eG Monitoring
Measures reported by AzrADAuditTest

Azure Active Directory provides Audit Logs, in which changes and updates to the configuration of users, groups, and applications are recorded. With the audit logs in Azure AD, administrators get access to records of system activities for compliance.

The success of such updates is key to maintaining the integrity of the resources (e.g., users, groups, applications, policies) managed by Azure AD. If attempts to make these changes fail or time out frequently, Azure AD will be left managing outdated objects and information. For instance, if an important group policy update fails, it can leave serious security holes in your Azure cloud organization. To avoid this, administrators should be instantly alerted whenever configuration changes or critical activities performed on Azure AD fail. This is exactly what the AzrADAuditTest does!

This test auto-discovers the different categories of activities performed on Azure AD, using the messages logged in Azure AD audit logs. The test then scans each category of messages logged for failures, and reports the count and details of such failures. Using this information, administrators can promptly capture and effectively resolve failures that are encountered when making business-critical changes to the Azure organization.

Outputs of the test: One set of results for each type/category of change activity performed on the Azure AD tenant being monitored. A set of results is also reported for a 'Summary' descriptor.

The measures made by this test are as follows:

Measurement: Success_count
Description: Indicates the number of successful activities of this category performed on Azure AD. For the Summary descriptor, this measure reports an aggregate of all successful activities, across categories.
Measurement Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know which activity was performed, when, who initiated it, and which property was modified as a result.

Measurement: Failure_count
Description: Indicates the number of activities of this category that failed. For the Summary descriptor, this measure reports an aggregate of all failed activities, across categories.
Measurement Unit: Number
Interpretation: Ideally, the value of this measure should be 0. A non-zero value implies that an activity or an update has failed. Using the detailed diagnosis of this measure, you can figure out when the failure occurred, what activity/change was attempted, who attempted it, and the reason for the failure. This information will greatly support the troubleshooting efforts of administrators.

Measurement: Timeout_count
Description: Indicates the number of activities of this category that timed out. For the Summary descriptor, this measure reports an aggregate of all activities that timed out, across categories.
Measurement Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know which activity timed out, who initiated it, and which property was to be modified as a result.

Measurement: Unknown_future_count
Description: Indicates the number of activities of this category that are logged as 'Unknown' in the Azure AD audit logs. For the Summary descriptor, this measure reports an aggregate of all 'Unknown' activities, across categories.
Measurement Unit: Number
Interpretation: Ideally, the value of this measure should be 0. If this measure reports a non-zero value, use the detailed diagnosis of this measure to determine what the 'Unknown' activities are.

Measurement: Other_status_count
Description: Indicates the number of 'other' activities, i.e., activities that cannot be classified as successful, failed, timed out, or unknown, logged in the audit logs for this category. For the Summary descriptor, this measure reports an aggregate of 'other' activities, across categories.
Measurement Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know which activities these are, when they were performed, and who initiated them.
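The classification the test performs (per-category status counts plus the Summary descriptor, with the initiator, timestamp and modified properties kept for detailed diagnosis) can be reproduced offline. The following is an added example and not eG's own implementation: it assumes audit records in the Microsoft Graph directoryAudit shape (fields category, result, resultReason, activityDisplayName, activityDateTime, initiatedBy, targetResources) and uses constructed sample records, not data from a real tenant.

```python
"""Aggregate Azure AD audit-log records into the status counts the test reports
per category, plus the 'Summary' descriptor that spans all categories."""
from collections import defaultdict

# Assumption: records follow the Microsoft Graph directoryAudit shape. Graph
# 'result' values map onto the page's measures; any other value is 'other'.
RESULT_TO_MEASURE = {"success": "Success_count", "failure": "Failure_count",
                     "timeout": "Timeout_count", "unknownFutureValue": "Unknown_future_count"}
MEASURES = list(RESULT_TO_MEASURE.values()) + ["Other_status_count"]

# Constructed sample records, not data from a real tenant.
SAMPLE_RECORDS = [
    {"category": "UserManagement", "result": "success", "activityDisplayName": "Update user",
     "activityDateTime": "2024-01-05T10:00:00Z", "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "targetResources": [{"modifiedProperties": [{"displayName": "JobTitle"}]}]},
    {"category": "GroupManagement", "result": "failure", "resultReason": "Insufficient privileges",
     "activityDisplayName": "Add member to group", "activityDateTime": "2024-01-05T10:01:00Z",
     "initiatedBy": {"app": {"displayName": "Provisioning"}}, "targetResources": []},
    {"category": "Policy", "result": "timeout", "activityDisplayName": "Update policy",
     "activityDateTime": "2024-01-05T10:02:00Z", "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
     "targetResources": [{"modifiedProperties": [{"displayName": "Conditions"}]}]},
    {"category": "Policy", "result": "unknownFutureValue", "activityDisplayName": "Update policy",
     "activityDateTime": "2024-01-05T10:03:00Z", "initiatedBy": {}, "targetResources": []},
    {"category": "GroupManagement", "result": "pending", "activityDisplayName": "Update group",
     "activityDateTime": "2024-01-05T10:04:00Z", "initiatedBy": {}, "targetResources": []},
]

def initiator(record):
    """Who started the activity (user UPN or app display name), for detailed diagnosis."""
    init = record.get("initiatedBy") or {}
    if init.get("user"):
        return init["user"].get("userPrincipalName", "?")
    return init["app"].get("displayName", "?") if init.get("app") else "unknown"

def aggregate(records):
    """Return ({descriptor: {measure: count}}, diagnosis rows (category, measure, when,
    activity, who, modified properties, reason) for every record that was not a success)."""
    counts = defaultdict(lambda: dict.fromkeys(MEASURES, 0))
    diagnosis = []
    for r in records:
        measure = RESULT_TO_MEASURE.get(r.get("result"), "Other_status_count")
        for descriptor in (r.get("category", "Uncategorized"), "Summary"):
            counts[descriptor][measure] += 1
        if measure != "Success_count":
            props = [p["displayName"] for t in r.get("targetResources", [])
                     for p in t.get("modifiedProperties", [])]
            diagnosis.append((r.get("category"), measure, r.get("activityDateTime"), r.get("activityDisplayName"),
                              initiator(r), props, r.get("resultReason")))
    return dict(counts), diagnosis
```

Calling aggregate(SAMPLE_RECORDS) yields one count set per category and one for Summary; the diagnosis rows are what an administrator would inspect when Failure_count, Timeout_count, Unknown_future_count or Other_status_count is non-zero.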