AD LDAP

The ad_ldap log type tracks Active Directory logs, such as:

  • Lightweight Directory Access Protocol (LDAP) queries.
  • Errors from the LDAP server.
  • Timeout events.
  • Unsecured LDAP binds.

The following code snippet contains all raw_field and ecs mappings for this log type:

  1.  "mappings": [
  2.    {
  3.       "raw_field":"TargetUserName",
  4.       "ecs":"azure.signinlogs.properties.user_id"
  5.     },
  6.     {
  7.       "raw_field":"creationTime",
  8.       "ecs":"timestamp"
  9.     },
  10.     {
  11.       "raw_field":"Category",
  12.       "ecs":"azure.activitylogs.category"
  13.     },
  14.     {
  15.       "raw_field":"OperationName",
  16.       "ecs":"azure.platformlogs.operation_name"
  17.     },
  18.     {
  19.       "raw_field":"ModifiedProperties_NewValue",
  20.       "ecs":"modified_properties.new_value"
  21.     },
  22.     {
  23.       "raw_field":"ResourceProviderValue",
  24.       "ecs":"azure.resource.provider"
  25.     },
  26.     {
  27.       "raw_field":"conditionalAccessStatus",
  28.       "ecs":"azure.signinlogs.properties.conditional_access_status"
  29.     },
  30.     {
  31.       "raw_field":"SearchFilter",
  32.       "ecs":"SearchFilter"
  33.     },
  34.     {
  35.       "raw_field":"Operation",
  36.       "ecs":"azure.platformlogs.operation_name"
  37.     },
  38.     {
  39.       "raw_field":"ResultType",
  40.       "ecs":"azure.platformlogs.result_type"
  41.     },
  42.     {
  43.       "raw_field":"DeviceDetail_isCompliant",
  44.       "ecs":"azure.signinlogs.properties.device_detail.is_compliant"
  45.     },
  46.     {
  47.       "raw_field":"ResourceDisplayName",
  48.       "ecs":"resource_display_name"
  49.     },
  50.     {
  51.       "raw_field":"AuthenticationRequirement",
  52.       "ecs":"azure.signinlogs.properties.authentication_requirement"
  53.     },
  54.     {
  55.       "raw_field":"TargetResources",
  56.       "ecs":"target_resources"
  57.     },
  58.     {
  59.       "raw_field":"Workload",
  60.       "ecs":"workload"
  61.     },
  62.     {
  63.       "raw_field":"DeviceDetail.deviceId",
  64.       "ecs":"azure.signinlogs.properties.device_detail.device_id"
  65.     },
  66.     {
  67.       "raw_field":"OperationNameValue",
  68.       "ecs":"azure.platformlogs.operation_name"
  69.     },
  70.     {
  71.       "raw_field":"ResourceId",
  72.       "ecs":"azure.signinlogs.properties.resource_id"
  73.     },
  74.     {
  75.       "raw_field":"ResultDescription",
  76.       "ecs":"azure.signinlogs.result_description"
  77.     },
  78.     {
  79.       "raw_field":"EventID",
  80.       "ecs":"EventID"
  81.     },
  82.     {
  83.       "raw_field":"NetworkLocationDetails",
  84.       "ecs":"azure.signinlogs.properties.network_location_details"
  85.     },
  86.     {
  87.       "raw_field":"CategoryValue",
  88.       "ecs":"azure.activitylogs.category"
  89.     },
  90.     {
  91.       "raw_field":"ActivityDisplayName",
  92.       "ecs":"azure.auditlogs.properties.activity_display_name"
  93.     }
  94.   ]