Link Search Menu Expand Document Documentation Menu

You're viewing version 2.17 of the OpenSearch documentation. This version is no longer maintained. For the latest version, see the current documentation. For information about OpenSearch version maintenance, see Release Schedule and Maintenance Policy.

AD LDAP

The ad_ldap log type tracks Active Directory logs, such as:

  • Lightweight Directory Access Protocol (LDAP) queries.
  • Errors from the LDAP server.
  • Timeout events.
  • Unsecured LDAP binds.

The following code snippet contains all raw_field and ecs mappings for this log type:

 "mappings": [
   {
      "raw_field":"TargetUserName",
      "ecs":"azure.signinlogs.properties.user_id"
    },
    {
      "raw_field":"creationTime",
      "ecs":"timestamp"
    },
    {
      "raw_field":"Category",
      "ecs":"azure.activitylogs.category"
    },
    {
      "raw_field":"OperationName",
      "ecs":"azure.platformlogs.operation_name"
    },
    {
      "raw_field":"ModifiedProperties_NewValue",
      "ecs":"modified_properties.new_value"
    },
    {
      "raw_field":"ResourceProviderValue",
      "ecs":"azure.resource.provider"
    },
    {
      "raw_field":"conditionalAccessStatus",
      "ecs":"azure.signinlogs.properties.conditional_access_status"
    },
    {
      "raw_field":"SearchFilter",
      "ecs":"SearchFilter"
    },
    {
      "raw_field":"Operation",
      "ecs":"azure.platformlogs.operation_name"
    },
    {
      "raw_field":"ResultType",
      "ecs":"azure.platformlogs.result_type"
    },
    {
      "raw_field":"DeviceDetail_isCompliant",
      "ecs":"azure.signinlogs.properties.device_detail.is_compliant"
    },
    {
      "raw_field":"ResourceDisplayName",
      "ecs":"resource_display_name"
    },
    {
      "raw_field":"AuthenticationRequirement",
      "ecs":"azure.signinlogs.properties.authentication_requirement"
    },
    {
      "raw_field":"TargetResources",
      "ecs":"target_resources"
    },
    {
      "raw_field":"Workload",
      "ecs":"workload"
    },
    {
      "raw_field":"DeviceDetail.deviceId",
      "ecs":"azure.signinlogs.properties.device_detail.device_id"
    },
    {
      "raw_field":"OperationNameValue",
      "ecs":"azure.platformlogs.operation_name"
    },
    {
      "raw_field":"ResourceId",
      "ecs":"azure.signinlogs.properties.resource_id"
    },
    {
      "raw_field":"ResultDescription",
      "ecs":"azure.signinlogs.result_description"
    },
    {
      "raw_field":"EventID",
      "ecs":"EventID"
    },
    {
      "raw_field":"NetworkLocationDetails",
      "ecs":"azure.signinlogs.properties.network_location_details"
    },
    {
      "raw_field":"CategoryValue",
      "ecs":"azure.activitylogs.category"
    },
    {
      "raw_field":"ActivityDisplayName",
      "ecs":"azure.auditlogs.properties.activity_display_name"
    }
  ]
350 characters left

Have a question? .

Want to contribute? or .