Microsoft Azure Active Directory sample event messages

Use these sample event messages as a way of verifying a successful integration with QRadar®.

The following table provides sample event messages for the Microsoft Azure Active Directory DSM. The first sample is an audit log record (category AuditLogs) as exported by Azure Monitor; the second is a sign-in record (category SignInLogs) wrapped in an eventHubsAzureRecord object.

Important: Because of how the samples are formatted here, paste each message into a text editor and remove any carriage return or line feed characters so that the sample is a single line before you use it.
Table 1. Microsoft Azure Active Directory sample event messages supported by Microsoft Azure Active Directory

Event name: Add member to group-success
Low level category: Group Member Added
Sample log message:
{"time":"2019-09-03T20:01:53.7619661Z","resourceId":"/tenants/1111a11a-111a-11a1-1111-111a1a2aa11a/providers/Microsoft.aadiam","operationName":"Add member to group","operationVersion":"1.0","category":"AuditLogs","tenantId":"1111a11a-111a-11a1-1111-111a1a2aa11a","resultSignature":"None","durationMs":0,"correlationId":"1111a11a-111a-11a1-1111-111a1a2aa11a","level":"Informational","properties":{"id":"Directory_AAA11_11111","category":"GroupManagement","correlationId":"111a11a-111a-11a1-1111-111a1a2aa11a","result":"success","resultReason":"","activityDisplayName":"Add member to group","activityDateTime":"2019-09-03T20:01:53.7619661+00:00","loggedByService":"Core Directory","operationType":"Assign","initiatedBy":{"user":{"id":"111a11a-111a-11a1-1111-111a1a2aa11a","displayName":null,"userPrincipalName":"username","ipAddress":null}},"targetResources":[{"id":"111a11a-111a-11a1-1111-111a1a2aa11a","displayName":null,"type":"User","userPrincipalName":"username","modifiedProperties":[{"displayName":"Group.ObjectID","oldValue":null,"newValue":"\"111a11a-111a-11a1-1111-111a1a2aa11a\""},{"displayName":"Group.DisplayName","oldValue":null,"newValue":"\"AD_Roadmap\""},{"displayName":"Group.WellKnownObjectName","oldValue":null,"newValue":null}]},{"id":"111a11a-111a-11a1-1111-111a1a2aa11a","displayName":null,"type":"Group","groupType":"azureAD","modifiedProperties":[]}],"additionalDetails":[]}}

Event name: Sign-in activity fail
Low level category: User Login Failure
Sample log message:
{"eventHubsAzureRecord":{"time":"2018-08-08T12:41:15.3163732Z","resourceId":"/tenants/g1111111-1aaa-11a1-1111-1111aa1a1111/providers/Microsoft.aadiam","operationName":"Sign-in activity","operationVersion":"1.0","category":"SignInLogs","tenantId":"h1111111-1aaa-11a1-1111-1111aa1a1111","resultType":"50074","resultSignature":"None","resultDescription":"User did not pass the MFA challenge.","durationMs":0,"callerIpAddress":"192.0.2.0","correlationId":"g1111111-1aaa-11a1-1111-1111aa1a1111","identity":"fname, lname","Level":4,"location":"NL","properties":{"id":"ia1111111-1aaa-11a1-1111-1111aa1a1111","createdDateTime":"2018-08-08T12:41:15.3163732+00:00","userDisplayName":"fname, lname","userPrincipalName":"user@example.com","userId":"j1111111-1aaa-11a1-1111-1111aa1a1111","appId":"k1111111-1aaa-11a1-1111-1111aa1a1111","appDisplayName":"Microsoft App Access Panel","ipAddress":"192.0.2.0","status":{"errorCode":50074,"failureReason":"User did not pass the MFA challenge.","additionalDetails":"MFA required in Azure AD"},"clientAppUsed":"Browser","deviceDetail":"...","location":"...","mfaDetail":{"authMethod":"Text message"},"correlationId":"l1111111-1aaa-11a1-1111-1111aa1a1111","conditionalAccessStatus":2,"conditionalAccessPolicies":"...","isRisky":false}}}
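
The parser below is an added example, not IBM or Microsoft code, and is not the DSM's own parsing logic. It shows what a practitioner wants to check before trusting the integration: that the pasted sample survives the carriage return and line feed removal from the Important note, that the eventHubsAzureRecord envelope on the sign-in sample is unwrapped, that the JSON-encoded newValue strings in modifiedProperties are decoded, and that each record resolves to the event name and low level category listed in Table 1. The two records are constructed, trimmed copies of the samples above; the LOW_LEVEL_CATEGORY table is an assumption built only from the two rows on this page, not the DSM's real QID map.

```python
"""Unwrap, normalize and classify the Azure AD audit and sign-in samples.
Added example; assumes the field names seen in the page's two records."""
import json
from typing import Any, Dict

# Constructed sample: raw AuditLogs record, trimmed from the page's first row.
AUDIT_SAMPLE = (
    '{"time":"2019-09-03T20:01:53.7619661Z","operationName":"Add member to group",'
    '"category":"AuditLogs","tenantId":"1111a11a-111a-11a1-1111-111a1a2aa11a",'
    '"level":"Informational","properties":{"category":"GroupManagement",'
    '"result":"success","operationType":"Assign",'
    '"initiatedBy":{"user":{"userPrincipalName":"username","ipAddress":null}},'
    '"targetResources":[{"type":"User","userPrincipalName":"username",'
    '"modifiedProperties":[{"displayName":"Group.DisplayName","oldValue":null,'
    '"newValue":"\\"AD_Roadmap\\""}]},{"type":"Group","groupType":"azureAD"}]}}'
)

# Constructed sample: SignInLogs record in its eventHubsAzureRecord envelope,
# trimmed from the page's second row, with CR/LF inserted to mimic a paste.
SIGNIN_PASTED = (
    '{"eventHubsAzureRecord":{"time":"2018-08-08T12:41:15.3163732Z",\r\n'
    '"operationName":"Sign-in activity","category":"SignInLogs",'
    '"tenantId":"h1111111-1aaa-11a1-1111-1111aa1a1111","resultType":"50074",'
    '"resultDescription":"User did not pass the MFA challenge.",'
    '"callerIpAddress":"192.0.2.0","identity":"fname, lname","Level":4,\r\n'
    '"properties":{"userPrincipalName":"user@example.com",'
    '"appDisplayName":"Microsoft App Access Panel","ipAddress":"192.0.2.0",'
    '"status":{"errorCode":50074,"failureReason":"User did not pass the MFA challenge.",'
    '"additionalDetails":"MFA required in Azure AD"},"clientAppUsed":"Browser",'
    '"mfaDetail":{"authMethod":"Text message"},"conditionalAccessStatus":2,"isRisky":false}}}'
)

# Assumed mapping (operationName, outcome) -> low level category, taken from
# the two rows in Table 1 only; the real mapping lives in the DSM.
LOW_LEVEL_CATEGORY = {
    ("Add member to group", "success"): "Group Member Added",
    ("Sign-in activity", "fail"): "User Login Failure",
}


def to_single_line(pasted: str) -> str:
    """Apply the Important note: strip CR/LF so syslog sees exactly one record."""
    return pasted.replace("\r", "").replace("\n", "")


def unwrap(raw: str) -> Dict[str, Any]:
    """Parse one record and remove the eventHubsAzureRecord envelope if present."""
    record = json.loads(to_single_line(raw))
    return record.get("eventHubsAzureRecord", record)


def outcome(record: Dict[str, Any]) -> str:
    """Audit records carry properties.result; sign-ins carry a numeric error code."""
    props = record.get("properties", {})
    if record.get("category") == "AuditLogs":
        return props.get("result", "unknown")
    if record.get("category") == "SignInLogs":
        code = props.get("status", {}).get("errorCode")
        if code is None:
            code = int(record.get("resultType", "0"))
        return "success" if code == 0 else "fail"
    return "unknown"


def extract(record: Dict[str, Any]) -> Dict[str, Any]:
    """Pull the fields an analyst checks in Log Activity after a test send."""
    props = record.get("properties", {})
    op, out = record.get("operationName"), outcome(record)
    fields: Dict[str, Any] = {
        "time": record.get("time"),
        "tenant": record.get("tenantId"),
        "event_name": f"{op}-{out}",
        "low_level_category": LOW_LEVEL_CATEGORY.get((op, out), "Unknown"),
    }
    if record.get("category") == "AuditLogs":
        actor = props.get("initiatedBy", {}).get("user") or {}
        fields["user"] = actor.get("userPrincipalName")
        fields["source_ip"] = actor.get("ipAddress")  # null in the sample
        targets = props.get("targetResources", [])
        fields["target"] = targets[0].get("userPrincipalName") if targets else None
        fields["group"] = None
        # newValue is itself JSON-encoded (note the escaped quotes in the sample),
        # so decode it rather than stripping quotes by hand.
        for mp in (targets[0].get("modifiedProperties", []) if targets else []):
            if mp.get("displayName") == "Group.DisplayName" and mp.get("newValue"):
                fields["group"] = json.loads(mp["newValue"])
    elif record.get("category") == "SignInLogs":
        status = props.get("status", {})
        fields["user"] = props.get("userPrincipalName")
        fields["source_ip"] = record.get("callerIpAddress") or props.get("ipAddress")
        fields["result_code"] = status.get("errorCode")
        fields["reason"] = status.get("failureReason")
        fields["mfa_method"] = props.get("mfaDetail", {}).get("authMethod")
    return fields


if __name__ == "__main__":
    for raw in (AUDIT_SAMPLE, SIGNIN_PASTED):
        print(json.dumps(extract(unwrap(raw)), indent=2))
```

Run it once on the two samples, then send the output of to_single_line() for each sample to the log source over syslog and confirm in the Log Activity tab that the event name and low level category match the rows in Table 1. If the sign-in record shows up as Unknown, the envelope was not unwrapped or a line break split the record in transit.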