m365-azure-ad-logs
Fetch Azure Active Directory logs using the Office 365 Management API
o365-azure-ad-logs [profile=PROFILE] [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss]
- profile=PROFILE
  - Office 365 connect profile name.
- duration=NUM{mon|w|d|h|m|s}
  - Scan only recent data. Use one of the time units s (second), m (minute), h (hour), d (day), w (week) or mon (month). For example, '10s' means data from the last 10 seconds.
- from=yyyyMMddHHmmss
  - Start of the time range, in yyyyMMddHHmmss format. If the time part is omitted, it is zero-padded.
- to=yyyyMMddHHmmss
  - End of the time range, in yyyyMMddHHmmss format. If the time part is omitted, it is zero-padded.
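As an added illustration, not code from the command itself, the following Python resolves the duration/from/to arguments described above into a concrete start and end time using the documented rules: duration units s/m/h/d/w/mon relative to the current time, and from/to in yyyyMMddHHmmss with an omitted time part padded with zeros. How the real command combines duration with from/to, and how a month step is clamped at month end, are assumptions made here.

```python
import re
from calendar import monthrange
from datetime import datetime, timedelta

# Duration syntax from the command's usage line: NUM followed by one unit.
DURATION_RE = re.compile(r"^(\d+)(mon|w|d|h|m|s)$")
FIXED_UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_timestamp(value: str) -> datetime:
    """Parse a from=/to= value: yyyyMMddHHmmss, omitted time part zero-padded.
    Assumption: only whole fields may be omitted (8, 10, 12 or 14 digits)."""
    if not value.isdigit() or len(value) not in (8, 10, 12, 14):
        raise ValueError(f"bad timestamp {value!r}: expected yyyyMMdd[HH[mm[ss]]]")
    return datetime.strptime(value.ljust(14, "0"), "%Y%m%d%H%M%S")


def subtract_duration(end: datetime, spec: str) -> datetime:
    """Return end minus a duration such as '10s', '2w' or '1mon'."""
    match = DURATION_RE.match(spec)
    if not match:
        raise ValueError(f"bad duration {spec!r}: expected NUM{{mon|w|d|h|m|s}}")
    num, unit = int(match.group(1)), match.group(2)
    if unit != "mon":
        return end - timedelta(seconds=num * FIXED_UNIT_SECONDS[unit])
    # Calendar months are not a fixed number of seconds: step back num months
    # and clamp the day to the target month's length (assumed behaviour).
    months = end.year * 12 + (end.month - 1) - num
    year, month0 = divmod(months, 12)
    month = month0 + 1
    day = min(end.day, monthrange(year, month)[1])
    return end.replace(year=year, month=month, day=day)


def resolve_window(args: dict, now: datetime) -> tuple[datetime, datetime]:
    """Turn duration/from/to arguments into a (start, end) pair.
    Assumption: duration is relative to `now` and takes precedence over
    from/to; a missing `to` means `now`."""
    if "duration" in args:
        return subtract_duration(now, args["duration"]), now
    if "from" not in args:
        raise ValueError("specify duration= or from=")
    start = parse_timestamp(args["from"])
    end = parse_timestamp(args["to"]) if "to" in args else now
    if start > end:
        raise ValueError("from= must not be later than to=")
    return start, end
```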
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| _time | Date | Time | |
| profile | String | Connect profile | The identifier of Office 365 connect profile |
| workload | String | Workload | e.g. AzureActiveDirectory |
| client_ip | IP address | Client IP | |
| actor_ip | IP address | Actor IP | |
| user_id | String | User ID | e.g. xeraph@logpresso.com |
| operation | String | Operation | e.g. UserLoggedIn, UserLoginFailed, Add service principal., Update user., Update device. |
| logon_error | String | Logon error | e.g. InvalidUserNameOrPassword, PasswordResetRegistrationRequiredInterrupt, AuthenticationFailedSasError, InvalidPasswordExpiredPassword, InvalidReplyTo, SsoArtifactRevoked, UserStrongAuthClientAuthNRequiredInterrupt |
| object_id | String | Object ID | e.g. 00000002-0000-0000-c000-000000000000 |
| result_status | String | Result status | e.g. Success, Failed |
| record_type | Integer | Record type | e.g. 8 (Update), 15 (Login) |
| user_type | Integer | User type | e.g. 0 (User), 4 (Service) |
| user_key | String | User key | GUID, Email address or Not Available |
| version | Integer | Version | e.g. 1 |
| id | String | ID | GUID format |
| org_id | String | Tenant ID | |
| app_id | String | App ID | |
| azure_ad_event_type | String | Azure AD event type | e.g. 1 |
| actor_context_id | String | Actor context ID | GUID format |
| target_context_id | String | Target context ID | GUID format |
| inter_systems_id | String | Inter systems ID | GUID format |
| intra_system_id | String | Intra system ID | GUID format |
| support_ticket_id | String | Support ticket ID | |
| actor | List | Actor | Elements with id and type properties |
| target | List | Target | Elements with id and type properties |
| modified_properties | List | Modified properties | Elements with name, old_value, and new_value properties |
| extended_properties | List | Extended properties | Elements with name and value properties |
| device_properties | List | Device properties | Elements with name and value properties |