Interpret the Azure AD audit logs schema in Azure Monitor (preview)

This article describes the Azure Active Directory (Azure AD) audit log schema in Azure Monitor. Each individual log entry is stored as text and formatted as a JSON blob, as shown in the following three examples. The first two show the original export shape; the third shows the newer shape, which adds a resourceId, uses the AuditLogs category, and nests structured initiatedBy and targetResources objects under properties:

{ 
    "records": [ 
    { 
        "time": "2018-03-17T00:14:31.2585575Z", 
        "operationName": "Change password (self-service)",
        "operationVersion": "1.0",
        "category": "Audit", 
        "tenantId": "bf85dc9d-cb43-44a4-80c4-469e8c58249e", 
        "resultType": "Success", 
        "resultSignature": "-1", 
        "resultDescription": "None", 
        "durationMs": "-1", 
        "correlationId": "60d5e89a-b890-413f-9e25-a047734afe9f", 
        "identity": "sreens@wingtiptoysonline.com", 
        "Level": "Informational", 
        "location": "WUS", 
        "properties": { 
            "identityType": "UPN", 
            "operationType": "Update", 
            "additionalDetails": "None", 
            "additionalTargets": "", 
            "targetUpdatedProperties": "", 
            "targetResourceType": "UPN__TenantContextID__PUID__ObjectID__ObjectClass", 
            "targetResourceName": "sreens@wingtiptoysonline.com__bf85dc9d-cb43-44a4-80c4-469e8c58249e__1003BFFD9FEB17DB__7a408bdd-7d97-4574-8511-dd747b56465d__User", 
            "auditEventCategory": "UserManagement" 
        } 
    } 
    ] 
} 
{ 
    "records": [ 
    { 
        "time": "2018-03-18T19:47:43.0368859Z", 
        "operationName": "Update service principal.", 
        "operationVersion": "1.0", 
        "category": "Audit", 
        "tenantId": "bf85dc9d-cb43-44a4-80c4-469e8c58249e", 
        "resultType": "Success", 
        "resultSignature": "-1", 
        "durationMs": "-1", 
        "callerIpAddress": "<null>", 
        "correlationId": "14916c7a-5a7d-44e8-9b06-74b49efb08ee", 
        "identity": "NA", 
        "Level": "Informational", 
        "properties": { 
            "identityType": "NA", 
            "operationType": "Update", 
            "additionalDetails": {}, 
            "additionalTargets": "", 
            "targetUpdatedProperties": [ 
            { 
                "Name": "Included Updated Properties", 
                "OldValue": null, 
                "NewValue": "" 
            }, 
            { 
                "Name": "TargetId.ServicePrincipalNames", 
                "OldValue": null, 
                "NewValue": "http://adapplicationregistry.partner.onmschina.cn/salesforce.com/primary;cd3ed3de-93ee-400b-8b19-b61ef44a0f29" 
            } 
            ], 
            "targetResourceType": "Other__ObjectID__ObjectClass__Name__AppId__SPN", 
            "targetResourceName": "ServicePrincipal_ea70a262-4da3-440a-b396-9734ddfd9df2__ea70a262-4da3-440a-b396-9734ddfd9df2__ServicePrincipal__Salesforce__cd3ed3de-93ee-400b-8b19-b61ef44a0f29__http://adapplicationregistry.partner.onmschina.cn/salesforce.com/primary;cd3ed3de-93ee-400b-8b19-b61ef44a0f29", 
            "auditEventCategory": "ApplicationManagement" 
        } 
    } 
    ] 
} 
{
    "records": [
    {
        "time": "2018-12-10T00:03:46.6161822Z",
        "resourceId": "/tenants/7918d4b5-0442-4a97-be2d-36f9f9962ece/providers/Microsoft.aadiam",
        "operationName": "Update policy",
        "operationVersion": "1.0",
        "category": "AuditLogs",
        "tenantId": "7918d4b5-0442-4a97-be2d-36f9f9962ece",
        "resultSignature": "None",
        "durationMs": 0,
        "callerIpAddress": "<null>",
        "correlationId": "192298c1-0994-4dd6-b05a-a6c5984c31cb",
        "identity": "MS-PIM",
        "level": "Informational",
        "properties": {
            "id": "Directory_VNXV4_28148892",
            "category": "Policy",
            "correlationId": "192298c1-0994-4dd6-b05a-a6c5984c31cb",
            "result": 0,
            "resultReason": "",
            "activityDisplayName": "Update policy",
            "activityDateTime": "2018-12-10T00:03:46.6161822+00:00",
            "loggedByService": "Core Directory",
            "operationType": "Update",
            "initiatedBy": {},
            "targetResources": [
            {
                "id": "5e7a8ae7-165d-44a4-a4f4-6141f8c8ef40",
                "displayName": "Default Policy",
                "type": "Policy",
                "modifiedProperties": []
            }
            ],
            "additionalDetails": []
        }
    }
    ]
}

Field and property descriptions

The tables below describe the fields of the original export shape (the first two examples). The third example carries additional top-level and nested fields (resourceId, properties.id, activityDisplayName, loggedByService, initiatedBy, targetResources) that are not listed here.

| Field name | Description |
| --- | --- |
| time | The date and time (UTC). |
| operationName | The name of the operation. |
| operationVersion | The REST API version that's requested by the client. |
| category | The log category. Audit is the documented value for this schema; the newer export shape in the third example uses AuditLogs. |
| tenantId | The tenant GUID that's associated with the logs. |
| resultType | The result of the operation. The result can be Success or Failure. |
| resultSignature | This field is unmapped, and you can safely ignore it. |
| resultDescription | An additional description of the result, where available. |
| durationMs | This field is unmapped, and you can safely ignore it. |
| callerIpAddress | The IP address of the client that made the request. When no address was recorded, the value is the literal string "<null>" (as in the second and third examples), not a JSON null, so parsers and detection queries must treat that string as missing. |
| correlationId | An optional GUID that's passed by the client. It can help correlate client-side operations with server-side operations, and it's useful when you're tracking logs that span services. |
| identity | The identity from the token that was presented when the request was made. The identity can be a user account, a system account, or a service principal. The value is "NA" when no identity was recorded (second example) and a service name such as MS-PIM for first-party services (third example). |
| level | The message type. For audit logs, the level is always Informational. Note that the key is spelled Level in the first two examples and level in the third. |
| location | The location of the datacenter. |
| properties | Lists the supported properties that are related to an audit log. For more information, see the next table. |

| Property name | Description |
| --- | --- |
| auditEventCategory | The type of audit event. It can be UserManagement, ApplicationManagement, or another type. |
| identityType | The type of the identity that performed the operation. It can be Application or User; the examples above show UPN for a user and NA where no identity was recorded. |
| operationType | The type of operation. It can be Add, Update, Delete, or Other. |
| targetResourceType | Specifies the target resource type that the operation was performed on. The type can be Application, User, Role, or Policy. In the examples above it is a "__"-separated list of identifier names (for example UPN__TenantContextID__PUID__ObjectID__ObjectClass); the corresponding values appear in the same order in targetResourceName. |
| targetResourceName | The name of the target resource. It can be an application name, a role name, a user principal name, or a service principal name, packed with the other identifiers named in targetResourceType and separated by "__". |
| additionalTargets | Lists any additional targets for specific operations. For an update operation, the old values and the new values of the changed properties are listed under targetUpdatedProperties (as in the second example); the newer shape lists them under targetResources[].modifiedProperties instead (third example). |
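As an added example (not code from the original page or from Microsoft's own documentation), the following Python normalizes records of both shapes shown above into one structure: it treats the "<null>", "NA" and "None" placeholder strings as missing values, splits the "__"-packed targetResourceType/targetResourceName pair of the older records into named fields, and reads the structured targetResources array from the newer one. The sample export is constructed from the page's examples and is not a live capture; the interpretation of properties.result == 0 as success and the normalized field names are assumptions.

```python
import json

# Constructed sample export modelled on the first and third examples above.
# Not captured from a live tenant; identifiers are copied from the page.
SAMPLE_EXPORT = json.dumps({"records": [
    {
        "time": "2018-03-17T00:14:31.2585575Z",
        "operationName": "Change password (self-service)",
        "category": "Audit",
        "tenantId": "bf85dc9d-cb43-44a4-80c4-469e8c58249e",
        "resultType": "Success",
        "identity": "sreens@wingtiptoysonline.com",
        "Level": "Informational",
        "properties": {
            "identityType": "UPN",
            "operationType": "Update",
            "targetUpdatedProperties": "",
            "targetResourceType": "UPN__TenantContextID__PUID__ObjectID__ObjectClass",
            "targetResourceName": ("sreens@wingtiptoysonline.com__bf85dc9d-cb43-44a4-80c4-469e8c58249e"
                                   "__1003BFFD9FEB17DB__7a408bdd-7d97-4574-8511-dd747b56465d__User"),
            "auditEventCategory": "UserManagement",
        },
    },
    {
        "time": "2018-12-10T00:03:46.6161822Z",
        "operationName": "Update policy",
        "category": "AuditLogs",
        "tenantId": "7918d4b5-0442-4a97-be2d-36f9f9962ece",
        "callerIpAddress": "<null>",
        "identity": "MS-PIM",
        "level": "Informational",
        "properties": {
            "category": "Policy",
            "result": 0,
            "operationType": "Update",
            "initiatedBy": {},
            "targetResources": [{
                "id": "5e7a8ae7-165d-44a4-a4f4-6141f8c8ef40",
                "displayName": "Default Policy",
                "type": "Policy",
                "modifiedProperties": [],
            }],
        },
    },
]})


def null_to_none(value):
    """The export writes absent values as the literal strings "<null>", "NA"
    or "None" rather than JSON null; treat all of them as missing."""
    return None if value in ("<null>", "NA", "None", "") else value


def split_target(resource_type: str, resource_name: str) -> dict:
    """Old-schema targetResourceType names the identifiers that are packed into
    targetResourceName, joined by "__" in the same order. A bounded maxsplit
    keeps a trailing value such as an SPN URL intact even if it contains "__"."""
    keys = resource_type.split("__")
    values = resource_name.split("__", len(keys) - 1)
    return dict(zip(keys, values))


def normalize(record: dict) -> dict:
    """Map one raw record of either schema onto a common shape (field names are
    this example's own choice, not part of the Azure Monitor schema)."""
    props = record.get("properties", {})
    event = {
        "time": record["time"],
        "operation": record["operationName"],
        "tenant_id": record.get("tenantId"),
        "level": record.get("level", record.get("Level")),  # key casing differs by schema
        "caller_ip": null_to_none(record.get("callerIpAddress")),
        "actor": null_to_none(record.get("identity")),
        "operation_type": props.get("operationType"),
        "success": None,
        "targets": [],
    }
    if "resultType" in record:                  # old schema: "Success" / "Failure"
        event["success"] = record["resultType"] == "Success"
    elif "result" in props:                     # new schema; assumption: 0 means success
        event["success"] = props["result"] == 0
    if "targetResources" in props:              # new schema: structured targets
        for t in props["targetResources"]:
            event["targets"].append({"id": t.get("id"), "type": t.get("type"),
                                     "name": t.get("displayName"),
                                     "modified": t.get("modifiedProperties") or []})
    elif "targetResourceType" in props:         # old schema: "__"-packed target
        fields = split_target(props["targetResourceType"], props["targetResourceName"])
        event["targets"].append({"id": fields.get("ObjectID"), "type": fields.get("ObjectClass"),
                                 "name": fields.get("UPN") or fields.get("Name"),
                                 "modified": props.get("targetUpdatedProperties") or []})
    return event


def parse_export(text: str) -> list:
    """Parse one Azure Monitor export blob and normalize every record in it."""
    return [normalize(r) for r in json.loads(text)["records"]]


if __name__ == "__main__":
    for e in parse_export(SAMPLE_EXPORT):
        print(e["time"], e["actor"], e["operation"], "->",
              [(t["type"], t["name"]) for t in e["targets"]])
```

Feeding both shapes through one normalizer matters for detection content: a rule keyed on "callerIpAddress is empty" silently misses every record where the value is the string "<null>", and a rule keyed on targetResources never fires on the older records, whose targets only exist inside the packed targetResourceName string.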

Next steps