AD LDAP

The ad_ldap log type tracks Active Directory logs, such as:

  • Lightweight Directory Access Protocol (LDAP) queries.
  • Errors from the LDAP server.
  • Timeout events.
  • Unsecured LDAP binds.

The following snippet is the `mappings` array from the ad_ldap log type definition and lists every raw_field → ecs mapping it defines. Note that the mapping is many-to-one in places: OperationName, Operation, and OperationNameValue all resolve to azure.platformlogs.operation_name, and both Category and CategoryValue resolve to azure.activitylogs.category, so a detection rule written against one of those ecs fields matches whichever raw field happens to be present in the event. SearchFilter and EventID are mapped to themselves (no ECS normalization), so rules must reference them by their raw names:

  1. "mappings": [
  2. {
  3. "raw_field":"TargetUserName",
  4. "ecs":"azure.signinlogs.properties.user_id"
  5. },
  6. {
  7. "raw_field":"creationTime",
  8. "ecs":"timestamp"
  9. },
  10. {
  11. "raw_field":"Category",
  12. "ecs":"azure.activitylogs.category"
  13. },
  14. {
  15. "raw_field":"OperationName",
  16. "ecs":"azure.platformlogs.operation_name"
  17. },
  18. {
  19. "raw_field":"ModifiedProperties_NewValue",
  20. "ecs":"modified_properties.new_value"
  21. },
  22. {
  23. "raw_field":"ResourceProviderValue",
  24. "ecs":"azure.resource.provider"
  25. },
  26. {
  27. "raw_field":"conditionalAccessStatus",
  28. "ecs":"azure.signinlogs.properties.conditional_access_status"
  29. },
  30. {
  31. "raw_field":"SearchFilter",
  32. "ecs":"SearchFilter"
  33. },
  34. {
  35. "raw_field":"Operation",
  36. "ecs":"azure.platformlogs.operation_name"
  37. },
  38. {
  39. "raw_field":"ResultType",
  40. "ecs":"azure.platformlogs.result_type"
  41. },
  42. {
  43. "raw_field":"DeviceDetail_isCompliant",
  44. "ecs":"azure.signinlogs.properties.device_detail.is_compliant"
  45. },
  46. {
  47. "raw_field":"ResourceDisplayName",
  48. "ecs":"resource_display_name"
  49. },
  50. {
  51. "raw_field":"AuthenticationRequirement",
  52. "ecs":"azure.signinlogs.properties.authentication_requirement"
  53. },
  54. {
  55. "raw_field":"TargetResources",
  56. "ecs":"target_resources"
  57. },
  58. {
  59. "raw_field":"Workload",
  60. "ecs":"workload"
  61. },
  62. {
  63. "raw_field":"DeviceDetail.deviceId",
  64. "ecs":"azure.signinlogs.properties.device_detail.device_id"
  65. },
  66. {
  67. "raw_field":"OperationNameValue",
  68. "ecs":"azure.platformlogs.operation_name"
  69. },
  70. {
  71. "raw_field":"ResourceId",
  72. "ecs":"azure.signinlogs.properties.resource_id"
  73. },
  74. {
  75. "raw_field":"ResultDescription",
  76. "ecs":"azure.signinlogs.result_description"
  77. },
  78. {
  79. "raw_field":"EventID",
  80. "ecs":"EventID"
  81. },
  82. {
  83. "raw_field":"NetworkLocationDetails",
  84. "ecs":"azure.signinlogs.properties.network_location_details"
  85. },
  86. {
  87. "raw_field":"CategoryValue",
  88. "ecs":"azure.activitylogs.category"
  89. },
  90. {
  91. "raw_field":"ActivityDisplayName",
  92. "ecs":"azure.auditlogs.properties.activity_display_name"
  93. }
  94. ]