Ingest Microsoft Azure activity logs

This document describes the steps required to ingest Microsoft Azure activity logs (AZURE_ACTIVITY) into Google Security Operations.

Configure a Storage Account

Complete the following steps to configure a Storage account:

  1. In the Azure console, search for Storage accounts.
  2. Click Create.
  3. Select the Subscription, Resource Group, Region, Performance (Standard is recommended), and Redundancy (GRS or LRS is recommended) for the account, and enter a name for the new Storage Account.
  4. Click Review + create, review the overview of the account and click Create.
  5. On the Storage Account Overview page, select Access keys from the left navigation of the window.
  6. Click Show keys and make a note of the shared key for the storage account.
  7. Select Endpoints from the left navigation of the window.
  8. Make a note of the Blob service endpoint. (https://<storageaccountname>.blob.core.windows.net/)

Configure Azure activity logging

Complete the following steps to configure Azure activity logging:

  1. In the Azure console, search for Monitor.
  2. Click the Activity log link in the left navigation of the page.
  3. Click Export Activity Logs at the top of the window.
  4. Click Add diagnostic setting.
  5. Select all the categories you wish to export to Google Security Operations.
  6. Under Destination details select Archive to a storage account.
  7. Select the subscription and storage account you created in the previous step.
  8. Click Save.

Configure a feed in Google Security Operations to ingest the Azure logs

Complete the following steps to configure a feed in Google Security Operations to ingest the Azure logs:

  1. Go to SIEM Settings > Feeds.
  2. Click Add New.
  3. Enter a unique name for the Feed Name.
  4. Select Microsoft Azure Blob Storage as the Source Type.
  5. Select Microsoft Azure Activity as the Log Type.
  6. Click Next.
  7. Configure the following mandatory input parameters:
    • Azure URI: enter the Blob Service endpoint value you recorded earlier, suffixed with insights-activity-logs (for example, https://acme-azure-chronicle.blob.core.windows.net/insights-activity-logs)
    • URI is a: select Directory which includes subdirectories.
    • Source Deletion Option: specify whether to delete files and directories after transferring.
    • Shared key: enter the shared key value you captured earlier.
  8. Click Next and then click Submit.

Field mapping reference

The parser first initializes a large number of fields to empty strings, then runs a series of string manipulations and JSON parsing operations to extract the relevant values from the Azure Activity log message. Finally, it maps the extracted data to Unified Data Model (UDM) fields, sets the event type, and enriches the event with details such as severity, principal information, and network data.

UDM Mapping Table

| Log field | UDM mapping | Logic |
|---|---|---|
| category | read_only_udm.security_result.category_details | Directly mapped from the "category" field in the raw log. |
| callerIpAddress | read_only_udm.principal.asset.ip, read_only_udm.principal.ip | Directly mapped from the "callerIpAddress" field in the raw log. |
| correlationId | read_only_udm.security_result.detection_fields.correlationId | Directly mapped from the "correlationId" field in the raw log. |
| data.callerIpAddress | read_only_udm.principal.asset.ip, read_only_udm.principal.ip | Directly mapped from the "callerIpAddress" field within the "data" object in the raw log. |
| data.correlationId | read_only_udm.security_result.detection_fields.correlationId | Directly mapped from the "correlationId" field within the "data" object in the raw log. |
| data.DeploymentUnit | read_only_udm.target.resource.name | Directly mapped from the "DeploymentUnit" field within the "data" object in the raw log. |
| data.details | read_only_udm.metadata.description | Directly mapped from the "details" field within the "data" object in the raw log, only if the "details" field is not "Unknown". |
| data.entity | read_only_udm.additional.fields.entity | Directly mapped from the "entity" field within the "data" object in the raw log. |
| data.EventName | read_only_udm.metadata.product_event_type | Directly mapped from the "EventName" field within the "data" object in the raw log. |
| data.hierarchy | read_only_udm.additional.fields.hierarchy | Directly mapped from the "hierarchy" field within the "data" object in the raw log. |
| data.identity.authorization.action | read_only_udm.security_result.detection_fields.action | Directly mapped from the "action" field within the "authorization" object of the "identity" object in the raw log. |
| data.identity.authorization.evidence.principalId | read_only_udm.principal.user.product_object_id, read_only_udm.principal.resource.product_object_id, read_only_udm.principal.group.product_object_id | Directly mapped from the "principalId" field within the "evidence" object of the "authorization" object of the "identity" object in the raw log. The specific UDM field it maps to depends on the value of the "principalType" field. If "principalType" is "User" or "ServicePrincipal", it maps to principal.user.product_object_id. If "principalType" is "Group", it maps to principal.group.product_object_id. If "principalType" is "ServicePrincipal", it maps to principal.resource.product_object_id. |
| data.identity.authorization.evidence.principalType | read_only_udm.principal.resource.resource_subtype | Directly mapped from the "principalType" field within the "evidence" object of the "authorization" object of the "identity" object in the raw log. |
| data.identity.authorization.evidence.role | read_only_udm.principal.user.role_name | Directly mapped from the "role" field within the "evidence" object of the "authorization" object of the "identity" object in the raw log. |
| data.identity.authorization.evidence.roleAssignmentId | read_only_udm.principal.resource.attribute.labels.roleAssignmentId | Directly mapped from the "roleAssignmentId" field within the "evidence" object of the "authorization" object of the "identity" object in the raw log. |
| data.identity.authorization.evidence.roleAssignmentScope | read_only_udm.principal.resource.attribute.labels.roleAssignmentScope | Directly mapped from the "roleAssignmentScope" field within the "evidence" object of the "authorization" object of the "identity" object in the raw log. |
| data.identity.authorization.evidence.roleDefinitionId | read_only_udm.principal.resource.attribute.labels.roleDefinitionId | Directly mapped from the "roleDefinitionId" field within the "evidence" object of the "authorization" object of the "identity" object in the raw log. |
| data.identity.authorization.scope | read_only_udm.security_result.detection_fields.scope | Directly mapped from the "scope" field within the "authorization" object of the "identity" object in the raw log. |
| data.identity.claims.aio | read_only_udm.security_result.detection_fields.aio | Directly mapped from the "aio" field within the "claims" object of the "identity" object in the raw log. |
| data.identity.claims.appid | read_only_udm.security_result.detection_fields.appid | Directly mapped from the "appid" field within the "claims" object of the "identity" object in the raw log. |
| data.identity.claims.appidacr | read_only_udm.security_result.detection_fields.appidacr | Directly mapped from the "appidacr" field within the "claims" object of the "identity" object in the raw log. |
| data.identity.claims.aud | read_only_udm.security_result.detection_fields.aud | Directly mapped from the "aud" field within the "claims" object of the "identity" object in the raw log. |
| data.identity.claims.exp | read_only_udm.security_result.detection_fields.exp | Directly mapped from the "exp" field within the "claims" object of the "identity" object in the raw log. |
| data.identity.claims.http://schemas.microsoft.com/identity/claims/identityprovider | read_only_udm.security_result.detection_fields.identityprovider | Directly mapped from the "http://schemas.microsoft.com/identity/claims/identityprovider" field within the "claims" object of the "identity" object in the raw log. |
| data.identity.claims.http://schemas.microsoft.com/identity/claims/objectidentifier | read_only_udm.security_result.detection_fields.objectidentifier | Directly mapped from the "http://schemas.microsoft.com/identity/claims/objectidentifier" field within the "claims" object of the "identity" object in the raw log. |
| data.identity.claims.http://schemas.microsoft.com/identity/claims/tenantid | read_only_udm.security_result.detection_fields.tenantid | Directly mapped from the "http://schemas.microsoft.com/identity/claims/tenantid" field within the "claims" object of the "identity" object in the raw log. |
| data.identity.claims.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | read_only_udm.security_result.detection_fields.nameidentifier | Directly mapped from the "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" field within the "claims" object of the "identity" object in the raw log. |
| data.identity.claims.iat | read_only_udm.security_result.detection_fields.iat | Directly mapped from the "iat" field within the "claims" object of the "identity" object in the raw log. |
| data.identity.claims.iss | read_only_udm.security_result.detection_fields.iss | Directly mapped from the "iss" field within the "claims" object of the "identity" object in the raw log. |
| data.identity.claims.nbf | read_only_udm.security_result.detection_fields.nbf | Directly mapped from the "nbf" field within the "claims" object of the "identity" object in the raw log. |
| data.identity.claims.rh | read_only_udm.security_result.detection_fields.rh | Directly mapped from the "rh" field within the "claims" object of the "identity" object in the raw log. |
| data.identity.claims.uti | read_only_udm.security_result.detection_fields.uti | Directly mapped from the "uti" field within the "claims" object of the "identity" object in the raw log. |
| data.identity.claims.ver | read_only_udm.security_result.detection_fields.ver | Directly mapped from the "ver" field within the "claims" object of the "identity" object in the raw log. |
| data.identity.claims.xms_tcdt | read_only_udm.security_result.detection_fields.xms_tcdt | Directly mapped from the "xms_tcdt" field within the "claims" object of the "identity" object in the raw log. |
| data.identity.UserName | read_only_udm.principal.user.user_display_name | Directly mapped from the "UserName" field within the "identity" object in the raw log. |
| data.level | read_only_udm.security_result.severity, read_only_udm.security_result.severity_details | Directly mapped from the "level" field within the "data" object in the raw log. The "level" field is also used to determine the value of the severity field. If "level" is "Information" or "Informational", severity is set to "INFORMATIONAL". If "level" is "Warning", severity is set to "MEDIUM". If "level" is "Error", severity is set to "ERROR". If "level" is "Critical", severity is set to "CRITICAL". |
| data.location | read_only_udm.target.location.name | Directly mapped from the "location" field within the "data" object in the raw log. |
| data.operationName | read_only_udm.metadata.product_event_type | Directly mapped from the "operationName" field within the "data" object in the raw log. |
| data.properties.EventChannel | read_only_udm.additional.fields.properties EventChannel | Directly mapped from the "EventChannel" field within the "properties" object of the "data" object in the raw log. |
| data.properties.EventSource | read_only_udm.additional.fields.properties EventSource | Directly mapped from the "EventSource" field within the "properties" object of the "data" object in the raw log. |
| data.properties.EventId | read_only_udm.metadata.product_log_id | Directly mapped from the "EventId" field within the "properties" object of the "data" object in the raw log. |
| data.properties.eventProperties.cause | read_only_udm.security_result.detection_fields.cause | Directly mapped from the "cause" field within the "eventProperties" object of the "properties" object of the "data" object in the raw log. |
| data.properties.eventProperties.clientIPAddress | read_only_udm.principal.asset.ip, read_only_udm.principal.ip | Directly mapped from the "clientIPAddress" field within the "eventProperties" object of the "properties" object of the "data" object in the raw log. |
| data.properties.eventProperties.compromisedHost | read_only_udm.principal.asset.hostname, read_only_udm.principal.hostname | Directly mapped from the "compromisedHost" field within the "eventProperties" object of the "properties" object of the "data" object in the raw log. |
| data.properties.eventProperties.currentHealthStatus | read_only_udm.security_result.detection_fields.currentHealthStatus | Directly mapped from the "currentHealthStatus" field within the "eventProperties" object of the "properties" object of the "data" object in the raw log. |
| data.properties.eventProperties.previousHealthStatus | read_only_udm.security_result.detection_fields.previousHealthStatus | Directly mapped from the "previousHealthStatus" field within the "eventProperties" object of the "properties" object of the "data" object in the raw log. |
| data.properties.eventProperties.type | read_only_udm.security_result.detection_fields.type | Directly mapped from the "type" field within the "eventProperties" object of the "properties" object of the "data" object in the raw log. |
| data.properties.eventProperties.User | read_only_udm.principal.user.userid | Directly mapped from the "User" field within the "eventProperties" object of the "properties" object of the "data" object in the raw log. |
| data.properties.eventProperties.userName | read_only_udm.principal.user.user_display_name | Directly mapped from the "userName" field within the "eventProperties" object of the "properties" object of the "data" object in the raw log, after removing the "SECURE\" prefix. |
| data.properties.ipAddress | read_only_udm.principal.asset.ip, read_only_udm.principal.ip | Directly mapped from the "ipAddress" field within the "properties" object of the "data" object in the raw log. |
| data.properties.legacyChannels | read_only_udm.security_result.detection_fields.legacyChannels | Directly mapped from the "legacyChannels" field within the "properties" object of the "data" object in the raw log. |
| data.properties.legacyEventDataId | read_only_udm.security_result.detection_fields.legacyEventDataId | Directly mapped from the "legacyEventDataId" field within the "properties" object of the "data" object in the raw log. |
| data.properties.legacyResourceId | read_only_udm.security_result.detection_fields.legacyResourceId | Directly mapped from the "legacyResourceId" field within the "properties" object of the "data" object in the raw log. |
| data.properties.legacyResourceGroup | read_only_udm.security_result.detection_fields.legacyResourceGroup | Directly mapped from the "legacyResourceGroup" field within the "properties" object of the "data" object in the raw log. |
| data.properties.legacyResourceProviderName | read_only_udm.security_result.detection_fields.legacyResourceProviderName | Directly mapped from the "legacyResourceProviderName" field within the "properties" object of the "data" object in the raw log. |
| data.properties.legacyResourceType | read_only_udm.security_result.detection_fields.legacyResourceType | Directly mapped from the "legacyResourceType" field within the "properties" object of the "data" object in the raw log. |
| data.properties.legacySubscriptionId | read_only_udm.security_result.detection_fields.legacySubscriptionId | Directly mapped from the "legacySubscriptionId" field within the "properties" object of the "data" object in the raw log. |
| data.properties.operationId | read_only_udm.security_result.detection_fields.operationId | Directly mapped from the "operationId" field within the "properties" object of the "data" object in the raw log. |
| data.properties.result | read_only_udm.security_result.action_details | Directly mapped from the "result" field within the "properties" object of the "data" object in the raw log. |
| data.properties.statusCode | read_only_udm.network.http.response_code | Directly mapped from the "statusCode" field within the "properties" object of the "data" object in the raw log. |
| data.properties.suspiciousCommandLine | read_only_udm.target.process.command_line | Directly mapped from the "suspiciousCommandLine" field within the "properties" object of the "data" object in the raw log. |
| data.properties.suspiciousProcess | read_only_udm.target.process.file.full_path | Directly mapped from the "suspiciousProcess" field within the "properties" object of the "data" object in the raw log. |
| data.properties.suspiciousProcessId | read_only_udm.target.process.pid | Directly mapped from the "suspiciousProcessId" field within the "properties" object of the "data" object in the raw log. |
| data.properties.tlsVersion | read_only_udm.network.tls.version | Directly mapped from the "tlsVersion" field within the "properties" object of the "data" object in the raw log. |
| data.properties.userAgent | read_only_udm.network.http.user_agent, read_only_udm.network.http.parsed_user_agent | Directly mapped from the "userAgent" field within the "properties" object of the "data" object in the raw log. |
| data.properties.userAgentHeader | read_only_udm.network.http.user_agent, read_only_udm.network.http.parsed_user_agent | Directly mapped from the "userAgentHeader" field within the "properties" object of the "data" object in the raw log. |
| data.properties.userId | read_only_udm.target.user.product_object_id | Directly mapped from the "userId" field within the "properties" object of the "data" object in the raw log. |
| data.ReleaseVersion | read_only_udm.metadata.product_version | Directly mapped from the "ReleaseVersion" field within the "data" object in the raw log. |
| data.resourceId | read_only_udm.target.resource.name | Directly mapped from the "resourceId" field within the "data" object in the raw log. |
| data.resourceType | read_only_udm.additional.fields.resourceType | Directly mapped from the "resourceType" field within the "data" object in the raw log. |
| data.resultDescription | read_only_udm.metadata.description | Directly mapped from the "resultDescription" field within the "data" object in the raw log. |
| data.resultSignature | read_only_udm.additional.fields.resultSignature | Directly mapped from the "resultSignature" field within the "data" object in the raw log. |
| data.resultType | read_only_udm.security_result.action_details, read_only_udm.additional.fields.resultType | Directly mapped from the "resultType" field within the "data" object in the raw log. |
| data.RoleLocation | read_only_udm.target.location.name | Directly mapped from the "RoleLocation" field within the "data" object in the raw log. |
| data.time | read_only_udm.metadata.event_timestamp | The "time" field within the "data" object in the raw log is parsed to extract the timestamp, which is then mapped to event_timestamp. |
| data.uri | read_only_udm.network.http.referral_url | Directly mapped from the "uri" field within the "data" object in the raw log. |
| | read_only_udm.extensions.auth.mechanism | Set to "INTERACTIVE" if the "isInteractive" field within the "properties" object of the "data" object in the raw log is "true". Otherwise, it is set to "MECHANISM_OTHER". |
| | read_only_udm.extensions.auth.type | Set to "MACHINE" if the "category" field in the raw log is "NonInteractiveUserSignInLogs", "ManagedIdentitySignInLogs", or "ServicePrincipalSignInLogs". |
| | read_only_udm.metadata.log_type | Hardcoded to "AZURE_ACTIVITY". |
| | read_only_udm.metadata.vendor_name | Hardcoded to "Microsoft". |
| | read_only_udm.principal.platform | Determined based on the value of the "properties.test.deviceDetail.operatingSystem" field. If it contains "Win", platform is set to "WINDOWS". If it contains "Mac", platform is set to "MAC". If it contains "Lin", platform is set to "LINUX". If it contains "Android", platform is set to "ANDROID". |
| | read_only_udm.principal.resource.type | Determined based on the value of the "identity.authorization.evidence.principalType" field. If it is "ServicePrincipal", type is set to "SERVICE_ACCOUNT". Otherwise, it is set to "UNSPECIFIED". |
| | read_only_udm.security_result.action | Determined based on the values of the "resultType", "status_errorcode", and "statusText" fields. If "resultType" is one of "Success", "success", "Succeeded", "Started", "Resolved", "Active", "Updated", "Start", "Accept", "Accepted", "0", or if "status_errorcode" is 0, or if "statusText" is "Success", action is set to "ALLOW". If "resultType" is one of "Failure", "Failed", or if "status_errorcode" is not empty, or if "resultType" is not empty, action is set to "BLOCK". Otherwise, it is set to "UNKNOWN_ACTION". |
| | read_only_udm.target.cloud.environment | Hardcoded to "MICROSOFT_AZURE". |
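The decision rules in the table above (severity from "level", action from "resultType"/"status_errorcode"/"statusText", platform detection, auth extensions and principal typing) can be modelled so an analyst can predict the UDM values a raw record should produce before writing detections against them. The following is an added example, not the Google SecOps parser; it assumes the table's "status_errorcode" and "statusText" inputs come from properties.status.errorCode and properties.statusText, and the sample record is constructed.

```python
"""Model of the documented AZURE_ACTIVITY -> UDM decision rules.

Added example, not Google SecOps parser code. It re-implements the rules
from the field mapping table so the expected UDM values for a record can
be checked. SAMPLE_EVENT below is constructed, not a real tenant's log.
"""
import json
from datetime import datetime, timezone

SEVERITY_BY_LEVEL = {
    "Information": "INFORMATIONAL", "Informational": "INFORMATIONAL",
    "Warning": "MEDIUM", "Error": "ERROR", "Critical": "CRITICAL",
}
ALLOW_RESULTS = {"Success", "success", "Succeeded", "Started", "Resolved",
                 "Active", "Updated", "Start", "Accept", "Accepted", "0"}
BLOCK_RESULTS = {"Failure", "Failed"}
MACHINE_CATEGORIES = {"NonInteractiveUserSignInLogs",
                      "ManagedIdentitySignInLogs", "ServicePrincipalSignInLogs"}
PLATFORM_MARKERS = (("Win", "WINDOWS"), ("Mac", "MAC"),
                    ("Lin", "LINUX"), ("Android", "ANDROID"))


def severity_for(level):
    """security_result.severity from data.level (None when the level is unmapped)."""
    return SEVERITY_BY_LEVEL.get(level)


def action_for(result_type, status_errorcode, status_text):
    """security_result.action in the table's order: ALLOW, then BLOCK, else UNKNOWN."""
    if (result_type in ALLOW_RESULTS or status_errorcode == 0
            or status_text == "Success"):
        return "ALLOW"
    if (result_type in BLOCK_RESULTS or status_errorcode not in (None, "")
            or result_type):
        return "BLOCK"
    return "UNKNOWN_ACTION"


def platform_for(operating_system):
    """principal.platform from deviceDetail.operatingSystem (substring match)."""
    for marker, platform in PLATFORM_MARKERS:
        if marker in (operating_system or ""):
            return platform
    return None


def principal_id_fields(principal_type, principal_id):
    """Which principal.*.product_object_id fields receive principalId."""
    fields = {}
    if principal_id:
        if principal_type in ("User", "ServicePrincipal"):
            fields["user"] = principal_id
        if principal_type == "Group":
            fields["group"] = principal_id
        if principal_type == "ServicePrincipal":
            fields["resource"] = principal_id
    return fields


def to_udm(raw):
    """Build the subset of UDM fields the table documents for one raw record."""
    data = raw.get("data", raw)
    props = data.get("properties") or {}
    evidence = (((data.get("identity") or {}).get("authorization") or {})
                .get("evidence") or {})
    ptype = evidence.get("principalType")
    ids = principal_id_fields(ptype, evidence.get("principalId"))
    # Assumption: status_errorcode / statusText come from these properties.
    status = props.get("status") or {}
    ts = datetime.fromisoformat(data["time"].replace("Z", "+00:00"))
    return {
        "metadata": {"log_type": "AZURE_ACTIVITY", "vendor_name": "Microsoft",
                     "product_event_type": data.get("operationName"),
                     "event_timestamp": ts.astimezone(timezone.utc).isoformat()},
        "principal": {
            "ip": data.get("callerIpAddress"),
            "platform": platform_for(
                (props.get("deviceDetail") or {}).get("operatingSystem")),
            "user": {"product_object_id": ids.get("user"),
                     "role_name": evidence.get("role")},
            "group": {"product_object_id": ids.get("group")},
            "resource": {"product_object_id": ids.get("resource"),
                         "resource_subtype": ptype,
                         "type": "SERVICE_ACCOUNT" if ptype == "ServicePrincipal"
                         else "UNSPECIFIED"}},
        "target": {"resource": {"name": data.get("resourceId")},
                   "cloud": {"environment": "MICROSOFT_AZURE"}},
        "security_result": {
            "category_details": raw.get("category"),
            "severity": severity_for(data.get("level")),
            "action": action_for(data.get("resultType"), status.get("errorCode"),
                                 props.get("statusText"))},
        "extensions": {"auth": {
            "mechanism": "INTERACTIVE"
            if str(props.get("isInteractive")).lower() == "true" else "MECHANISM_OTHER",
            "type": "MACHINE" if raw.get("category") in MACHINE_CATEGORIES else None}},
    }


# Constructed sample: a role assignment written by a service principal.
SAMPLE_EVENT = {
    "category": "Administrative",
    "data": {
        "time": "2024-07-10T08:15:30Z",
        "operationName": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
        "level": "Information", "resultType": "Success",
        "callerIpAddress": "203.0.113.10",
        "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG-EXAMPLE",
        "identity": {"authorization": {"evidence": {
            "principalType": "ServicePrincipal",
            "principalId": "11111111-2222-3333-4444-555555555555",
            "role": "Contributor"}}},
        "properties": {"status": {"errorCode": 0}, "isInteractive": "false",
                       "deviceDetail": {"operatingSystem": "Windows 11"}},
    },
}

if __name__ == "__main__":
    print(json.dumps(to_udm(SAMPLE_EVENT), indent=2))
```

Note that, exactly as the table states, any non-empty "resultType" outside the ALLOW list yields "BLOCK", so values such as throttling or cancellation results will show up as blocked actions.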

Changes

2024-07-10

  • If "identity.authorization.evidence.principalType" is equal to "Group", then mapped "identity.authorization.evidence.principalId" to "principal.group.product_object_id".
  • If "identity.authorization.evidence.principalType" is equal to "User" or "ServicePrincipal", then mapped "identity.authorization.evidence.principalId" to "principal.user.product_object_id".
  • Added gsub to change field "properties" to "properties.test" and removed the field starting with only "properties".

2024-07-08

  • Mapped "properties.compromisedEntity", "properties.attackedResourceType", and "properties.intent" to "target.resource.attribute.labels".
  • Mapped "properties.severity" to "security_result.severity".

2024-06-18

  • When "principal.user.userid" is not present, then changed mapping for "metadata.event_type" from "USER_RESOURCE_ACCESS" to "GENERIC_EVENT".

2024-06-18

  • Mapped "operationVersion" to "metadata.product_version".
  • Mapped "properties.authenticationRequirementPolicies.requirementProvider" and "properties.authenticationRequirementPolicies.detail" to "security_result.detection_fields".
  • Mapped "properties.authenticationDetails.StatusSequence", "properties.correlationId", "properties.uniqueTokenIdentifier" and "properties.authenticationDetails.RequestSequence" to "security_result.detection_fields".
  • Mapped "properties.appDisplayName" to "target.application".
  • Mapped "properties.conditionalAccessStatus", "properties.appliedConditionalAccessPolicies", "properties.authenticationContextClassReferences", "properties.signInTokenProtectionStatus", "properties.originalRequestId", "properties.authenticationProcessingDetails", "properties.clientCredentialType", "properties.processingTimeInMilliseconds", "properties.riskDetail", "properties.riskLevelAggregated", "properties.riskLevelDuringSignIn", "properties.riskState" and "properties.originalTransferMethod" to "additional.fields".
  • Mapped "properties.riskEventTypes", "properties.riskEventTypes_v2", "properties.homeTenantId", "properties.autonomousSystemNumber" and "properties.privateLinkDetails" to "additional.fields".
  • Mapped "properties.resourceId", "properties.resourceTenantId" and "properties.resourceServicePrincipalId" to "target.resource.attribute.labels".
  • Mapped "properties.userType" to "principal.user.attribute.roles".
  • Mapped "properties.userPrincipalName" to "principal.user.email_addresses".
  • Mapped "properties.clientAppUsed" to "principal.application".
  • Mapped "properties.deviceDetail.deviceId" to "principal.asset.asset_id" and "principal.asset_id".
  • Mapped "properties.appId" to "target.resource.attribute.labels".
  • Mapped "properties.status.additionalDetails" to "security_result.description".
  • Mapped "properties.responseBody.name" to "security_result.rule_name".
  • Mapped "properties.responseBody.properties.sourcePortRanges" and "properties.responseBody.properties.destinationPortRanges" to "additional.fields".
  • When "properties.responseBody.properties.sourceAddressPrefixes" is a single IP address, then mapped it to "principal.ip".
  • When "properties.responseBody.properties.sourceAddressPrefixes" is a range of IP addresses, then mapped it to "additional.fields".
  • When "properties.responseBody.properties.sourceAddressPrefix" is a single IP address or an IP address with a port, then mapped it to "principal.ip" and "principal.port".
  • When "properties.responseBody.properties.sourceAddressPrefix" is a range of IP addresses, then mapped it to "additional.fields".
  • When "properties.responseBody.properties.destinationAddressPrefixes" is a single IP address, then mapped it to "target.ip".
  • When "properties.responseBody.properties.destinationAddressPrefixes" is a range of IP addresses, then mapped it to "additional.fields".
  • When "properties.responseBody.properties.destinationAddressPrefix" is a single IP address or an IP address with a port, then mapped it to "target.ip" and "target.port".
  • When "properties.responseBody.properties.destinationAddressPrefix" is a range of IP addresses, then mapped it to "additional.fields".
  • When "properties.responseBody.properties.sourcePortRange" is a single port, then mapped it to "principal.port".
  • When "properties.responseBody.properties.sourcePortRange" is a range of ports, then mapped it to "additional.fields".
  • When "properties.responseBody.properties.destinationPortRange" is a single port, then mapped it to "target.port".
  • When "properties.responseBody.properties.destinationPortRange" is a range of ports, then mapped it to "additional.fields".
  • Mapped "properties.id" and "properties.status.errorCode" to "security_result.detection_fields".
  • Mapped "properties.isInteractive" to "extensions.auth.mechanism".
  • When "properties.deviceDetail.operatingSystem" is "ANDROID", then mapped "principal.platform" to "ANDROID".

2024-06-03

  • Mapped "SUBSCRIPTIONS", "RESOURCEGROUPS", "STORAGEACCOUNTS", "PROVIDERS" and "SNAPSHOTS" from "resourceId" to "target.resource.attribute.labels".

2024-05-21

  • If "identity.authorization.evidence.principalType" is equal to "User", "Group", "Application", then map "principal.resource.type" to "UNSPECIFIED".
  • Mapped "identity.authorization.evidence.role" to "principal.user.role_name".
  • Mapped "identity.authorization.evidence.principalType" to "principal.resource.resource_subtype".
  • Mapped "identity.authorization.evidence.principalId" to "principal.user.product_object_id".
  • Mapped "identity.authorization.evidence.roleAssignmentId", "identity.authorization.evidence.roleAssignmentScope", "identity.authorization.evidence.roleDefinitionId" to "principal.resource.attribute.labels".

2024-05-03

  • When "category" is "SignInLogs", then mapped "properties.userDisplayName" to "principal.user.user_display_name".
  • Mapped "properties.requestbody.properties.priority" and "properties.response.properties.priority" to "security_result.detection_fields".
  • Mapped "properties.requestbody.properties.protocol" to "network.ip_protocol".
  • Mapped "properties.requestbody.properties.direction" to "network.direction".
  • Mapped "properties.response.properties.protocol" to "network.ip_protocol".
  • Mapped "properties.response.properties.direction" to "network.direction".
  • Mapped "properties.response.properties.destinationPortRange" to "target.port".

2024-04-26

  • Mapped "operationName.value" to "metadata.product_event_type".
  • Mapped "category.value" to "security_result.category_details".
  • Mapped "httpRequest.uri" to "network.http.referral_url".
  • Mapped "httpRequest.method" to "network.http.method".
  • Mapped "httpRequest.clientIpAddress" to "principal.ip" and "principal.asset.ip".
  • Mapped "eventDataId" to "security_result.detection_fields".
  • Mapped "httpRequest.clientRequestId" to "additional.fields".

2024-04-16

  • Added support to map "network.application_protocol" if "protocol" is known, else mapped "protocol" to "additional.fields".

2024-04-12

  • Mapped "properties.requestbody.properties.allowBlobPublicAccess" to "security_result.detection_fields".

2024-04-10

  • Mapped "resourceId" to "target.resource.name".
  • When "resourceId" is present, then mapped "targetResources.displayName", "identity", "Type", and "properties.resourceDisplayName" to "target.resource.attribute.labels".

2024-03-29

  • Mapped "ResourceGUID" to "target.resource.product_object_id".
  • Mapped "Type" to "target.resource.name".
  • Mapped "ClientCity" to "principal.location.city".
  • Mapped "ClientCountryOrRegion" to "principal.location.country_or_region".
  • Mapped "ClientIP" to "principal.ip" and "principal.asset.ip".
  • Mapped "ClientStateOrProvince" to "principal.location.state".
  • Mapped "ClientType" to "principal.resource.attribute.labels".
  • Mapped "IKey" to "target.resource.attribute.labels".
  • Mapped "_BilledSize" and "DurationMs" to "additional.fields".
  • Mapped "OperationId", "SDKVersion", and "ItemCount" to "properties.operationId".
  • Mapped "ParentId", "Properties.WebtestLocationId", "Properties.FullTestResultAvailable", "Properties.SourceId", "Properties._MS_altIds", "Properties.WebtestArmResourceName", "Properties.SyntheticMonitorId", and "Success" to "security_result.detection_fields".
  • Mapped "Message" to "metadata.description".
  • Mapped "Id" to "principal.resource.product_object_id".
  • Mapped "Name" to "principal.resource.name".

2024-03-25

  • When "category" is "ServicePrincipalSignInLogs" or "NonInteractiveUserSigninLogs" or "ManagedIdentitySignInLogs", then mapped "createdDateTime" to "metadata.event_timestamp".
  • Mapped "properties.authenticationDetails.authenticationStepDateTime", "properties.authenticationDetails.authenticationMethod", "properties.authenticationDetails.authenticationStepResultDetail", "properties.authenticationDetails.authenticationStepRequirement", "properties.id", and "properties.resourceServicePrincipalId" to "security_result.detection_fields".
  • Mapped "properties.authenticationDetails.succeeded" to "security_result.action_details".

2024-03-25

  • When "properties.requestbody.Properties.RoleDefinitionId" is not empty, then set "security_result.detection_fields.key" to "RequestBody roleDefinitionId".
  • Mapped "properties.roleDefinitionId", "properties.principalId", "properties.responseBody.properties.roleDefinitionId", and "properties.requestbody.Properties.PrincipalId" to "security_result.detection_fields".

2024-03-13

  • Mapped "properties.requestbody.properties.roleDefinitionId" and "properties.requestbody.properties.principalId" to "security_result.detection_fields".

2024-03-05

  • Mapped "resultType" to "security_result.action_details".
  • Mapped "properties.requestbody.Properties.PrincipalId" to "principal.user.userid".
  • When "resultType" is not empty, then mapped "properties.status.failureReason" to "security_result.detection_fields".
  • Mapped "properties.hardwareProfile.vmSize", "properties.provisioningState", "properties.requestbody.Properties.RoleDefinitionId" to "security_result.detection_fields".

2024-02-13

Bug-Fix:

  • When "identity.UserName" is email, then map to "principal.user.email_addresses", otherwise map it to "principal.user.user_display_name".

2024-02-12

  • Added support for JSON logs that were being dropped.
  • Mapped "OperationNameValue" to "metadata.product_event_type".
  • Mapped "properties.eventDataId", "properties.subscriptionId", "properties.resourceGroup", and "properties.resourceProviderValue" to "security_result.detection_fields".
  • Mapped "Caller" to "principal.user.userid".
  • Mapped "ActivityStatusValue" to "security_result.action".

2024-02-01

Bug-Fix:

  • When the "category" field has the value "NonInteractiveUserSignInLogs" or "OperationName" is "Sign-in activity", then changed "metadata.event_type" from "USER_LOGOUT" to "USER_LOGIN".
  • Mapped "properties.incomingTokenType" and "properties.deviceDetail.browser" to "additional.fields".
  • Mapped "properties.userAgent" to "network.http.user_agent".
  • When "properties.userAgent" value does not exist, then only mapped "properties.deviceDetail.browser" to "network.http.user_agent".
  • Mapped parsed "user_agent_field" to "network.http.parsed_user_agent".
  • Mapped "properties.eventProperties.clientIPAddress" and "callerIpAddress" to "principal.asset.ip".
  • Mapped "hostname", "rscname" and "properties.eventProperties.compromisedHost" to "principal.asset.hostname".

2024-01-07

  • Bug-Fix:
    • Added a Grok pattern to validate "callerIpAddress" as an IP address.
  • Mapped "properties.accountName" to "principal.user.userid".
  • Mapped "uri" to "network.http.referral_url".
  • Mapped "properties.userAgentHeader" to "network.http.user_agent".
  • Mapped "properties.tlsVersion" to "network.tls.version".
  • Mapped "statusCode" to "network.http.response_code".
  • Mapped "protocol" to "network.application_protocol".
  • Mapped "properties.clientRequestId", "properties.etag", "properties.objectKey", "properties.responseMd5" and "resourceType" to "additional.fields".
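The conditional rules described in the 2024-02-13, 2024-02-01 and 2024-01-07 entries above (email versus display name, sign-in event type, user-agent fallback, IP validation), written out as an added Python example over constructed records. This is not the Google Security Operations parser's own code; the sample events, the `normalize` and `get_path` names, and the use of `ipaddress` in place of the Grok pattern are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample activity records (not real tenant data); the nested
# shapes follow the field paths named in the changelog entries above.
SAMPLE_EVENTS = [
    {"identity": {"UserName": "alice@example.com"},
     "category": "NonInteractiveUserSignInLogs",
     "callerIpAddress": "203.0.113.7",
     "properties": {"deviceDetail": {"browser": "Edge 120"}}},
    {"identity": {"UserName": "svc-backup"},
     "OperationName": "Sign-in activity",
     "callerIpAddress": "not-an-ip",
     "properties": {"userAgent": "Mozilla/5.0",
                    "deviceDetail": {"browser": "Chrome"}}},
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def get_path(obj, path):
    """Walk a dotted path such as 'properties.deviceDetail.browser'."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def is_ip(value):
    """Stand-in for the Grok IP validation: accept only a parseable address."""
    try:
        ipaddress.ip_address(value)
        return True
    except (ValueError, TypeError):
        return False

def normalize(event):
    """Apply the changelog's conditional rules and return a UDM-like dict."""
    udm = {"metadata": {}, "principal": {"user": {}}, "network": {"http": {}}}
    user = get_path(event, "identity.UserName")
    if user is not None:  # 2024-02-13: email vs display name
        key = "email_addresses" if EMAIL_RE.match(user) else "user_display_name"
        udm["principal"]["user"][key] = [user] if key == "email_addresses" else user
    if (event.get("category") == "NonInteractiveUserSignInLogs"
            or event.get("OperationName") == "Sign-in activity"):
        udm["metadata"]["event_type"] = "USER_LOGIN"  # 2024-02-01: was USER_LOGOUT
    ua = get_path(event, "properties.userAgent") or get_path(event, "properties.deviceDetail.browser")
    if ua:  # 2024-02-01: browser only used when userAgent is absent
        udm["network"]["http"]["user_agent"] = ua
    ip = event.get("callerIpAddress")
    if is_ip(ip):  # 2024-01-07: reject non-IP values rather than emitting them
        udm["principal"]["ip"] = [ip]
    return udm
```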

2023-10-09

  • Added support to parse unparsed logs.
  • Renamed the following fields:
    • From "OperationName" to "operationName".
    • From "CorrelationId" to "correlationId".
    • From "Category" to "category".
    • From "ResourceId" to "resourceId".
    • From "ResultType" to "resultType".
  • Mapped "ProviderName" and "ProviderGuid" to "security_result.detection_fields".
  • Mapped "ResultDescription" to "metadata.description".

2023-09-13

Enhancement -

  • Mapped "properties.eventCategory" to "security_result.detection_fields".
  • Mapped "properties.operationId" and "operationName" to "security_result.detection_fields".
  • Mapped "properties.eventName" to "security_result.summary".
  • Mapped "properties.EventName" to "security_result.summary".
  • Mapped "properties.legacyResourceType" to "security_result.detection_fields".
  • Mapped "properties.CallerCredentialType" to "security_result.detection_fields".
  • Mapped "properties.EventChannel" to "security_result.detection_fields".
  • Mapped "properties.EventSource" to "security_result.detection_fields".
  • Mapped "properties.legacyResourceId" to "security_result.detection_fields".
  • Mapped "properties.eventProperties.User" to "principal.user.id" and "principal.user.email_addresses".
  • Mapped "properties.Caller" to "principal.user.id" and "principal.user.email_addresses".
  • Mapped "caller" to "principal.user.id" and "principal.user.email_addresses".
  • Mapped "properties.IpAddress" to "principal.ip".
  • Mapped "properties.Description_scrubbed" to "security_result.description".

2023-02-22

Enhancement -

  • Mapped "tenantId" to "metadata.product_deployment_id".
  • Mapped "operationName" to "metadata.product_event_type".
  • Mapped "category" to "security_result.category_details".
  • Mapped "callerIpAddress" to "principal.ip".
  • Mapped "identity" to "target.resource.name".
  • Mapped "result" to "security_result.action_details".
  • Mapped "properties.activityDisplayName" to "security_result.summary".
  • Mapped "location" to "principal.location.name".
  • Mapped "Level" to "security_result.severity_details".
  • Mapped "properties.initiatedBy.app.displayName" to "principal.application".
  • Mapped "properties.targetResources.displayName" to "target.resource.name".
  • Mapped "properties.targetResources.id" to "target.resource.product_object_id".
  • Mapped "properties.targetResources.modifiedProperties.displayName" to "target.user.attribute.labels".
  • Mapped "properties.additionalDetails" to "additional.fields".
  • Mapped "properties.loggedByService" to "target.application".
  • Mapped "properties.userId" to "target.user.product_object_id".
  • Mapped "properties.resourceDisplayName" to "target.resource.name".
  • Mapped "properties.location.city" to "principal.location.city".
  • Mapped "properties.location.state" to "principal.location.state".
  • Mapped "properties.location.countryOrRegion" to "principal.location.country_or_region".
  • Mapped "properties.ipAddress" to "principal.ip".
  • Mapped "properties.location.geoCoordinates.latitude" to "principal.location.region_latitude".
  • Mapped "properties.location.geoCoordinates.longitude" to "principal.location.region_longitude".
  • Mapped "properties.servicePrincipalId" to "principal.user.userid".
  • Mapped "properties.servicePrincipalName" to "principal.user.user_display_name".
  • Mapped "properties.tokenIssuerType", "properties.authenticationProcessingDetails.0.value", "properties.operationType", "properties.authenticationRequirement", and "properties.deviceDetail.trustType" to "additional.fields".
  • Mapped "resultDescription" to "metadata.description".
  • Mapped "properties.userDisplayName" to "target.user.user_display_name".
  • Mapped "properties.appDisplayName" to "target.application".
  • Mapped "properties.userType" to "principal.user.attribute.roles".
  • Mapped "properties.status.failureReason" to "security_result.action_details".
  • Mapped "properties.deviceDetail.operatingSystem" to "principal.platform_version".
  • Mapped "properties.deviceDetail.displayName" to "principal.asset.hardware".
  • Mapped "properties.deviceDetail.browser" to "network.http.user_agent".
  • Mapped "properties.userPrincipalName" to "principal.user.email_addresses".

2022-11-28

Enhancement -

  • Mapped "correlationId" to "security_result.detection_fields".
  • Mapped "level" to "security_result.severity_details".
  • Added the following mappings for the category "ResourceHealth":
    • Mapped "properties.legacyEventDataId" to "security_result.detection_fields".
    • Mapped "properties.legacyChannels" to "security_result.detection_fields".
    • Mapped "properties.legacySubscriptionId" to "security_result.detection_fields".
    • Mapped "properties.legacyResourceGroup" to "security_result.detection_fields".
    • Mapped "properties.legacyResourceProviderName" to "security_result.detection_fields".
    • Mapped "properties.eventProperties.currentHealthStatus" to "security_result.detection_fields".
    • Mapped "properties.eventProperties.previousHealthStatus" to "security_result.detection_fields".
    • Mapped "properties.eventProperties.type" to "security_result.detection_fields".
    • Mapped "properties.eventProperties.cause" to "security_result.detection_fields".

2022-09-26

Enhancement - Added fields.

  • Mapped "tenantId" to "metadata.product_deployment_id".

2022-06-20

Enhancement -

  • Added a conditional check for "entity_properties": when "category" is equal to "Security":
    • Mapped "properties.eventProperties.clientIPAddress" to "principal.ip".
    • Mapped "properties.eventProperties.accountSessionId" to "network.session_id".
    • Mapped "properties.eventProperties.suspiciousProcess" to "target.process.file.full_path".
    • Mapped "properties.eventProperties.suspiciousCommandLine" to "target.process.command_line".
    • Mapped "properties.eventProperties.suspiciousProcessId" to "target.process.pid".
    • Mapped "properties.eventProperties.compromisedHost" to "principal.hostname".
  • Mapped "resultDescription" to "metadata.description".
  • Mapped "properties.legacySubscriptionId" to "security_result.detection_fields".
  • Mapped "properties.legacyResourceProviderName" to "security_result.detection_fields".

2022-05-19

Enhancement - Added and modified multiple fields.

  • Mapped "claims", "Identity", "aud", "tenantid", "principalId", "action", "appidacr", "iat", "exp", "nbf", "rh", "uti", "ver", "xms_tcdt", "principalType", "roleAssignmentId", "appid", "aio", "iss", "nameidentifier", "roleDefinitionId", and "scope" to "security_result.detection_fields".
  • Mapped "resultSignature", "resultType", "hierarchy", "resource_type", and "entity" to "additional.fields".
  • Mapped "RoleLocation" to "location.name".
  • Mapped "category" to "security_result.category_details".