Entra-AuditLogs

88 operations, identified by OperationName in the audit log.

OperationName | Description
_catch_all | Any Microsoft Entra ID directory audit operation recorded in the AuditLogs table (no specific OperationName filter).
Add app role assignment grant to user | An app role was assigned to a user.
Add app role assignment to service principal | An application (app-only) role assignment was granted to a service principal.
Add application | An application registration was created.
Add conditional access policy | A Conditional Access policy was created.
Add delegated permission grant | An OAuth2 delegated permission grant was created for an application.
Add device | A device object was added to the directory.
Add eligible member (eligible) | A principal was made eligible for a role through PIM.
Add eligible member (permanent) | A principal was assigned a permanent eligible role through PIM.
Add eligible member to role | A principal was made eligible for a directory role via PIM.
Add eligible member to role in PIM completed (permanent) | A permanent PIM role-eligibility assignment completed.
Add group | A new group was created.
Add member to group | A principal was added as a member of a group (including role-assignable groups).
Add member to role | A principal was added as a permanent member of a directory role (privileged role assignment).
Add member to role completed (PIM activation) | A PIM-eligible role activation completed, granting the role for the activation window.
Add member to role in PIM completed (timebound) | A time-bound PIM role assignment completed.
Add member to role in PIM requested (permanent) | A permanent PIM role assignment was requested.
Add member to role outside of PIM (permanent) | A permanent directory-role assignment was made directly, bypassing PIM (no just-in-time activation).
Add member to role request denied (PIM activation) | A PIM role activation request was denied.
Add named location | A named location (IP range) was created for Conditional Access.
Add OAuth2PermissionGrant | An OAuth2 delegated permission grant was created.
Add owner to application | An owner was added to an application registration.
Add owner to group | An owner was added to a group.
Add owner to service principal | An owner was added to a service principal.
Add registered owner to device | A registered owner was added to a device.
Add registered users to device | Registered users were added to a device.
Add role definition | A custom directory role definition was created.
Add service principal | A service principal (enterprise application instance) was created.
Add service principal credentials | Credentials were added to a service principal (common persistence technique).
Add unverified domain | An unverified custom domain was added to the tenant.
Add user | A new user account was created in the directory.
Add verified domain | A verified custom domain was added to the tenant.
Admin deleted security info | An admin removed a user's security info.
Admin registered security info | An admin registered security info on behalf of a user (e.g. Temporary Access Pass).
Admin updated security info | An admin modified a user's security info.
Assigns the caller to user access admin | A Global Administrator elevated access to User Access Administrator over Azure resources.
Authentication Methods Policy Update | The tenant authentication-methods policy was changed.
Bulk invite users - started (bulk) | A bulk guest-invite operation was started.
Change user password | A user changed their own password.
Consent to application | Admin or user consent was granted to an application (illicit-consent-grant target).
Delete application | An application registration was deleted.
Delete conditional access policy | A Conditional Access policy was deleted.
Delete device | A device object was deleted.
Delete group | A group was deleted.
Delete user | A user account was deleted.
Disable account | A user account was disabled.
Disable Strong Authentication | Strong authentication (MFA) was disabled for a user.
Enable account | A user account was enabled.
Hard Delete application | An application registration was permanently deleted (purged from the deleted-items store, not recoverable).
Invite external user | A guest (B2B) user was invited to the tenant.
Invite external user with reset invitation status | A guest user invitation was re-sent/reset.
Read BitLocker key | A BitLocker recovery key was read from the directory.
Redeem external user invite | A guest user redeemed their B2B invitation.
Register device | A device was registered or joined to Entra ID.
Remove member from group | A principal was removed from a group.
Remove member from role | A principal was removed from a directory role.
Remove service principal | A service principal was removed.
Remove service principal credentials | Credentials were removed from a service principal.
Reset user password | An administrator reset a user's password.
Restore application | A soft-deleted application registration was restored.
Restore user | A soft-deleted user account was restored.
Risky user | A user was flagged as risky by Identity Protection.
Set Company Information | Tenant company branding/information was changed.
Set device registration policies | Device registration policies were changed.
Set DirSyncEnabled flag | Directory synchronization was enabled or disabled for the tenant.
Set domain authentication | A domain's authentication type was changed (managed vs federated).
Set federation settings on domain | Federation settings on a domain were changed (federated-trust backdoor technique).
Set force change user password | A user was flagged to change password at next sign-in.
Suspicious activity reported | Suspicious activity was reported for a user (e.g. MFA fraud report).
Update application | An application registration was modified.
Update Application - Certificates and secrets management | Credentials (certificate or client secret) were added or changed on an application.
Update conditional access policy | A Conditional Access policy was modified (tampering can weaken enforcement).
Update device | A device object was modified.
Update group | A group's properties were modified.
Update named location | A named location was modified.
Update role definition | A custom directory role definition was modified.
Update role setting in PIM | PIM role settings (activation duration, approval, MFA requirement) were changed.
Update StsRefreshTokenValidFrom Timestamp | A user's refresh tokens were invalidated (revoke sessions); also set silently by some attacks.
Update user | A user account attribute was modified.
Update User Risk and MFA Registration Policy | The user-risk or MFA-registration policy was changed.
User changed default security info | A user changed their default authentication method.
User deleted security info | A user removed one of their authentication methods.
User has elevated their access to User Access Administrator for their Azure Resources | A Global Administrator elevated access to manage all Azure subscriptions (root-scope RBAC).
User registered security info | A user registered an authentication method (MFA/SSPR security info).
User reviewed security info | A user reviewed their registered security info.
User Risk Detection | Identity Protection raised a user-risk detection.
Verify domain | A custom domain was verified.
Verify email verified domain | An email-verified domain was verified.

_catch_all: Entra ID audit event (any operation)

Provider: Entra-AuditLogs
Description: Any Microsoft Entra ID directory audit operation recorded in the AuditLogs table (no specific OperationName filter).

Fields

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Category | eq | RoleManagement | 8 rules | kusto, sigma
Result | eq | success | 8 rules | kusto
key | eq | User-Agent | 6 rules | kusto
type | eq | Policy | 6 rules | kusto
AADOperationType | in | Assign | 5 rules | kusto
AADOperationType | in | AssignEligibleRole | 4 rules | kusto
OperationName | contains | certificates and secrets management | 5 rules | kusto
OperationName | contains | add service principal | 4 rules | kusto
OperationName | contains | update a partner cross-tenant access setting | 4 rules | kusto
azure_ad::activity_display_name | contains | add eligible member to role | 5 rules | kusto
azure_ad::activity_display_name | contains | add member to role | 5 rules | kusto
displayName | contains | @ | 5 rules | kusto
displayName | eq | KeyDescription | 5 rules | kusto
displayName | eq | Role.DisplayName | 5 rules | kusto
userPrincipalName | contains | @ | 5 rules | kusto

Detection Rules

Elastic

  • Entra ID Sign-in BloodHound Suite User-Agent Detected (severity: medium): Identifies potential enumeration activity using AzureHound, SharpHound, or BloodHound across Microsoft cloud services. These tools are often used by red teamers and adversaries to map users, groups, roles, applications, and access relationships within Microsoft Entra ID (Azure AD) and Microsoft 365.
  • Entra ID Kali365 Default User-Agent Detected (severity: high): Identifies the default user agent string associated with Kali365 (also referred to as Kali365 Live), a phishing-as-a-service (PhaaS) platform that automates OAuth 2.0 device code phishing and adversary-in-the-middle (AiTM) session capture against Microsoft 365 and Microsoft Entra ID. The Kali365 Electron desktop client identifies itself with the user agent kali365-live/1.0.0 when polling for and replaying captured OAuth tokens, so its appearance in Entra ID sign-in logs, Entra ID audit logs, or the Microsoft 365 unified audit log indicates that an attacker-controlled Kali365 client is interacting with the tenant using stolen tokens. Unlike dual-use offensive tooling, Kali365 is a criminal service with no legitimate enterprise use, making this user agent a high-fidelity indicator of active account compromise.

Kusto

27 rules reference this event.

Add app role assignment grant to user

Provider: Entra-AuditLogs
Description: An app role was assigned to a user.

Fields

Same column schema as _catch_all above: OperationName, ActivityDisplayName, Category, LoggedByService, Result, ResultReason, InitiatedBy, TargetResources, AdditionalDetails, CorrelationId, TimeGenerated.

Add app role assignment to service principal

Provider: Entra-AuditLogs
Description: An application (app-only) role assignment was granted to a service principal.

Fields

Same column schema as _catch_all above: OperationName, ActivityDisplayName, Category, LoggedByService, Result, ResultReason, InitiatedBy, TargetResources, AdditionalDetails, CorrelationId, TimeGenerated.

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Category | eq | ApplicationManagement | 2 rules | kusto
Category | eq | RoleManagement | 1 rule | kusto, sigma
OperationName | contains | certificates and secrets management | 1 rule | kusto
OperationName | contains | update application | 1 rule | kusto
OperationName | eq | Add app role assignment to service principal | 2 rules | kusto
PermissionGrant | contains | rolemanagement.readwrite.directory | 2 rules | kusto
azure_ad::logged_by_service | eq | Core Directory | 2 rules | kusto, sigma
displayName | eq | AppRole.Value | 2 rules | kusto
displayName | eq | ServicePrincipal.DisplayName | 2 rules | kusto
displayName | eq | ServicePrincipal.ObjectID | 2 rules | kusto
displayName | eq | DelegatedPermissionGrant.Scope | 1 rule | kusto
displayName | is_not_null | | 1 rule | kusto
TargetResources_0_modifiedProperties | is_not_null | | 1 rule | kusto
azure_ad::activity_display_name | eq | Add service principal | 1 rule | elastic, kusto
azure_ad::modified_properties_new | gt | 0 | 1 rule | kusto

Detection Rules

Kusto

4 rules reference this event.

Add application

Provider: Entra-AuditLogs
Description: An application registration was created.

Fields

Same column schema as _catch_all above: OperationName, ActivityDisplayName, Category, LoggedByService, Result, ResultReason, InitiatedBy, TargetResources, AdditionalDetails, CorrelationId, TimeGenerated.

Detection Rules

YARA-L

  • Entra ID Application Creation: Application creation can be legitimate, but applications aren't created frequently. Validating application creation may be appropriate to ensure rogue apps aren't being created.

Add conditional access policy

Provider: Entra-AuditLogs
Description: A Conditional Access policy was created.

Fields

Same column schema as _catch_all above: OperationName, ActivityDisplayName, Category, LoggedByService, Result, ResultReason, InitiatedBy, TargetResources, AdditionalDetails, CorrelationId, TimeGenerated.

Detection Rules

Kusto

Add delegated permission grant

Provider: Entra-AuditLogs
Description: An OAuth2 delegated permission grant was created for an application.

Fields

Same column schema as _catch_all above: OperationName, ActivityDisplayName, Category, LoggedByService, Result, ResultReason, InitiatedBy, TargetResources, AdditionalDetails, CorrelationId, TimeGenerated.

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Category | eq | ApplicationManagement | 4 rules | kusto
azure_ad::logged_by_service | eq | Core Directory | 4 rules | kusto, sigma
azure_ad::modified_properties_new | contains | addresstype | 3 rules | kusto
azure_ad::modified_properties_new | gt | 0 | 4 rules | kusto
displayName | eq | AppAddress | 3 rules | kusto
displayName | eq | ConsentAction.Permissions | 3 rules | kusto
displayName | is_not_null | | 4 rules | kusto
type | eq | ServicePrincipal | 4 rules | kusto
GrantConsentType | ne | AllPrincipals | 3 rules | kusto
OperationName | eq | Add OAuth2PermissionGrant | 3 rules | kusto
OperationName | eq | Add delegated permission grant | 3 rules | kusto
OperationName | eq | Add service principal | 3 rules | kusto
OperationName | eq | Consent to application | 3 rules | kusto
ConsentFull | contains | files.read | 2 rules | kusto
ConsentFull | contains | files.read.all | 2 rules | kusto

Detection Rules

Kusto

4 rules reference this event.

Add device

Provider: Entra-AuditLogs
Description: A device object was added to the directory.

Fields

Same column schema as _catch_all above: OperationName, ActivityDisplayName, Category, LoggedByService, Result, ResultReason, InitiatedBy, TargetResources, AdditionalDetails, CorrelationId, TimeGenerated.

Detection Rules

Elastic

  • Entra ID Device Registration with ROADtools Default OS Build (severity: medium): Identifies a Microsoft Entra ID device registration where the recorded cloud device operating system build is "10.0.19041.928" and the device display name follows the default "DESKTOP-" pattern. This combination is the default device profile that ROADtools (roadtx) uses when registering a device, and it is uncommon for the OS build to match the hardcoded value across an environment of otherwise patched hosts. Adversaries register rogue devices in Entra ID to acquire a Primary Refresh Token (PRT), establish persistence, and obtain trusted, programmatic access to the tenant. Because the OS build is a tool default, this is a high-fidelity but evadable indicator; baseline approved provisioning tooling and device naming conventions before relying on it.
  • Entra ID Unusual Cloud Device Registration (severity: medium): Detects a sequence of events in Microsoft Entra ID indicative of suspicious cloud-based device registration via automated tooling like ROADtools or similar frameworks. This behavior involves adding a device via the Device Registration Service, followed by the assignment of registered users and owners, a pattern consistent with techniques used to establish persistence or acquire a Primary Refresh Token (PRT). ROADtools and similar tooling leave distinct telemetry signatures such as the Microsoft.OData.Client user agent. These sequences are uncommon in typical user behavior and may reflect abuse of device trust for session hijacking or silent token replay. (Also matches: Add registered owner to device, Add registered users to device.)

Add eligible member (eligible)

Provider: Entra-AuditLogs
Description: A principal was made eligible for a role through PIM.

Fields

Same column schema as _catch_all above: OperationName, ActivityDisplayName, Category, LoggedByService, Result, ResultReason, InitiatedBy, TargetResources, AdditionalDetails, CorrelationId, TimeGenerated.

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
OperationName | in | Add member to role | 1 rule | kusto
RoleName | contains | admin | 1 rule | kusto
displayName | eq | Role.DisplayName | 1 rule | kusto

Detection Rules

Kusto

Add eligible member (permanent)

Provider: Entra-AuditLogs
Description: A principal was assigned a permanent eligible role through PIM.

Fields

Same column schema as _catch_all above: OperationName, ActivityDisplayName, Category, LoggedByService, Result, ResultReason, InitiatedBy, TargetResources, AdditionalDetails, CorrelationId, TimeGenerated.

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
OperationName | in | Add member to role | 1 rule | kusto
RoleName | contains | admin | 1 rule | kusto
displayName | eq | Role.DisplayName | 1 rule | kusto

Detection Rules

Kusto

Add eligible member to role

Provider: Entra-AuditLogs
Description: A principal was made eligible for a directory role via PIM.

Fields

Same column schema as _catch_all above: OperationName, ActivityDisplayName, Category, LoggedByService, Result, ResultReason, InitiatedBy, TargetResources, AdditionalDetails, CorrelationId, TimeGenerated.

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Category | eq | RoleManagement | 2 rules | kusto, sigma
GroupName | in | PrivilegedAuthenticationAdmins | 2 rules | kusto
GroupName | in | PrivilegedRoleAdmins | 2 rules | kusto
GroupName | in | TenantAdmins | 2 rules | kusto
GroupName | in | UserAccountAdmins | 2 rules | kusto
OperationName | in | Add eligible member to role | 2 rules | kusto
OperationName | in | Add member to role | 2 rules | kusto
displayName | eq | Role.WellKnownObjectName | 2 rules | kusto

Detection Rules

Kusto

Add eligible member to role in PIM completed (permanent)

Provider: Entra-AuditLogs
Description: A permanent PIM role-eligibility assignment completed.

Fields

Same column schema as _catch_all above: OperationName, ActivityDisplayName, Category, LoggedByService, Result, ResultReason, InitiatedBy, TargetResources, AdditionalDetails, CorrelationId, TimeGenerated.

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
azure.auditlogs.properties.category | eq | RoleManagement | 1 rule | elastic

Detection Rules

Elastic

Add group

Provider: Entra-AuditLogs
Description: A new group was created.

Fields

Same column schema as _catch_all above: OperationName, ActivityDisplayName, Category, LoggedByService, Result, ResultReason, InitiatedBy, TargetResources, AdditionalDetails, CorrelationId, TimeGenerated.

Add member to group

Provider: Entra-AuditLogs
Description: A principal was added as a member of a group (including role-assignable groups).

Fields

Same column schema as _catch_all above: OperationName, ActivityDisplayName, Category, LoggedByService, Result, ResultReason, InitiatedBy, TargetResources, AdditionalDetails, CorrelationId, TimeGenerated.

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
displayName | eq | Group.DisplayName | 2 rules | kusto

Detection Rules

Kusto

Add member to role

Provider
Entra-AuditLogs

Description

A principal was added as a permanent member of a directory role (privileged role assignment).

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Category | eq | RoleManagement | 5 rules | kusto, sigma
type | eq | User | 5 rules | kusto
OperationName | contains | add member to role outside of pim | 2 rules | kusto
OperationName | eq | Add member to role | 2 rules | kusto
OperationName | in | Add member to role | 4 rules | kusto
OperationName | in | Add eligible member to role | 2 rules | kusto
GroupName | in | PrivilegedRoleAdmins | 3 rules | kusto
GroupName | in | TenantAdmins | 3 rules | kusto
GroupName | in | UserAccountAdmins | 3 rules | kusto
GroupName | in | PrivilegedAuthenticationAdmins | 2 rules | kusto
displayName | eq | Role.WellKnownObjectName | 3 rules | kusto
Identity | ne | MS-PIM | 2 rules | kusto
Identity | ne | MS-PIM-Fairfax | 2 rules | kusto
azure_ad::logged_by_service | eq | Core Directory | 2 rules | kusto, sigma
RoleName | contains | admin | 1 rule | kusto

Detection Rules

Elastic

  • Entra ID Global Administrator Role Assigned source high: In Microsoft Entra ID, permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Microsoft Entra ID and services that use Microsoft Entra ID identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources. They can also elevate privilege to User Access Administrator to pivot into Azure resources.

Kusto

YARA-L

Add member to role completed (PIM activation)

Provider
Entra-AuditLogs

Description

A PIM-eligible role activation completed, granting the role for the activation window.

Detection Rules

Kusto

Add member to role in PIM completed (timebound)

Provider
Entra-AuditLogs

Description

A time-bound PIM role assignment completed.

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
azure.auditlogs.properties.category | eq | RoleManagement | 1 rule | elastic

Detection Rules

Elastic

Add member to role in PIM requested (permanent)

Provider
Entra-AuditLogs

Description

A permanent PIM role assignment was requested.

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Category | eq | RoleManagement | 1 rule | kusto, sigma
GroupName | in | PrivilegedRoleAdmins | 1 rule | kusto
GroupName | in | TenantAdmins | 1 rule | kusto
GroupName | in | UserAccountAdmins | 1 rule | kusto
OperationName | in | Add member to role | 1 rule | kusto
displayName | eq | Role.WellKnownObjectName | 1 rule | kusto

Detection Rules

Kusto

Add member to role outside of PIM (permanent)

Provider
Entra-AuditLogs

Description

A permanent directory-role assignment was made directly, bypassing PIM (no just-in-time activation).

Detection Rules

YARA-L

Add member to role request denied (PIM activation)

Provider
Entra-AuditLogs

Description

A PIM role activation request was denied.

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
azure_ad::activity_display_name | eq | Add member to role request denied (PIM activation) | 2 rules | kusto
type | eq | Role | 2 rules | kusto
user | is_not_null | | 2 rules | elastic, kusto, splunk

Detection Rules

Kusto

Add named location

Provider
Entra-AuditLogs

Description

A named location (IP range) was created for Conditional Access.

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
displayName | eq | Group.DisplayName | 1 rule | kusto

Detection Rules

Kusto

Add OAuth2PermissionGrant

Provider
Entra-AuditLogs

Description

An OAuth2 delegated permission grant was created.

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Category | eq | ApplicationManagement | 3 rules | kusto
GrantConsentType | ne | AllPrincipals | 3 rules | kusto
OperationName | eq | Add OAuth2PermissionGrant | 3 rules | kusto
OperationName | eq | Add delegated permission grant | 3 rules | kusto
OperationName | eq | Add service principal | 3 rules | kusto
OperationName | eq | Consent to application | 3 rules | kusto
azure_ad::logged_by_service | eq | Core Directory | 3 rules | kusto, sigma
azure_ad::modified_properties_new | contains | addresstype | 3 rules | kusto
azure_ad::modified_properties_new | gt | 0 | 3 rules | kusto
displayName | eq | AppAddress | 3 rules | kusto
displayName | eq | ConsentAction.Permissions | 3 rules | kusto
displayName | is_not_null | | 3 rules | kusto
type | eq | ServicePrincipal | 3 rules | kusto
ConsentFull | contains | files.read | 2 rules | kusto
ConsentFull | contains | files.read.all | 2 rules | kusto

Detection Rules

Kusto

Add owner to application

Provider
Entra-AuditLogs

Description

An owner was added to an application registration.

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Category | eq | ApplicationManagement | 1 rule | kusto

Detection Rules

Elastic

  • Entra ID User Added as Registered Application Owner source low: Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner for an Azure application in order to grant additional permissions and modify the application's configuration using another account.

Kusto

Add owner to group

Provider
Entra-AuditLogs

Description

An owner was added to a group.

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
displayName | eq | Group.DisplayName | 1 rule | kusto

Detection Rules

Kusto

Add owner to service principal

Provider
Entra-AuditLogs

Description

An owner was added to a service principal.

Detection Rules

Elastic

  • Entra ID User Added as Service Principal Owner source low: Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what the application can do in the specific tenant, who can access the application, and what resources the app can access. A service principal object is created when an application is given permission to access resources in a tenant. An adversary may add a user account as an owner for a service principal and use that account in order to define what an application can do in the Azure AD tenant.

Add registered owner to device

Provider
Entra-AuditLogs

Description

A registered owner was added to a device.

Detection Rules

Elastic

  • Entra ID Unusual Cloud Device Registration source medium: Detects a sequence of events in Microsoft Entra ID indicative of suspicious cloud-based device registration via automated tooling like ROADtools or similar frameworks. This behavior involves adding a device via the Device Registration Service, followed by the assignment of registered users and owners — a pattern consistent with techniques used to establish persistence or acquire a Primary Refresh Token (PRT). ROADtools and similar tooling leave distinct telemetry signatures such as the Microsoft.OData.Client user agent. These sequences are uncommon in typical user behavior and may reflect abuse of device trust for session hijacking or silent token replay.↳ also matches Add device, Add registered users to device

Add registered users to device

Provider
Entra-AuditLogs

Description

Registered users were added to a device.

Detection Rules

Elastic

  • Entra ID Unusual Cloud Device Registration source medium: Detects a sequence of events in Microsoft Entra ID indicative of suspicious cloud-based device registration via automated tooling like ROADtools or similar frameworks. This behavior involves adding a device via the Device Registration Service, followed by the assignment of registered users and owners — a pattern consistent with techniques used to establish persistence or acquire a Primary Refresh Token (PRT). ROADtools and similar tooling leave distinct telemetry signatures such as the Microsoft.OData.Client user agent. These sequences are uncommon in typical user behavior and may reflect abuse of device trust for session hijacking or silent token replay.↳ also matches Add device, Add registered owner to device

Add role definition

Provider
Entra-AuditLogs

Description

A custom directory role definition was created.

Add service principal

Provider
Entra-AuditLogs

Description

A service principal (enterprise application instance) was created.

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Category | eq | ApplicationManagement | 3 rules | kusto
GrantConsentType | ne | AllPrincipals | 3 rules | kusto
OperationName | eq | Add OAuth2PermissionGrant | 3 rules | kusto
OperationName | eq | Add delegated permission grant | 3 rules | kusto
OperationName | eq | Add service principal | 3 rules | kusto
OperationName | eq | Consent to application | 3 rules | kusto
azure_ad::logged_by_service | eq | Core Directory | 3 rules | kusto, sigma
azure_ad::modified_properties_new | contains | addresstype | 3 rules | kusto
azure_ad::modified_properties_new | gt | 0 | 3 rules | kusto
displayName | eq | AppAddress | 3 rules | kusto
displayName | eq | ConsentAction.Permissions | 3 rules | kusto
displayName | is_not_null | | 3 rules | kusto
type | eq | ServicePrincipal | 3 rules | kusto
ConsentFull | contains | files.read | 2 rules | kusto
ConsentFull | contains | files.read.all | 2 rules | kusto

Detection Rules

Elastic

  • Entra ID Service Principal Created source low: Identifies when a new service principal is added in Microsoft Entra ID. An application, hosted service, or automated tool that accesses or modifies resources needs an identity created. This identity is known as a service principal. For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.

Kusto

Add service principal credentials

Provider
Entra-AuditLogs

Description

Credentials were added to a service principal (common persistence technique).

Common Indicators

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
OperationName | eq | Consent to application | 1 rule | kusto
displayName | eq | ConsentAction.Permissions | 1 rule | kusto
displayName | eq | Included Updated Properties | 1 rule | kusto
displayName | eq | KeyDescription | 1 rule | kusto
displayName | eq | TargetId.ServicePrincipalNames | 1 rule | kusto
type | eq | ServicePrincipal | 1 rule | kusto

Detection Rules #

Elastic #

  • Entra ID Service Principal Credentials Created by Unusual User source medium: Identifies when new Service Principal credentials have been added in Microsoft Entra ID. In most organizations, credentials will be added to service principals infrequently. Hijacking an application (by adding a rogue secret or certificate) with granted permissions will allow the attacker to access data that is normally protected by MFA requirements.

Kusto #

References #

Add unverified domain #

Provider
Entra-AuditLogs

Description

An unverified custom domain was added to the tenant.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Result | eq | success | 2 rules | kusto
ResultType | eq | 0 | 1 rule | kusto, sigma
azure.auditlogs.properties.category | eq | DirectoryManagement | 1 rule | elastic

Detection Rules #

Elastic #

  • Entra ID Custom Domain Added or Verified source low: Detects when a custom domain is added or verified in an Entra ID tenant. Adding and verifying a custom domain are precursor steps to configuring domain federation, which can be abused by adversaries to route authentication through an attacker-controlled identity provider (Golden SAML). In most organizations, custom domains are added infrequently and these events should be investigated to ensure they are part of a legitimate administrative workflow. ↳ also matches Verify domain

Kusto #

  • Possible SignIn from Azure Backdoor source medium: Identifies when a user adds an unverified domain as an authentication method, followed by a sign-in from a user in the newly added domain. Threat actors may add custom domains to create a backdoor to your tenant. It's important to monitor whenever custom domains are added to the tenant.
  • New onmicrosoft domain added to tenant source medium: This detection looks for new onmicrosoft domains being added to a tenant. An attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing campaigns. Domain additions are not a common occurrence and users should validate that the domain was added by a legitimate user, with a legitimate purpose. ↳ also matches Add verified domain

References #

Add user #

Provider
Entra-AuditLogs

Description

A new user account was created in the directory.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
OperationName | eq | Add user | 4 rules | kusto
OperationName | eq | Delete user | 2 rules | kusto
Result | eq | success | 3 rules | kusto

Detection Rules #

Kusto #

YARA-L #

References #

Add verified domain #

Provider
Entra-AuditLogs

Description

A verified custom domain was added to the tenant.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Detection Rules #

Kusto #

  • New onmicrosoft domain added to tenant source medium: This detection looks for new onmicrosoft domains being added to a tenant. An attacker who compromises a tenant may register a new onmicrosoft domain in order to masquerade as a service provider for launching phishing campaigns. Domain additions are not a common occurrence and users should validate that the domain was added by a legitimate user, with a legitimate purpose. ↳ also matches Add unverified domain

References #

Admin deleted security info #

Provider
Entra-AuditLogs

Description

An admin removed a user's security info.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Category | eq | UserManagement | 3 rules | kusto, sigma
azure_ad::activity_display_name | in | Admin deleted security info | 2 rules | kusto
azure_ad::activity_display_name | in | Admin registered security info | 2 rules | kusto
azure_ad::activity_display_name | in | Admin updated security info | 2 rules | kusto
azure_ad::activity_display_name | in | User changed default security info | 2 rules | kusto
azure_ad::activity_display_name | in | User deleted security info | 2 rules | kusto
azure_ad::activity_display_name | in | User registered security info | 2 rules | kusto
azure_ad::activity_display_name | in | User reviewed security info | 2 rules | kusto
type | eq | User | 2 rules | kusto
azure_ad::target_user_upn | eq | VIPUsers | 1 rule | kusto

Detection Rules #

Kusto #

References #

Admin registered security info #

Provider
Entra-AuditLogs

Description

An admin registered security info on behalf of a user (e.g. Temporary Access Pass).

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Category | eq | UserManagement | 3 rules | kusto, sigma
azure_ad::activity_display_name | in | Admin deleted security info | 2 rules | kusto
azure_ad::activity_display_name | in | Admin registered security info | 2 rules | kusto
azure_ad::activity_display_name | in | Admin updated security info | 2 rules | kusto
azure_ad::activity_display_name | in | User changed default security info | 2 rules | kusto
azure_ad::activity_display_name | in | User deleted security info | 2 rules | kusto
azure_ad::activity_display_name | in | User registered security info | 2 rules | kusto
azure_ad::activity_display_name | in | User reviewed security info | 2 rules | kusto
type | eq | User | 2 rules | kusto
azure_ad::target_user_upn | eq | VIPUsers | 1 rule | kusto
azure_ad::target_user_upn | eq | admin_users | 1 rule | kusto

Detection Rules #

Kusto #

References #

Admin updated security info #

Provider
Entra-AuditLogs

Description

An admin modified a user's security info.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Category | eq | UserManagement | 3 rules | kusto, sigma
azure_ad::activity_display_name | in | Admin deleted security info | 2 rules | kusto
azure_ad::activity_display_name | in | Admin registered security info | 2 rules | kusto
azure_ad::activity_display_name | in | Admin updated security info | 2 rules | kusto
azure_ad::activity_display_name | in | User changed default security info | 2 rules | kusto
azure_ad::activity_display_name | in | User deleted security info | 2 rules | kusto
azure_ad::activity_display_name | in | User registered security info | 2 rules | kusto
azure_ad::activity_display_name | in | User reviewed security info | 2 rules | kusto
type | eq | User | 2 rules | kusto
azure_ad::target_user_upn | eq | VIPUsers | 1 rule | kusto

Detection Rules #

Kusto #

References #

Assigns the caller to user access admin #

Provider
Entra-AuditLogs

Description

A Global Administrator elevated access to User Access Administrator over Azure resources.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Detection Rules #

Sigma #

  • Azure Subscription Permission Elevation Via AuditLogs source high: Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

References #

Authentication Methods Policy Update #

Provider
Entra-AuditLogs

Description

The tenant authentication-methods policy was changed.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Detection Rules #

Sigma #

References #

Bulk invite users - started (bulk) #

Provider
Entra-AuditLogs

Description

A bulk guest-invite operation was started.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Detection Rules #

Kusto #

References #

Change user password #

Provider
Entra-AuditLogs

Description

A user changed their own password.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

References #

Consent to application #

Provider
Entra-AuditLogs

Delete application #

Provider
Entra-AuditLogs

Description

An application registration was deleted.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Detection Rules #

YARA-L #

References #

Delete conditional access policy #

Provider
Entra-AuditLogs

Description

A Conditional Access policy was deleted.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
displayName | eq | Group.DisplayName | 1 rule | kusto

Detection Rules #

Kusto #

References #

Delete device #

Provider
Entra-AuditLogs

Description

A device object was deleted.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

References #

Delete group #

Provider
Entra-AuditLogs

Description

A group was deleted.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Detection Rules #

YARA-L #

References #

Delete user #

Provider
Entra-AuditLogs

Description

A user account was deleted.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
OperationName | eq | Delete user | 3 rules | kusto
OperationName | eq | Add user | 2 rules | kusto
type | eq | User | 2 rules | kusto
ResultType | eq | 0 | 1 rule | kusto, sigma

Detection Rules #

Kusto #

References #

Disable account #

Provider
Entra-AuditLogs

Description

A user account was disabled.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

References #

Disable Strong Authentication #

Provider
Entra-AuditLogs

Description

Strong authentication (MFA) was disabled for a user.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
azure.auditlogs.properties.additional_details.key | eq | AuthenticationMethod | 1 rule | elastic

Detection Rules #

Elastic #

Kusto #

References #

Enable account #

Provider
Entra-AuditLogs

Description

A user account was enabled.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

References #

Hard Delete application #

Provider
Entra-AuditLogs

Description

An application registration was permanently deleted (purged from the deleted-items store, not recoverable).

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Detection Rules #

YARA-L #

References #

Invite external user

Provider
Entra-AuditLogs

Description

A guest (B2B) user was invited to the tenant.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
OperationName | eq | Invite external user | 4 rules | kusto, sigma
Result | eq | success | 3 rules | kusto
Category | eq | UserManagement | 2 rules | kusto, sigma
Category | eq | RoleManagement | 1 rule | kusto, sigma
AADOperationType | in | Assign | 1 rule | kusto
AADOperationType | in | AssignEligibleRole | 1 rule | kusto
Initiator | ne | MS-PIM | 1 rule | kusto
Initiator | ne | MS-PIM-Fairfax | 1 rule | kusto
RoleName | contains | admin | 1 rule | kusto
azure_ad::activity_display_name | contains | add eligible member to role | 1 rule | kusto
azure_ad::activity_display_name | contains | add member to role | 1 rule | kusto
displayName_ | eq | Role.DisplayName | 1 rule | kusto

Detection Rules #

Sigma #

Elastic #

  • Entra ID External Guest User Invited (severity: low): Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice to avoid creating guest users. Guest users could potentially be overlooked indefinitely, leading to a potential vulnerability.

Kusto #

References #

Invite external user with reset invitation status

Provider
Entra-AuditLogs

Description

A guest user invitation was re-sent/reset.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Detection Rules #

Kusto #

References #

Read BitLocker key

Provider
Entra-AuditLogs

Description

A BitLocker recovery key was read from the directory.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Detection Rules #

Sigma #

References #

Redeem external user invite

Provider
Entra-AuditLogs

Description

A guest user redeemed their B2B invitation.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
AADOperationType | in | Assign | 1 rule | kusto
AADOperationType | in | AssignEligibleRole | 1 rule | kusto
Category | eq | RoleManagement | 1 rule | kusto, sigma
Initiator | ne | MS-PIM | 1 rule | kusto
Initiator | ne | MS-PIM-Fairfax | 1 rule | kusto
OperationName | eq | Invite external user | 1 rule | kusto, sigma
RoleName | contains | admin | 1 rule | kusto
azure_ad::activity_display_name | contains | add eligible member to role | 1 rule | kusto
azure_ad::activity_display_name | contains | add member to role | 1 rule | kusto
displayName_ | eq | Role.DisplayName | 1 rule | kusto

Detection Rules #

Kusto #

  • New External User Granted Admin Role (severity: medium): This query will detect instances where a newly invited external user is granted an administrative role. By default this query will alert on any granted administrative role; however, this can be modified using the roles variable if false positives occur in your environment. The maximum delta between invite and escalation to admin is 60 minutes; this can be configured using the deltaBetweenInviteEscalation variable. (Also matches Invite external user.)

References #

Register device

Provider
Entra-AuditLogs

Description

A device was registered or joined to Entra ID.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
EventType | eq | Register device | 2 rules | elastic

Detection Rules #

Elastic #

  • Entra ID Register Device with Unusual User Agent (Azure AD Join) (severity: medium): Detects successful Microsoft Entra ID audit events for Register device where additional details indicate an Azure AD join and the recorded user agent is not one of the common native registration clients (Dsreg, DeviceRegistrationClient, or Dalvik-based Android enrollment). Legitimate Windows and standard mobile enrollment flows often present predictable user-agent strings; unexpected clients may reflect scripted registration, third-party tooling, or adversary-driven device registration used for persistence or token abuse. Baseline approved provisioning tools and MDM integrations before tuning.
  • Entra ID Protection User Alert and Device Registration (severity: high): Identifies a sequence of events where a Microsoft Entra ID Protection alert is followed by an attempt to register a new device by the same user principal. This behavior may indicate an adversary using a compromised account to register a device, potentially leading to unauthorized access to resources or persistence in the environment.

References #

Remove member from group

Provider
Entra-AuditLogs

Description

A principal was removed from a group.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
displayName | eq | Group.DisplayName | 1 rule | kusto

Detection Rules #

Kusto #

References #

Remove member from role

Provider
Entra-AuditLogs

Description

A principal was removed from a directory role.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

References #

Remove service principal

Provider
Entra-AuditLogs

Description

A service principal was removed.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
OperationName | contains | certificates and secrets management | 1 rule | kusto
OperationName | contains | update application | 1 rule | kusto
azure_ad::activity_display_name | eq | Add service principal | 1 rule | elastic, kusto

Detection Rules #

Kusto #

References #

Remove service principal credentials

Provider
Entra-AuditLogs

Description

Credentials were removed from a service principal.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

References #

Reset user password

Provider
Entra-AuditLogs

Description

An administrator reset a user's password.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

References #

Restore application

Provider
Entra-AuditLogs

Description

A soft-deleted application registration was restored.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Detection Rules #

YARA-L #

References #

Restore user

Provider
Entra-AuditLogs

Description

A soft-deleted user account was restored.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

References #

Risky user

Provider
Entra-AuditLogs

Description

A user was flagged as risky by Identity Protection.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Detection Rules #

Elastic #

References #

Set Company Information

Provider
Entra-AuditLogs

Description

Tenant company branding/information was changed.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Detection Rules #

Sigma #

References #

Set device registration policies

Provider
Entra-AuditLogs

Description

Device registration policies were changed.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Category | eq | Policy | 1 rule | sigma

Detection Rules #

Sigma #

References #

Set DirSyncEnabled flag

Provider
Entra-AuditLogs

Description

Directory synchronization was enabled or disabled for the tenant.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

References #

Set domain authentication

Provider
Entra-AuditLogs

Description

A domain's authentication type was changed (managed vs federated).

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
OperationName | eq | Set domain authentication | 2 rules | kusto
OperationName | eq | Set federation settings on domain | 2 rules | kusto
displayName | eq | LiveType | 2 rules | kusto
key | eq | User-Agent | 2 rules | kusto
azure.auditlogs.properties.category | eq | DirectoryManagement | 1 rule | elastic

Detection Rules #

Elastic #

  • Entra ID Domain Federation Configuration Change (severity: high): Detects when domain federation settings are configured or modified in an Entra ID tenant via the Microsoft Graph API. Adversaries with Global Administrator or Domain Administrator privileges may add a custom domain, verify ownership, and configure it to federate authentication with an attacker-controlled identity provider. Once federated, the adversary can forge SAML or WS-Federation tokens to authenticate as any user under that domain, bypassing MFA and conditional access policies. This technique, commonly known as Golden SAML, was used by UNC2452 (APT29) during the SolarWinds campaign for persistent, stealthy access to victim tenants. (Also matches Set federation settings on domain.)

Kusto #

References #

Set federation settings on domain

Provider
Entra-AuditLogs

Description

Federation settings on a domain were changed (the operation abused by the federated-trust backdoor technique).

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
OperationName | eq | Set domain authentication | 2 rules | kusto
OperationName | eq | Set federation settings on domain | 2 rules | kusto
displayName | eq | LiveType | 2 rules | kusto
key | eq | User-Agent | 2 rules | kusto
azure.auditlogs.properties.category | eq | DirectoryManagement | 1 rule | elastic

Detection Rules #

Sigma #

Elastic #

  • Entra ID Domain Federation Configuration Change (severity: high): Detects when domain federation settings are configured or modified in an Entra ID tenant via the Microsoft Graph API. Adversaries with Global Administrator or Domain Administrator privileges may add a custom domain, verify ownership, and configure it to federate authentication with an attacker-controlled identity provider. Once federated, the adversary can forge SAML or WS-Federation tokens to authenticate as any user under that domain, bypassing MFA and conditional access policies. This technique, commonly known as Golden SAML, was used by UNC2452 (APT29) during the SolarWinds campaign for persistent, stealthy access to victim tenants. (Also matches: Set domain authentication)

Kusto #

Set force change user password

Provider
Entra-AuditLogs

Description

A user was flagged to change password at next sign-in.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Suspicious activity reported

Provider
Entra-AuditLogs

Description

Suspicious activity was reported for a user (e.g. MFA fraud report).

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
azure.auditlogs.properties.additional_details.key | eq | AuthenticationMethod | 1 rule | elastic

Detection Rules #

Elastic #

  • Entra ID User Reported Suspicious Activity (severity: medium): Identifies suspicious activity reported by users in Microsoft Entra ID where users have reported suspicious activity related to their accounts, which may indicate potential compromise or unauthorized access attempts. Reported suspicious activity typically occurs during the authentication process and may involve various authentication methods, such as password resets, account recovery, or multi-factor authentication challenges. Adversaries may attempt to exploit user accounts by leveraging social engineering techniques or other methods to gain unauthorized access to sensitive information or resources.

Update application

Provider
Entra-AuditLogs

Description

An application registration was modified.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
AddedUrls | gt | 0 | 2 rules | kusto
Category | eq | ApplicationManagement | 2 rules | kusto
Details | is_not_null | | 2 rules | elastic, kusto, splunk
Key | is_not_null | | 2 rules | kusto
OperationName | eq | Update Application | 2 rules | kusto
Result | eq | success | 2 rules | kusto
displayName | eq | AppAddress | 2 rules | kusto
Domain | is_not_null | | 1 rule | kusto

Detection Rules #

Elastic #

  • Entra ID Federated Identity Credential Issuer Modified (severity: high): Detects when the issuer URL of a federated identity credential is changed on an Entra ID application. Adversaries may modify the issuer to point to an attacker-controlled identity provider, enabling them to authenticate as the application's service principal and gain persistent access to Azure resources. This technique allows bypassing traditional authentication controls by federating trust with a malicious external identity provider.

Kusto #

YARA-L #

Update Application - Certificates and secrets management

Provider
Entra-AuditLogs

Description

Credentials (certificate or client secret) were added or changed on an application.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Detection Rules #

Elastic #

  • Entra ID Application Credential Modified (severity: medium): Identifies when a new credential is added to an application in Azure. An application may use a certificate or secret string to prove its identity when requesting a token. Multiple certificates and secrets can be added for an application and an adversary may abuse this by creating an additional authentication method to evade defenses or persist in an environment.

Update conditional access policy

Provider
Entra-AuditLogs

Description

A Conditional Access policy was modified (tampering can weaken enforcement).

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
OperationName | eq | Update conditional access policy | 6 rules | kusto
stateOld | eq | enabled | 2 rules | kusto
displayName | eq | Group.DisplayName | 1 rule | kusto

Detection Rules #

Elastic #

  • Entra ID Conditional Access Policy (CAP) Modified (severity: medium): Identifies a modification to a conditional access policy (CAP) in Microsoft Entra ID. Adversaries may modify existing CAPs to loosen access controls and maintain persistence in the environment with a compromised identity or entity.

Kusto #

Update device

Provider
Entra-AuditLogs

Description

A device object was modified.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
displayName | eq | Included Updated Properties | 1 rule | kusto

Detection Rules #

Kusto #

Update group

Provider
Entra-AuditLogs

Description

A group's properties were modified.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Detection Rules #

Kusto #

Update named location

Provider
Entra-AuditLogs

Description

A named location was modified.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
displayName | eq | Group.DisplayName | 1 rule | kusto

Detection Rules #

Kusto #

Update role definition

Provider
Entra-AuditLogs

Description

A custom directory role definition was modified.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Update role setting in PIM

Provider
Entra-AuditLogs

Description

PIM role settings (activation duration, approval, MFA requirement) were changed.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Category | eq | RoleManagement | 1 rule | kusto, sigma

Detection Rules #

Elastic #

  • Entra ID Privileged Identity Management (PIM) Role Modified (severity: medium): Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls.

Kusto #

Update StsRefreshTokenValidFrom Timestamp

Provider
Entra-AuditLogs

Description

A user's refresh tokens were invalidated (revoke sessions); also set silently by some attacks.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Update user

Provider
Entra-AuditLogs

Description

A user account attribute was modified.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
OperationName | eq | Update user | 6 rules | kusto, sigma
Result | eq | success | 3 rules | kusto
Category | eq | UserManagement | 2 rules | kusto, sigma
Tactics | contains | exfiltration | 1 rule | kusto
Value | eq | False | 1 rule | kusto
azure_ad::logged_by_service | eq | Core Directory | 1 rule | kusto, sigma

Detection Rules #

Sigma #

Kusto #

  • Suspicious linking of existing user to external User (severity: medium): This query will detect when an attempt is made to update an existing user and link it to a guest or external identity. These activities are unusual and such linking of external identities should be investigated. In some cases you may see internal Entra ID sync accounts (Sync_) do this, which may be benign.
  • Suspicious modification of Global Administrator user properties (severity: medium): This query will detect if user properties of a Global Administrator are updated by an existing user. Usually only a User Administrator or another Global Administrator can update such properties. Investigate whether such a user change is an attempt to elevate an existing low-privileged identity or rogue administrator activity.
  • Dataverse - Guest user exfiltration following Power Platform defense impairment (severity: high): Identifies a chain of events starting with disablement of Power Platform tenant isolation and removal of an environment's access security group. These events are correlated with Dataverse exfiltration alerts associated with the impacted environment and recently created Microsoft Entra guest users. Note: Activate other Dataverse analytics rules with the MITRE tactic 'Exfiltration' before enabling this rule.

Update User Risk and MFA Registration Policy

Provider
Entra-AuditLogs

Description

The user-risk or MFA-registration policy was changed.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Category | eq | Policy | 1 rule | sigma

Detection Rules #

Sigma #

  • User Risk and MFA Registration Policy Updated (severity: high): Detects changes and updates to the user risk and MFA registration policy. Attackers can modify the policies to bypass MFA, weaken security thresholds, facilitate further attacks, and maintain persistence.

User changed default security info

Provider
Entra-AuditLogs

Description

A user changed their default authentication method.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Category | eq | UserManagement | 3 rules | kusto, sigma
azure_ad::activity_display_name | in | Admin deleted security info | 2 rules | kusto
azure_ad::activity_display_name | in | Admin registered security info | 2 rules | kusto
azure_ad::activity_display_name | in | Admin updated security info | 2 rules | kusto
azure_ad::activity_display_name | in | User changed default security info | 2 rules | kusto
azure_ad::activity_display_name | in | User deleted security info | 2 rules | kusto
azure_ad::activity_display_name | in | User registered security info | 2 rules | kusto
azure_ad::activity_display_name | in | User reviewed security info | 2 rules | kusto
type | eq | User | 2 rules | kusto
azure_ad::target_user_upn | eq | VIPUsers | 1 rule | kusto

Detection Rules #

Kusto #

User deleted security info

Provider
Entra-AuditLogs

Description

A user removed one of their authentication methods.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Category | eq | UserManagement | 3 rules | kusto, sigma
azure_ad::activity_display_name | in | Admin deleted security info | 2 rules | kusto
azure_ad::activity_display_name | in | Admin registered security info | 2 rules | kusto
azure_ad::activity_display_name | in | Admin updated security info | 2 rules | kusto
azure_ad::activity_display_name | in | User changed default security info | 2 rules | kusto
azure_ad::activity_display_name | in | User deleted security info | 2 rules | kusto
azure_ad::activity_display_name | in | User registered security info | 2 rules | kusto
azure_ad::activity_display_name | in | User reviewed security info | 2 rules | kusto
type | eq | User | 2 rules | kusto
azure.auditlogs.properties.additional_details.key | eq | AuthenticationMethod | 1 rule | elastic
azure_ad::target_user_upn | eq | VIPUsers | 1 rule | kusto

Detection Rules #

Elastic #

Kusto #

User has elevated their access to User Access Administrator for their Azure Resources

Provider
Entra-AuditLogs

Description

A Global Administrator elevated access to manage all Azure subscriptions (root-scope RBAC).

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource). The per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | Actor that triggered the operation: user UPN, service principal app id, or a Microsoft service string.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), with modifiedProperties.
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp when the event was recorded in Log Analytics.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
azure_ad::activity_display_name | eq | User has elevated their access to User Access Administrator for their Azure Resources | 2 rules | elastic, kusto

Detection Rules #

Elastic #

  • Entra ID Elevated Access to User Access Administrator (severity: high): Identifies when a user has elevated their access to User Access Administrator for their Azure Resources. The User Access Administrator role allows users to manage user access to Azure resources, including the ability to assign roles and permissions. Adversaries may target an Entra ID Global Administrator or other privileged role to elevate their access to User Access Administrator, which can lead to further privilege escalation and unauthorized access to sensitive resources. This is a New Terms rule that only signals if the user principal name has not been seen doing this activity in the last 14 days.

Kusto #

  • Azure RBAC (Elevate Access) (severity high): Detects when a Global Administrator elevates access to all subscriptions and management groups in a tenant. When a Global Administrator elevates access they are assigned the User Access Administrator role at root scope. This Microsoft Sentinel Analytic Rule monitors who has elevated access in your tenant so that admins can take appropriate action.


User registered security info #

Provider
Entra-AuditLogs

Description

A user registered an authentication method (MFA/SSPR security info).

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | JSON object identifying the actor: a user (userPrincipalName, id, ipAddress), an app (displayName, servicePrincipalId), or a Microsoft service for system-initiated operations.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), each with its modifiedProperties (displayName, oldValue, newValue).
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp of the activity itself (activityDateTime in Graph), not the Log Analytics ingestion time; use ingestion_time() in KQL when measuring detection latency.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
Category | eq | UserManagement | 5 rules | kusto, sigma
azure_ad::activity_display_name | in | Admin deleted security info | 2 rules | kusto
azure_ad::activity_display_name | in | Admin registered security info | 2 rules | kusto
azure_ad::activity_display_name | in | Admin updated security info | 2 rules | kusto
azure_ad::activity_display_name | in | User changed default security info | 2 rules | kusto
azure_ad::activity_display_name | in | User deleted security info | 2 rules | kusto
azure_ad::activity_display_name | in | User registered security info | 2 rules | kusto
azure_ad::activity_display_name | in | User reviewed security info | 2 rules | kusto
azure_ad::logged_by_service | eq | Authentication Methods | 2 rules | kusto, sigma
azure_ad::target_user_upn | eq | VIPUsers | 2 rules | kusto
type | eq | User | 2 rules | kusto

Detection Rules #


Sigma #

  • Change to Authentication Method (severity medium): Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.

Kusto #

Four Kusto rules reference this event; their descriptions are not reproduced here.
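The predicate the Sigma and Kusto rules above share (Category UserManagement, LoggedByService Authentication Methods, OperationName in the security-info set listed under Common Indicators) is simple to state, but the data an analyst needs for triage sits inside the nested InitiatedBy and TargetResources columns. The Python below is an added example, not code from this page or from any rule vendor: it applies that predicate to AuditLogs-shaped records, extracts actor, source IP, target and modified properties, and escalates admin-driven changes and changes to accounts on a VIP watchlist. The records, the VIP_USERS set and the modifiedProperties values are constructed; the VIPUsers name only mirrors the Sentinel watchlist the Kusto rules reference.

```python
"""Detection for Entra ID security-info (MFA/SSPR) changes in AuditLogs records.

Added example: the predicate is the one shared by the rules indexed on this
page; the records, watchlist and property values below are constructed.
"""
import json

# OperationName set taken from the Common Indicators table for this event.
SECURITY_INFO_OPS = frozenset({
    "Admin registered security info",
    "Admin updated security info",
    "Admin deleted security info",
    "User registered security info",
    "User changed default security info",
    "User deleted security info",
    "User reviewed security info",
})

# Constructed stand-in for the Sentinel 'VIPUsers' watchlist referenced by the Kusto rules.
VIP_USERS = frozenset({"cfo@contoso.example"})


def _load(value, default):
    """InitiatedBy/TargetResources are dynamic columns; exports carry them as JSON text or objects."""
    if value is None:
        return default
    return json.loads(value) if isinstance(value, str) else value


def matches_security_info_change(rec):
    """The shared rule predicate: category, logging service and operation name."""
    return (rec.get("Category") == "UserManagement"
            and rec.get("LoggedByService") == "Authentication Methods"
            and rec.get("OperationName") in SECURITY_INFO_OPS)


def summarize(rec):
    """Triage view of one matching record: who changed what, for whom, from where."""
    initiated = _load(rec.get("InitiatedBy"), {})
    actor = initiated.get("user") or initiated.get("app") or {}
    actor_upn = (actor.get("userPrincipalName") or actor.get("displayName") or "").lower()
    targets = [t for t in _load(rec.get("TargetResources"), []) if t.get("type") == "User"]
    target_upn = (targets[0].get("userPrincipalName") or "").lower() if targets else ""
    changed = [{"name": p.get("displayName"), "old": p.get("oldValue"), "new": p.get("newValue")}
               for t in targets for p in t.get("modifiedProperties", [])]
    admin_driven = rec["OperationName"].startswith("Admin ")
    return {
        "time": rec.get("TimeGenerated"),
        "operation": rec["OperationName"],
        "result": rec.get("Result"),
        "actor": actor_upn,
        "actor_ip": actor.get("ipAddress"),
        "target": target_upn,
        "self_service": not admin_driven and actor_upn == target_upn,
        "vip": target_upn in VIP_USERS,
        "changed": changed,
    }


def detect(records):
    """Filter, summarize and rank: VIP targets and admin-driven changes escalate to high."""
    hits = [summarize(r) for r in records if matches_security_info_change(r)]
    for h in hits:
        h["severity"] = "high" if (h["vip"] or not h["self_service"]) else "medium"
    return hits


# Constructed AuditLogs-shaped records (modifiedProperties names/values are illustrative).
SAMPLE_RECORDS = [
    {   # self-service: a user enrolled their own method
        "TimeGenerated": "2024-05-01T09:12:00Z",
        "OperationName": "User registered security info",
        "Category": "UserManagement", "LoggedByService": "Authentication Methods",
        "Result": "success",
        "InitiatedBy": json.dumps({"user": {"userPrincipalName": "alice@contoso.example",
                                            "ipAddress": "203.0.113.10"}, "app": None}),
        "TargetResources": json.dumps([{"type": "User", "userPrincipalName": "alice@contoso.example",
                                        "modifiedProperties": []}]),
    },
    {   # admin-driven: helpdesk registered a method on a watchlisted account
        "TimeGenerated": "2024-05-01T09:40:00Z",
        "OperationName": "Admin registered security info",
        "Category": "UserManagement", "LoggedByService": "Authentication Methods",
        "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example",
                                 "ipAddress": "198.51.100.7"}, "app": None},
        "TargetResources": [{"type": "User", "userPrincipalName": "cfo@contoso.example",
                             "modifiedProperties": [{"displayName": "StrongAuthenticationMethod",
                                                     "oldValue": "[]",
                                                     "newValue": "[{\"MethodType\":6,\"Default\":true}]"}]}],
    },
    {   # unrelated directory change: must not match
        "TimeGenerated": "2024-05-01T10:02:00Z",
        "OperationName": "Add member to group",
        "Category": "GroupManagement", "LoggedByService": "Core Directory",
        "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}, "app": None},
        "TargetResources": [{"type": "Group", "displayName": "Finance"}],
    },
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_RECORDS):
        print(f'{hit["severity"]:6} {hit["operation"]:35} actor={hit["actor"]} target={hit["target"]}')
```

The self-service check compares the initiator UPN with the target UPN rather than trusting the "User ..." prefix alone; a record whose operation name says "User" but whose initiator differs from the target is treated as admin-driven and escalated.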


User reviewed security info #

Provider
Entra-AuditLogs

Description

A user reviewed their registered security info.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | JSON object identifying the actor: a user (userPrincipalName, id, ipAddress), an app (displayName, servicePrincipalId), or a Microsoft service for system-initiated operations.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), each with its modifiedProperties (displayName, oldValue, newValue).
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp of the activity itself (activityDateTime in Graph), not the Log Analytics ingestion time; use ingestion_time() in KQL when measuring detection latency.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
azure_ad::activity_display_name | in | Admin deleted security info | 2 rules | kusto
azure_ad::activity_display_name | in | Admin registered security info | 2 rules | kusto
azure_ad::activity_display_name | in | Admin updated security info | 2 rules | kusto
azure_ad::activity_display_name | in | User changed default security info | 2 rules | kusto
azure_ad::activity_display_name | in | User deleted security info | 2 rules | kusto
azure_ad::activity_display_name | in | User registered security info | 2 rules | kusto
azure_ad::activity_display_name | in | User reviewed security info | 2 rules | kusto
azure_ad::target_user_upn | eq | VIPUsers | 1 rule | kusto

Detection Rules #


Kusto #


User Risk Detection #

Provider
Entra-AuditLogs

Description

Identity Protection raised a user-risk detection.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | JSON object identifying the actor: a user (userPrincipalName, id, ipAddress), an app (displayName, servicePrincipalId), or a Microsoft service for system-initiated operations.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), each with its modifiedProperties (displayName, oldValue, newValue).
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp of the activity itself (activityDateTime in Graph), not the Log Analytics ingestion time; use ingestion_time() in KQL when measuring detection latency.

Detection Rules #


Elastic #


Verify domain #

Provider
Entra-AuditLogs

Description

A custom domain was verified.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | JSON object identifying the actor: a user (userPrincipalName, id, ipAddress), an app (displayName, servicePrincipalId), or a Microsoft service for system-initiated operations.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), each with its modifiedProperties (displayName, oldValue, newValue).
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp of the activity itself (activityDateTime in Graph), not the Log Analytics ingestion time; use ingestion_time() in KQL when measuring detection latency.

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field | Kind | Value | Rules | Vendors
azure.auditlogs.properties.category | eq | DirectoryManagement | 1 rule | elastic

Detection Rules #


Elastic #

  • Entra ID Custom Domain Added or Verified (severity low): Detects when a custom domain is added or verified in an Entra ID tenant. Adding and verifying a custom domain are precursor steps to configuring domain federation, which can be abused by adversaries to route authentication through an attacker-controlled identity provider (Golden SAML). In most organizations, custom domains are added infrequently and these events should be investigated to ensure they are part of a legitimate administrative workflow. Also matches: Add unverified domain.
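The Elastic rule above fires on each add or verify event separately. Because the two are successive steps of the federation precursor it describes, the more useful alert pairs an "Add unverified domain" with the "Verify domain" that follows for the same domain and reports who performed each step and how quickly. The Python below is an added example, not code from this page or from Elastic: it builds that sequence from AuditLogs-shaped records, considers only successful DirectoryManagement records, and still reports an add that was never verified inside the window. The records are constructed, and the example assumes (it is an assumption, not something the page states) that domain operations carry the domain name as the displayName of the first TargetResources entry.

```python
"""Sequence detection: 'Add unverified domain' followed by 'Verify domain' for one domain.

Added example; the records below are constructed. Assumption: domain operations
carry the domain name as displayName of the first TargetResources entry.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=7)  # a verify this long after the add is still tied to it


def _load(value, default):
    """Dynamic columns arrive as JSON text or as already-parsed objects."""
    if value is None:
        return default
    return json.loads(value) if isinstance(value, str) else value


def _ts(text):
    """TimeGenerated as an aware UTC datetime (exports use ISO 8601 with a trailing Z)."""
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def _domain(rec):
    targets = _load(rec.get("TargetResources"), [])
    return (targets[0].get("displayName") or "").lower() if targets else ""


def _actor(rec):
    who = _load(rec.get("InitiatedBy"), {})
    who = who.get("user") or who.get("app") or {}
    return (who.get("userPrincipalName") or who.get("displayName") or "unknown").lower()


def domain_add_verify_sequences(records, window=WINDOW):
    """One finding per successful add; stage 'added+verified' when a verify follows in the window."""
    adds, verifies = defaultdict(list), defaultdict(list)
    for rec in records:
        if rec.get("Category") != "DirectoryManagement" or rec.get("Result") != "success":
            continue
        if rec.get("OperationName") == "Add unverified domain":
            adds[_domain(rec)].append(rec)
        elif rec.get("OperationName") == "Verify domain":
            verifies[_domain(rec)].append(rec)

    findings = []
    for domain, add_list in adds.items():
        for add in sorted(add_list, key=lambda r: _ts(r["TimeGenerated"])):
            t_add = _ts(add["TimeGenerated"])
            later = [v for v in verifies.get(domain, [])
                     if timedelta(0) <= _ts(v["TimeGenerated"]) - t_add <= window]
            if not later:
                findings.append({"domain": domain, "stage": "added", "added_by": _actor(add),
                                 "verified_by": None, "minutes_to_verify": None, "same_actor": None})
                continue
            verify = min(later, key=lambda r: _ts(r["TimeGenerated"]))
            delta = _ts(verify["TimeGenerated"]) - t_add
            findings.append({"domain": domain, "stage": "added+verified",
                             "added_by": _actor(add), "verified_by": _actor(verify),
                             "minutes_to_verify": delta.total_seconds() / 60,
                             "same_actor": _actor(add) == _actor(verify)})
    return findings


def _rec(op, when, actor, domain, result="success"):
    """Build one constructed AuditLogs-shaped domain record."""
    return {"TimeGenerated": when, "OperationName": op, "Category": "DirectoryManagement",
            "LoggedByService": "Core Directory", "Result": result,
            "InitiatedBy": json.dumps({"user": {"userPrincipalName": actor}, "app": None}),
            "TargetResources": json.dumps([{"type": "Domain", "displayName": domain}])}


# Constructed: one add/verify pair 25 minutes apart, and one add whose verify failed.
SAMPLE_RECORDS = [
    _rec("Add unverified domain", "2024-05-01T09:00:00Z", "ga-break-glass@contoso.example", "login.contoso-sso.example"),
    _rec("Verify domain", "2024-05-01T09:25:00Z", "ga-break-glass@contoso.example", "login.contoso-sso.example"),
    _rec("Add unverified domain", "2024-05-02T14:00:00Z", "itadmin@contoso.example", "legacy.contoso.example"),
    _rec("Verify domain", "2024-05-02T14:10:00Z", "itadmin@contoso.example", "legacy.contoso.example", result="failure"),
]

if __name__ == "__main__":
    for finding in domain_add_verify_sequences(SAMPLE_RECORDS):
        print(finding)
```

Failed verifications are dropped before pairing so a DNS-proof that never succeeded does not look like a completed precursor, while the unmatched add is still surfaced: an attacker who adds a domain and waits is exactly the case the Elastic rule's low severity would otherwise let slip past.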


Verify email verified domain #

Provider
Entra-AuditLogs

Description

An email-verified domain was verified.

Fields #

Name | Description
OperationName | The audit operation name (= activityDisplayName in the Graph directoryAudit resource); the per-record discriminator that detection rules filter on.
ActivityDisplayName | Human-readable operation name; carries the same value as OperationName in the AuditLogs table.
Category | Audit category (RoleManagement, UserManagement, ApplicationManagement, GroupManagement, Policy, Device, KeyManagement, ...).
LoggedByService | The Entra service that logged the event (Core Directory, PIM, Authentication Methods, Conditional Access, Identity Protection, ...).
Result | Operation result: success, failure, or timeout.
ResultReason | Free-text description of the result or failure reason.
InitiatedBy | JSON object identifying the actor: a user (userPrincipalName, id, ipAddress), an app (displayName, servicePrincipalId), or a Microsoft service for system-initiated operations.
TargetResources | JSON array of objects affected (users, groups, applications, service principals, policies, roles), each with its modifiedProperties (displayName, oldValue, newValue).
AdditionalDetails | Key-value pairs carrying operation-specific context not in the top-level columns.
CorrelationId | GUID correlating related records emitted by the same request.
TimeGenerated | UTC timestamp of the activity itself (activityDateTime in Graph), not the Log Analytics ingestion time; use ingestion_time() in KQL when measuring detection latency.
