-UnifiedAuditLog command, we can retrieve a specified date range of results. To see what properties are available, we can simply select the first one.

There are a number of entries located here, but let’s break down what properties we see. One big item to note is that AuditData contains a JSON-encoded set of properties that hold even more data.

  • RecordType – This indicates the category that the audit entry belongs to, in this case the Exchange system.
  • CreationDate – The date and time that the record was recorded.
  • UserIds – The user who initiated the event that was recorded.
  • Operations – The operation performed and the command used to perform the operation.
  • AuditData – JSON-encoded set of additional extended properties related to the record.
  • ResultIndex – The number assigned to the returned result set from Search-UnifiedAuditLog.
  • ResultCount – The total number of results from Search-UnifiedAuditLog.
  • Id – The ID assigned to this specific record.

So what about all the values within the AuditData property? We can convert this value from JSON to a readable value to find additional properties that we can use.

Let’s break down what the values here are telling us. There are a number of properties that are identical in value to the original audit object, such as CreationTime, Id, Operation, UserId, and UserKey (this last property is an alternate key, but generally mirrors the UserId). They are omitted from the list below.

  • OrganizationId – The organization that the operation has been run under.
  • RecordType – A number corresponding to a specific audit record type as listed on this documentation page.
  • ResultStatus – Whether or not the operation was successful.
  • UserType – The type of user, such as a system account or administrator.
  • Version – The version of the activity as identified by the operation.
  • Workload – Which Microsoft 365 service originated the activity.
  • ObjectId – Depending on the activity, will list a number of different types of values as documented on the previously listed documentation page.
  • UserId – The user who performed the action.
  • AppId – The ID of the application.
  • ClientAppId – The specific ID of the client that performed the action.
  • ExternalAccess – If true, this was run by Microsoft datacenter personnel or a delegated administrator; typically false if run by the organization.
  • OrganizationName – The GUID of the organization.
  • OriginatingServer – Which server the operation was performed on.
  • Parameters – The name and values of the parameters passed to a cmdlet.

As you can tell, there are many properties that, when properly handled, can provide a wealth of information to auditors or system administrators.
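The AuditData expansion described above, as an added example that is not code from the original article. The sample record is constructed, the function name Expand-AuditRecord is hypothetical, and the live call in the comment assumes a 7-day window.

```powershell
# Constructed sample shaped like one Search-UnifiedAuditLog result (not real tenant data).
# Live equivalent (assumed 7-day window):
#   $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date)
$records = @(
    [pscustomobject]@{
        RecordType   = 'ExchangeAdmin'
        CreationDate = [datetime]'2024-07-01T10:15:00'
        UserIds      = 'admin@contoso.example'
        Operations   = 'Set-Mailbox'
        AuditData    = @'
{"CreationTime":"2024-07-01T10:15:00","Id":"00000000-0000-0000-0000-000000000001",
 "Operation":"Set-Mailbox","OrganizationId":"00000000-0000-0000-0000-0000000000aa",
 "RecordType":1,"ResultStatus":"True","UserType":2,"Workload":"Exchange",
 "ObjectId":"user1","UserId":"admin@contoso.example","ExternalAccess":false,
 "Parameters":[{"Name":"Identity","Value":"user1"},
               {"Name":"AuditEnabled","Value":"True"}]}
'@
    }
)

# Hypothetical helper: turns the JSON in AuditData into one flat object per record.
function Expand-AuditRecord {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        try   { $data = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { Write-Warning "Unparseable AuditData at $($Record.CreationDate)"; return }
        # Collapse the Parameters array into "Name=Value; ..." (foreach skips a missing array)
        $params = @(foreach ($p in $data.Parameters) { "$($p.Name)=$($p.Value)" }) -join '; '
        [pscustomobject]@{
            CreationDate   = $Record.CreationDate
            UserId         = $data.UserId
            Operation      = $data.Operation
            Workload       = $data.Workload
            ResultStatus   = $data.ResultStatus
            ExternalAccess = $data.ExternalAccess
            ObjectId       = $data.ObjectId
            Parameters     = $params
        }
    }
}

$records | Expand-AuditRecord | Format-List
```

The flattened objects can be piped to Export-Csv or Where-Object, which the nested JSON string cannot.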

Retrieving an Admin Audit Log Entry

The admin audit log is a different audit log that shows the PowerShell commands that have been run, which can help you determine what changes were made in the Azure environment. Just like how the first command works, Search-AdminAuditLog is nearly identical.

Just like before, let’s break down what the values here are telling us.

  • SerializationData – Serialized version of the operation.
  • ObjectModified – The object the operation was performed on.
  • CmdletName – The name of the cmdlet that was used to perform the operation.
  • CmdletParameters – The parameters that were used in the operation.
  • ModifiedProperties – What properties changed.
  • Caller – The name or GUID of the originator of the operation.
  • ExternalAccess – If true, this was run by Microsoft datacenter personnel or a delegated administrator; typically false if run by the organization.
  • Succeeded – Whether the operation was successful or not.
  • Error – The error message returned by the cmdlet.
  • RunDate – The date that the operation was run on.
  • OriginatingServer – Which server the cmdlet operation was performed on.
  • ClientIP – The IP address of the client that originated the operation.
  • SessionId – The ID of the session in which the operation was performed.
  • AppId – The ID of the application used to perform the operation.
  • ClientAppId – The client application ID.
  • Id – The identifier assigned to this audit record.
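One way to triage admin audit entries using the properties listed above, as an added example that is not code from the original article. The entries are constructed, the function name Get-AdminAuditFinding is hypothetical, and the live call in the comment assumes a 7-day window.

```powershell
# Constructed sample entries shaped like Search-AdminAuditLog output (not real tenant data).
# Live equivalent (assumed 7-day window):
#   $entries = Search-AdminAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date)
$entries = @(
    [pscustomobject]@{
        ObjectModified = 'user1'; CmdletName = 'Set-Mailbox'; Caller = 'admin@contoso.example'
        CmdletParameters = @([pscustomobject]@{ Name = 'AuditEnabled'; Value = 'True' })
        ExternalAccess = $false; Succeeded = $true; Error = $null
        RunDate = [datetime]'2024-07-01T10:15:00'; ClientIP = '192.0.2.10'
    }
    [pscustomobject]@{
        ObjectModified = 'user2'; CmdletName = 'Remove-Mailbox'; Caller = 'helpdesk@contoso.example'
        CmdletParameters = @([pscustomobject]@{ Name = 'Identity'; Value = 'user2' })
        ExternalAccess = $false; Succeeded = $false; Error = 'Constructed error text'
        RunDate = [datetime]'2024-07-01T11:02:00'; ClientIP = '192.0.2.20'
    }
    [pscustomobject]@{
        ObjectModified = 'contoso.example'; CmdletName = 'Set-OrganizationConfig'; Caller = 'partner-admin'
        CmdletParameters = @()
        ExternalAccess = $true; Succeeded = $true; Error = $null
        RunDate = [datetime]'2024-07-02T08:30:00'; ClientIP = '192.0.2.30'
    }
)

# Hypothetical helper: emits only entries that failed or were run with external access.
function Get-AdminAuditFinding {
    param([Parameter(ValueFromPipeline)] $Entry)
    process {
        $reasons = @()
        # Compare as strings: values serialized through the remote session may arrive as text
        if ("$($Entry.Succeeded)" -ne 'True')      { $reasons += 'FailedOperation' }
        if ("$($Entry.ExternalAccess)" -eq 'True') { $reasons += 'ExternalAccess' }
        if ($reasons.Count -eq 0) { return }   # nothing to review for this entry
        [pscustomobject]@{
            RunDate    = $Entry.RunDate
            Caller     = $Entry.Caller
            ClientIP   = $Entry.ClientIP
            Cmdlet     = $Entry.CmdletName
            Target     = $Entry.ObjectModified
            Parameters = @(foreach ($p in $Entry.CmdletParameters) { "$($p.Name)=$($p.Value)" }) -join '; '
            Reasons    = $reasons -join ','
            Error      = $Entry.Error
        }
    }
}

$entries | Get-AdminAuditFinding | Sort-Object RunDate | Format-Table -AutoSize
```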


There’s a lot of data that the audit logs expose, and understanding that data is essential to making sure that your environment is operating securely. This article doesn’t dive into all the ways to interpret log events; that is a large and varied topic, since every solution has different needs. This will hopefully get you started with a quick understanding of the log structure of Azure AD!

