Mappings: Microsoft Office 365 Active Directory Authentication Events
Input | Value |
---|---|
Vendor | Microsoft |
Product | Office 365 |
Log Format | JSON |
Event ID Regex Pattern | `AzureActiveDirectoryStsLogon\|15` |
Output | Value |
---|---|
Vendor | Microsoft |
Product | Office 365 |
Record Type | Authentication |
Cloud SIEM Schema Field | Original Record Key | Notes |
---|---|---|
action | Operation | |
application | Workload | |
cause | LogonError | |
device_ip | ActorIpAddress | |
logonType | RecordTypeString | |
normalizedAction | None | The static text `logon` is populated in this schema field. |
srcDevice_ip | ActorIpAddress | |
success | Operation | This is a lookup field. More info to come in the catalog later... |
timestamp | CreationTime | We expect the original record value of CreationTime to be in the format `yyyy-MM-dd'T'HH:mm:ss`. |
user_userId | Actor.1.ID | |
user_username | Actor.2.ID | |
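The mapping above applied to a constructed Office 365 record, as an added example (not Cloud SIEM's own parser). It assumes the event ID pattern is matched against `RecordType`, that `Actor.N.ID` is a 0-based index into the `Actor` array, that `CreationTime` is UTC, and it stands in a small assumed table for the undocumented `success` lookup.

```python
import re
from datetime import datetime, timezone

# Event ID pattern from the mapping table; assumed here to be matched against
# the record's RecordType (numeric or its string form).
EVENT_ID_PATTERN = re.compile(r"^(AzureActiveDirectoryStsLogon|15)$")

# Assumed lookup for 'success'; the page only says it is a lookup keyed on Operation.
SUCCESS_LOOKUP = {"UserLoggedIn": True, "UserLoginFailed": False}


def _actor_id(record, index):
    """Return Actor[index].ID, reading 'Actor.N.ID' as a 0-based list index (assumption)."""
    actors = record.get("Actor") or []
    return actors[index].get("ID") if index < len(actors) else None


def parse_creation_time(value):
    """CreationTime is documented as yyyy-MM-dd'T'HH:mm:ss; treated as UTC (assumption)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def map_sts_logon(record):
    """Apply the mapping table to one record; None when the event ID does not match."""
    if not EVENT_ID_PATTERN.match(str(record.get("RecordType", ""))):
        return None
    return {
        "action": record.get("Operation"),
        "application": record.get("Workload"),
        "cause": record.get("LogonError"),
        "device_ip": record.get("ActorIpAddress"),
        "logonType": record.get("RecordTypeString"),
        "normalizedAction": "logon",  # static text per the mapping table
        "srcDevice_ip": record.get("ActorIpAddress"),
        "success": SUCCESS_LOOKUP.get(record.get("Operation")),
        "timestamp": parse_creation_time(record["CreationTime"]),
        "user_userId": _actor_id(record, 1),
        "user_username": _actor_id(record, 2),
    }


# Constructed sample record (not a real log); values are illustrative only.
SAMPLE = {
    "RecordType": 15,
    "RecordTypeString": "AzureActiveDirectoryStsLogon",
    "Operation": "UserLoginFailed",
    "Workload": "AzureActiveDirectory",
    "LogonError": "InvalidUserNameOrPassword",
    "ActorIpAddress": "203.0.113.10",
    "CreationTime": "2024-05-01T12:34:56",
    "Actor": [{"ID": "00000000-0000-0000-0000-000000000001"},
              {"ID": "11111111-1111-1111-1111-111111111111"},
              {"ID": "alice@example.com"}],
}
```

Running `map_sts_logon(SAMPLE)` yields a dict with `success` False, `cause` set from `LogonError`, and the user fields taken from the second and third `Actor` entries; a record whose `RecordType` does not match returns None.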