# Data source definition for Azure AD (Microsoft Entra ID) audit events whose
# operationName is "Invite external user", i.e. an invitation issued to an
# account outside the tenant. Detections that watch for unexpected guest
# accounts would key off this event.
name: Azure Active Directory Invite external user
# UUID identifying this data source object.
id: d3818bd5-f283-4518-8b67-df19240c3e40
# NOTE(review): presumably the revision of this definition, not of the add-on.
version: 1
# Quoted so the value stays a string rather than being parsed as a date.
date: '2024-07-18'
author: Patrick Bareiss, Splunk
description: Data source object for Azure Active Directory Invite external user
# Splunk `source` / `sourcetype` values the events are expected to carry.
source: Azure AD
sourcetype: azure:monitor:aad
# NOTE(review): presumably the field whose value ("Invite external user" in the
# sample event) tells this data source apart from others that share the same
# sourcetype - confirm against the consuming tool's schema.
separator: operationName
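# Add-on expected to ingest this data and produce the field extractions.
# `url` and `version` belong to the list item: left at column 0 they become
# top-level keys, and `version` then duplicates the definition's own `version`
# key (most parsers silently keep the last value).
supported_TA:
- name: Splunk Add-on for Microsoft Cloud Services
  url: https://splunkbase.splunk.com/app/3110
  # Quoted so a future two-part version (e.g. '5.4') is not read as a float.
  version: '5.4.1'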
# Field names available on events from this data source. The list mixes
# Splunk-generated fields (_time, date_*, host, index, linecount, punct,
# source, sourcetype, splunk_server, timeendpos, timestartpos) with keys
# extracted from the Azure AD audit JSON. A `{}` suffix is Splunk's notation
# for the elements of a JSON array.
fields:
- _time
- Level
# Top-level caller address. In the sample event it equals
# properties.initiatedBy.user.ipAddress but differs from the "ipaddr" entry in
# properties.additionalDetails - confirm which one represents the client
# before using it for geo or allow-list logic.
- callerIpAddress
- category
- correlationId
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- durationMs
- host
- index
- linecount
- operationName
- operationVersion
- properties.activityDateTime
- properties.activityDisplayName
# Key/value pairs attached to the event; the sample carries "InvitationId"
# and "invitedUserEmailAddress" here, so the invited address is only reachable
# by pairing each key with its value.
- properties.additionalDetails{}.key
- properties.additionalDetails{}.value
- properties.category
- properties.correlationId
- properties.id
# Identity that issued the invitation (the actor). displayName is null in the
# sample, so userPrincipalName / id are the more reliable attribution fields.
- properties.initiatedBy.user.displayName
- properties.initiatedBy.user.id
- properties.initiatedBy.user.ipAddress
- properties.initiatedBy.user.userPrincipalName
- properties.loggedByService
- properties.operationType
# Outcome of the operation ("success" in the sample); filter on it when only
# completed invitations matter.
- properties.result
- properties.resultReason
# Object the operation acted on. In the sample this is a "User" whose
# userPrincipalName contains "#EXT#", i.e. the external account being invited.
- properties.targetResources{}.displayName
- properties.targetResources{}.id
- properties.targetResources{}.type
- properties.targetResources{}.userPrincipalName
# Null in the sample event - do not rely on it being populated.
- properties.userAgent
- punct
- resourceId
- resultSignature
- source
- sourcetype
- splunk_server
- tenantId
- time
- timeendpos
- timestartpos
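# Sample raw event for this data source: one JSON object held in a
# single-quoted scalar, so the line breaks below fold to single spaces.
# Continuation lines are indented because a multi-line quoted scalar must sit
# deeper than its key; at column 0 strict parsers may reject the document.
# NOTE(review): the two "[email protected]" values look like an
# e-mail-obfuscation placeholder from the page this was copied from, not real
# log content - replace them with a constructed address before using this
# sample as a test fixture.
example_log: '{"time": "2023-07-13T00:29:59.5100003Z", "resourceId": "/tenants/fc69e276-e9e8-4af9-9002-1e410d77244e/providers/Microsoft.aadiam",
  "operationName": "Invite external user", "operationVersion": "1.0", "category":
  "AuditLogs", "tenantId": "fc69e276-e9e8-4af9-9002-1e410d77244e", "resultSignature":
  "None", "durationMs": 0, "callerIpAddress": "40.126.4.40", "correlationId": "e7d580a6-eaac-4f82-843c-40b0b5f3cf99",
  "Level": 4, "properties": {"id": "Invited Users_e7d580a6-eaac-4f82-843c-40b0b5f3cf99_YNUMP_7291793",
  "category": "UserManagement", "correlationId": "e7d580a6-eaac-4f82-843c-40b0b5f3cf99",
  "result": "success", "resultReason": null, "activityDisplayName": "Invite external
  user", "activityDateTime": "2023-07-13T00:29:59.5100003+00:00", "loggedByService":
  "Invited Users", "operationType": "Add", "userAgent": null, "initiatedBy": {"user":
  {"id": "728989f4-eb3d-45c2-8741-2f2af4e485ce", "displayName": null, "userPrincipalName":
  "[email protected]", "ipAddress": "40.126.4.40", "roles": []}}, "targetResources":
  [{"id": "f416526a-17ee-4129-8ca9-f5ee55f69f34", "displayName": "oops", "type": "User",
  "userPrincipalName": "oops360_gmail.com#EXT#@strtadminsplunkresearch.onmicrosoft.com",
  "modifiedProperties": [], "administrativeUnits": []}], "additionalDetails": [{"key":
  "oid", "value": "728989f4-eb3d-45c2-8741-2f2af4e485ce"}, {"key": "tid", "value":
  "fc69e276-e9e8-4af9-9002-1e410d77244e"}, {"key": "ipaddr", "value": "2601:646:a000:200:c4db:f288:7e28:21b3"},
  {"key": "wids", "value": "62e90394-69f5-4237-9190-012177145e10"}, {"key": "InvitationId",
  "value": "65c7d12f-c6f3-44f0-8fad-4f57a1020484"}, {"key": "invitedUserEmailAddress",
  "value": "[email protected]"}]}}'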