
Change Auditor 7.0.3 - Office 365 and Azure Active Directory User Guide

Creating custom Azure Active Directory searches

To create a search that returns all Azure Active Directory events:
3. Click New to enable the Search Properties tabs across the bottom of the Searches page.
4. On the Info tab, enter a name and description for the search.
5. On the What tab, expand Add and click Subsystem | Azure Active Directory.
NOTE: You can use Add with Events | Subsystem | Azure Active Directory to select an existing event from the database and use its properties as a filter for a new search.
6. Select All Events.
7. Select the Layout tab and choose the Azure Active Directory information to include.
8. Click OK to save your selection and close the dialog.

To create a search that groups Azure Active Directory events by facility:
3. Click New to enable the Search Properties tabs across the bottom of the Searches page.
4. On the Info tab, enter a name and description for the search.
5. On the What tab, expand Add and select Event Class.
6. Group by the Facility column.
7. Select the Layout tab and choose the Azure Active Directory information to include.

To create a search limited to selected Azure Active Directory events:
3. Click New to enable the Search Properties tabs across the bottom of the Searches page.
4. On the Info tab, enter a name and description for the search.
5. On the What tab, expand Add and click Subsystem | Azure Active Directory.
NOTE: You can use Add with Events | Subsystem | Azure Active Directory to select an existing event from the database and use its properties as a filter for a new search.
6. Select Selected Events to configure the search, then set any of the following filters. Each filter takes a comparison operator (Like or Not like) and a value; where a character string is accepted, * acts as a wildcard.
Category: Specify the event category to include in the search. Select Like or Not like and enter a category name. For example, if you are interested only in activities related to self-service password resets, choose the "Self-service Password Management" category.
Activity Type: Specify the activity type to include in the search. Select Like or Not like and enter an activity type. For example, to show only user-related activities, enter "User".
Activity Name: Specify the activity to include in the search. (For sign-in risk events, this is the detected activity that occurred on the risk event.) Select Like or Not like and enter an activity name; the * wildcard is accepted. For example, Like *delete* returns events whose Activity contains 'delete'. For a list of all available activities, see the Microsoft article "Audit activity reports in the Azure Active Directory portal".
Activity Details: Include activity details in the search. (For sign-in risk events, use the status of the risk event, such as Resolved.) Select Like or Not like and enter a full or partial string; the * wildcard is accepted. For example, the 'Self-serve password reset flow activity progress' activity provides several different details, including: User started the mobile SMS verification option, User started the e-mail verification option, or User successfully reset password. Leave this filter blank to return events for all activities, or fill it in to narrow the search by activity details.
Target: Specify the target (primary and secondary targets) to include in the search. (For sign-in risk events, this field searches the risk event type, such as Sign-in from anonymous IP address.) Select Like or Not like and enter a full or partial name; the * wildcard is accepted. The Target filter searches across the following properties: Object Name (Cloud Target Name), Target Display Name, On-Premises Target, Subject Name, Subject Display Name, and On-Premises Subject.
7. Click Add to add the expression to the selection list.
8. Select the Layout tab and choose the Azure Active Directory information to include.
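The following is an added example, not Change Auditor code, that models the filter semantics described in the procedures above: Like and Not like with * as the only wildcard, a Target filter that hits on any of the six target and subject properties listed, and the Group by Facility view from the second procedure. The event records, their field names and the sample values are constructed for the example; treating the comparison as case-insensitive and combining several filters with AND are assumptions, since the page does not state either.

```python
"""Model of the Selected Events filters and the Facility grouping described above.

Added example, not Change Auditor code. Event records and field names are
constructed after the Layout-tab columns on this page; case-insensitive
matching and AND-combination of filters are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, str]
# (field, operator, pattern); operator is "Like" or "Not like"
Filter = Tuple[str, str, str]

# Constructed sample events (not real audit data).
SAMPLE_EVENTS: List[Event] = [
    {"facility": "Azure Active Directory - User", "category": "UserManagement",
     "activity_type": "User", "activity_name": "Delete user", "activity_details": "",
     "object_name": "jdoe@contoso.example", "target_display_name": "John Doe",
     "on_prem_target": "CONTOSO\\jdoe", "subject_name": "admin@contoso.example",
     "subject_display_name": "Cloud Admin", "on_prem_subject": ""},
    {"facility": "Azure Active Directory - User",
     "category": "Self-service Password Management", "activity_type": "User",
     "activity_name": "Self-serve password reset flow activity progress",
     "activity_details": "User successfully reset password",
     "object_name": "asmith@contoso.example", "target_display_name": "Alice Smith",
     "on_prem_target": "CONTOSO\\asmith", "subject_name": "asmith@contoso.example",
     "subject_display_name": "Alice Smith", "on_prem_subject": "CONTOSO\\asmith"},
    {"facility": "Azure Active Directory - Group", "category": "GroupManagement",
     "activity_type": "Group", "activity_name": "Delete group", "activity_details": "",
     "object_name": "Finance", "target_display_name": "Finance", "on_prem_target": "",
     "subject_name": "admin@contoso.example", "subject_display_name": "Cloud Admin",
     "on_prem_subject": ""},
    {"facility": "Azure Active Directory - Application",
     "category": "ApplicationManagement", "activity_type": "ServicePrincipal",
     "activity_name": "Add service principal credentials", "activity_details": "",
     "object_name": "payroll-api", "target_display_name": "Payroll API",
     "on_prem_target": "", "subject_name": "jdoe@contoso.example",
     "subject_display_name": "John Doe", "on_prem_subject": "CONTOSO\\jdoe"},
]

# The Target filter searches all of these properties (as listed on this page).
TARGET_PROPERTIES = ("object_name", "target_display_name", "on_prem_target",
                     "subject_name", "subject_display_name", "on_prem_subject")


def like(value: str, pattern: str) -> bool:
    """Like comparison: '*' matches any run of characters; nothing else is special.

    A pattern without '*' must match the whole value, so 'Like *delete*' means
    "contains delete". Case-insensitive matching is an assumption.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def filter_matches(event: Event, field: str, operator: str, pattern: str) -> bool:
    """Apply one filter expression to one event."""
    if field == "target":
        # Target filter: a hit on any primary/secondary target property counts.
        hit = any(like(event.get(prop, ""), pattern) for prop in TARGET_PROPERTIES)
    else:
        hit = like(event.get(field, ""), pattern)
    if operator == "Like":
        return hit
    if operator == "Not like":
        return not hit
    raise ValueError(f"unsupported operator: {operator}")


def run_search(events: Iterable[Event], filters: List[Filter]) -> List[Event]:
    """Return events matching every filter (AND semantics; an assumption)."""
    return [e for e in events
            if all(filter_matches(e, field, op, pat) for field, op, pat in filters)]


def group_by_facility(events: Iterable[Event]) -> Dict[str, List[Event]]:
    """Bucket events by the Facility column, as the grouped search does."""
    groups: Dict[str, List[Event]] = defaultdict(list)
    for e in events:
        groups[e["facility"]].append(e)
    return dict(groups)


if __name__ == "__main__":
    deletes = run_search(SAMPLE_EVENTS, [("activity_name", "Like", "*delete*")])
    print([e["activity_name"] for e in deletes])  # ['Delete user', 'Delete group']
    # A Target filter on *jdoe* also returns the credential add where jdoe is the subject.
    jdoe = run_search(SAMPLE_EVENTS, [("target", "Like", "*jdoe*")])
    print([e["activity_name"] for e in jdoe])  # ['Delete user', 'Add service principal credentials']
    print({k: len(v) for k, v in group_by_facility(SAMPLE_EVENTS).items()})
```

The Target case is the one worth noticing when you build a search: because the filter also covers Subject Name and On-Premises Subject, a value such as *jdoe* returns events where that account is the actor, not only events where it is the object being changed. Use Activity Name or Category alongside it when you want only one side of the event.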

Displaying additional Azure Active Directory information

When auditing Azure Active Directory, you can add the following columns through the search Layout tab to display extra information. Each entry gives the column name as listed on the Layout tab, with the column heading in parentheses, followed by what the column contains:

Azure - Activity Type (Activity Type)
The activity resource type.

Azure - Activity Name/Operation (Activity Name/Operation)
The activity that was performed as part of the event.

Azure - Activity Details (Activity Details)
Additional information about the audited activity. For example, for 'Self-serve password reset flow activity progress' it shows which step the user is performing. For sign-in risk events, this shows the status of the risk event, such as "Closed (resolved)".

Azure - Category (Category)
The activity category, such as Terms of use, Core Directory, Application Proxy, Account Provisioning, or Invited Users.

Azure - Sign-in City (City)
The city from which the user signed in or attempted to sign in to an application.

Azure - Sign-in State (State)
The state from which the user signed in or attempted to sign in to an application.

Azure - Sign-in Country (Country)
The country from which the user signed in or attempted to sign in to an application.


Additional information for synchronized environments

When auditing Office 365 and Azure Active Directory in a synchronized environment, you can add the following columns through the search Layout tab to display extra mapping information. Each entry gives the column name as listed on the Layout tab, with the column heading in parentheses, followed by what the column contains:

Azure - Activity Origin (Activity Origin)
'Cloud' indicates that the event activity was performed directly in the cloud. 'AD' indicates that the activity was originally performed on-premises and was synchronized to the cloud.

Azure - On-premises User (On-premises User)
Domain and sAMAccountName of the on-premises user that corresponds to the cloud user that initiated the event.

Azure - On-premises Target (On-premises Target)
Domain and sAMAccountName of the on-premises object that corresponds to the cloud object that was the target of the event.

Azure - Target Sync Type (Target Sync Type)
'In Cloud' indicates that the target object exists only in the cloud. 'Synced from AD' indicates that the target object was synchronized from Active Directory.

Azure - Target Display Name (Target Display Name)
The on-premises display name of the target for synchronized objects, or the cloud display name for cloud-only objects.

Azure - Tenant Initial Domain (Tenant Initial Domain)
Default Azure Active Directory domain name.

Azure - Tenant Display Name (Tenant Display Name)
Tenant display name.

Azure - Subject Sync Type (Subject Sync Type)
'SyncedFromAD' indicates that the subject object was synchronized from Active Directory. 'In Cloud' indicates that the subject object exists only in the cloud.

Azure - Subject Display Name (Subject Display Name)
The Active Directory on-premises name for a hybrid object, or the Azure name for a cloud-only object.

Azure - On-premises Subject (On-premises Subject)
Domain and sAMAccountName of the on-premises object that corresponds to the cloud object that was the subject of the event.

Subject Name (Subject Name)
The Azure object name, whether the object is cloud-only or hybrid.

In addition to the search columns, the 'Who' field in the event details pane shows the mapping information. In cloud-only deployments, this field displays the cloud user that initiated the event. In a synchronized deployment, the associated on-premises user is displayed after the cloud user, in square brackets.

Working with generic Office 365 and Azure Active Directory events

The Azure Active Directory audit reports and the Office 365 audit logs are continuously evolving. To ensure that Change Auditor is synchronized with these updates, generic events have been introduced. Each Azure AD and Office 365 facility in Change Auditor has one generic event defined.

The generic event is generated each time an activity occurs that does not have a corresponding event defined in Change Auditor. For example, “Azure Active Directory - User event” is generated when activities such as “Reset password (self-service)” or “Unlock user account” are performed in Azure Active Directory. Activity information is populated in additional columns and the description for the event (What statement) is dynamically constructed based upon the Azure AD/Office 365 activity and target object name.

When working with these events, you can add additional columns to the search layout to view information about the activity.

Azure - Activity Name/Operation (Activity Name/Operation)
The activity that was performed as part of the event. For sign-in risk events, this shows the risk event type.

Azure - Activity Details (Activity Details)
Additional information about the audited activity. For example, for 'Self-serve password reset flow activity progress' it shows which step the user is performing.

For a complete list of the available activities, see the Microsoft support articles "Audit activity reports in the Azure Active Directory portal" and "Search the audit log in the Office 365 Security & Compliance Center".
