Collect Microsoft Azure AD logs
This document describes how you can collect Microsoft Azure Active Directory (AD) logs by setting up a Google Security Operations feed.
Azure Active Directory (AZURE_AD) is now called Microsoft Entra ID. Azure AD audit logs (AZURE_AD_AUDIT) are now Microsoft Entra ID audit logs.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser which normalizes raw log data
to structured UDM format. The information in this document applies to the parser
with the following ingestion labels: AZURE_AD_AUDIT, AZURE_AD_CONTEXT, and AZURE_AD.
Before you begin
To complete the tasks on this page, ensure that you have the following:
- An Azure subscription that you can sign in to.
- A global administrator or Azure AD administrator role.
- An Azure AD (tenant) in Azure.
Configure Azure AD
- Sign in to the Azure portal.
- Go to Home > App registration, and then select a registered application, or register an application if you haven't created one yet.
- To register an application, in the App registration section, click New registration.
- In the Name field, provide the display name for your application.
- In the Supported account types section, select the required option to specify who can use the application or access the API.
- Click Register.
- Go to the Overview page and copy the application (client) ID and the directory (tenant) ID, which are required to configure the Google Security Operations feed.
- Click API permissions.
- Click Add a permission, and then select Microsoft Graph in the new pane.
- Click Application permissions.
- Select AuditLog.Read.All, Directory.Read.All, and SecurityEvents.Read.All permissions. Ensure that the permissions are Application permissions and not Delegated permissions.
- Click Grant admin consent for default directory. Applications are authorized to call APIs when they are granted permissions by users or administrators as part of the consent process.
- Go to Settings > Manage.
- Click Certificates and secrets.
- Click New client secret. In the Value field, the client secret appears.
- Copy the client secret value. The value is displayed only at the time of creation and it is required for the Azure app registration and to configure the Google Security Operations feed.
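One way to confirm that the registration ended up with Application permissions only, and nothing beyond the three listed above, is to inspect the claims of an access token issued to the app through the client credentials flow. The following is an added example, not code from Google or Microsoft; the claim names (roles, scp, appid, azp, tid) are those of Microsoft identity platform access tokens rather than anything stated on this page, and the IDs and token are constructed placeholders.

```python
import base64
import json

# Microsoft Graph application permissions that the steps above tell you to grant.
REQUIRED_ROLES = {"AuditLog.Read.All", "Directory.Read.All", "SecurityEvents.Read.All"}

# Constructed placeholder IDs; substitute the values copied from the Overview page.
CLIENT_ID = "00000000-0000-0000-0000-0000000000aa"
TENANT_ID = "00000000-0000-0000-0000-0000000000bb"


def b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the payload claims of a compact JWT. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def audit_feed_token(claims, client_id, tenant_id):
    """Return a list of findings; an empty list means the token matches the setup above."""
    findings = []
    roles = set(claims.get("roles") or [])
    missing = REQUIRED_ROLES - roles
    extra = roles - REQUIRED_ROLES
    if missing:
        findings.append("missing application permissions: " + ", ".join(sorted(missing)))
    if extra:
        findings.append("permissions beyond what the feed needs: " + ", ".join(sorted(extra)))
    # App-only tokens list permissions in 'roles'; an 'scp' claim means delegated scopes.
    if claims.get("scp"):
        findings.append("delegated scopes present (scp): " + str(claims["scp"]))
    # v1.0 tokens carry the client ID in 'appid', v2.0 tokens in 'azp'.
    if client_id not in (claims.get("appid"), claims.get("azp")):
        findings.append("token was issued to a different application (client) ID")
    if claims.get("tid") != tenant_id:
        findings.append("token was issued by a different directory (tenant) ID")
    return findings


def make_sample_token(claims):
    """Build a constructed token with a placeholder signature (not a real credential)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "RS256"}), enc(claims), "constructed-signature"])


# Constructed sample: what an app-only token for this registration should contain.
SAMPLE_TOKEN = make_sample_token({
    "appid": CLIENT_ID,
    "tid": TENANT_ID,
    "roles": ["AuditLog.Read.All", "Directory.Read.All", "SecurityEvents.Read.All"],
})

if __name__ == "__main__":
    for finding in audit_feed_token(decode_claims(SAMPLE_TOKEN), CLIENT_ID, TENANT_ID) or ["ok"]:
        print(finding)
```

Treat the token and the client secret used to obtain it as credentials: run the check locally and do not paste either into online decoders.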
Configure a feed in Google Security Operations to ingest Azure AD logs
- From the Google Security Operations menu, select Settings.
- Click Feeds.
- Click Add new.
- Select Third party API as the Source type.
- To create a feed for Azure AD, select AZURE_AD as the Log type.
- Click Next.
- Configure the following input parameters:
  - OAUTH client ID: specify the client ID that you obtained previously.
  - OAUTH client secret: specify the client secret that you obtained previously.
  - Tenant ID: specify the tenant ID that you obtained previously.
- Click Next and then click Submit.
- After you complete the steps to create a feed for Azure AD, repeat the steps
to create a separate feed for each of the following log types:
AZURE_AD_AUDIT and AZURE_AD_CONTEXT.
For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type. If you encounter issues when you create feeds, contact Google Security Operations support.
Field mapping reference
This parser code transforms raw Azure AD logs in JSON format into a unified data model (UDM). It first normalizes the data by removing unnecessary fields and then extracts relevant information like user details, timestamps, and event specifics, mapping them to corresponding UDM fields for consistent representation and analysis.
UDM mapping table
Log Field | UDM Mapping | Logic |
---|---|---|
activityDateTime | read_only_udm.metadata.event_timestamp.seconds | The value is extracted from the activityDateTime field and converted to seconds since epoch. |
activityDisplayName | read_only_udm.security_result.summary | The value is directly mapped from the activityDisplayName field. |
additionalDetails.0.value | read_only_udm.network.http.user_agent | The value is directly mapped from the additionalDetails.0.value field. |
additionalDetails.1.key | read_only_udm.target.resource.attribute.labels.key | The value is directly mapped from the additionalDetails.1.key field. |
additionalDetails.1.value | read_only_udm.target.resource.attribute.labels.value | The value is directly mapped from the additionalDetails.1.value field. |
am_category | read_only_udm.metadata.description | The value is directly mapped from the am_category field. |
am_tenantId | read_only_udm.metadata.product_deployment_id | The value is directly mapped from the am_tenantId field. |
appDisplayName | read_only_udm.target.application | The value is directly mapped from the appDisplayName field. If appDisplayName is empty, the value is taken from resourceDisplayName. |
appId | read_only_udm.target.resource.attribute.labels.value | The value is directly mapped from the appId field. |
appliedConditionalAccessPolicies.displayName | read_only_udm.about.user.user_display_name | The value is directly mapped from the appliedConditionalAccessPolicies.displayName field. |
appliedConditionalAccessPolicies.enforcedGrantControls | read_only_udm.security_result.rule_labels.value | The value is directly mapped from the appliedConditionalAccessPolicies.enforcedGrantControls field. |
appliedConditionalAccessPolicies.enforcedSessionControls | read_only_udm.security_result.rule_labels.value | The value is directly mapped from the appliedConditionalAccessPolicies.enforcedSessionControls field. |
appliedConditionalAccessPolicies.id | read_only_udm.about.user.userid | The value is directly mapped from the appliedConditionalAccessPolicies.id field. |
appliedConditionalAccessPolicies.result | read_only_udm.about.labels.value | The value is directly mapped from the appliedConditionalAccessPolicies.result field. |
authenticationDetails.authenticationMethod | read_only_udm.security_result.detection_fields.value | The value is directly mapped from the authenticationDetails.authenticationMethod field. |
authenticationDetails.authenticationMethodDetail | read_only_udm.security_result.detection_fields.value | The value is directly mapped from the authenticationDetails.authenticationMethodDetail field. |
authenticationDetails.authenticationStepDateTime | read_only_udm.security_result.detection_fields.value | The value is directly mapped from the authenticationDetails.authenticationStepDateTime field. |
authenticationDetails.authenticationStepRequirement | read_only_udm.security_result.detection_fields.value | The value is directly mapped from the authenticationDetails.authenticationStepRequirement field. |
authenticationDetails.authenticationStepResultDetail | read_only_udm.security_result.detection_fields.value | The value is directly mapped from the authenticationDetails.authenticationStepResultDetail field. |
authenticationProcessingDetails.key | read_only_udm.additional.fields.key | The value is directly mapped from the authenticationProcessingDetails.key field, prefixed with "authenticationProcessingDetails - ". |
authenticationProcessingDetails.value | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the authenticationProcessingDetails.value field. |
callerIpAddress | read_only_udm.principal.ip | The value is directly mapped from the callerIpAddress field. |
callerIpAddress | read_only_udm.principal.asset.ip | The value is directly mapped from the callerIpAddress field. |
category | read_only_udm.metadata.description | The value is directly mapped from the category field. |
clientAppUsed | read_only_udm.principal.application | The value is directly mapped from the clientAppUsed field. |
conditionalAccessStatus | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the conditionalAccessStatus field. |
correlationId | read_only_udm.network.session_id | The value is directly mapped from the correlationId field. |
correlationId | read_only_udm.security_result.detection_fields.value | The value is directly mapped from the correlationId field. |
createdDateTime | read_only_udm.metadata.event_timestamp.seconds | The value is extracted from the createdDateTime field and converted to seconds since epoch. |
deviceDetail.browser | read_only_udm.network.http.user_agent | The value is directly mapped from the deviceDetail.browser field. |
deviceDetail.deviceId | read_only_udm.principal.asset.asset_id | The value is directly mapped from the deviceDetail.deviceId field, prefixed with "Device ID:". |
deviceDetail.deviceId | read_only_udm.principal.asset_id | The value is directly mapped from the deviceDetail.deviceId field, prefixed with "Device ID:". |
deviceDetail.displayName | read_only_udm.principal.asset.hostname | The value is directly mapped from the deviceDetail.displayName field. |
deviceDetail.isCompliant | read_only_udm.principal.asset.attribute.labels.value | The value is directly mapped from the deviceDetail.isCompliant field. |
deviceDetail.isManaged | read_only_udm.principal.asset.attribute.labels.value | The value is directly mapped from the deviceDetail.isManaged field. |
deviceDetail.operatingSystem | read_only_udm.principal.platform_version | The value is directly mapped from the deviceDetail.operatingSystem field. |
deviceDetail.trustType | read_only_udm.principal.asset.attribute.labels.value | The value is directly mapped from the deviceDetail.trustType field. |
durationMs | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the durationMs field. |
errorCode | read_only_udm.security_result.rule_id | The value is directly mapped from the errorCode field. |
identity | read_only_udm.target.user.user_display_name | The value is directly mapped from the identity field if it is different from userId and does not match an email address pattern. |
initiatedBy.user.displayName | read_only_udm.principal.user.user_display_name | The value is directly mapped from the initiatedBy.user.displayName field. |
initiatedBy.user.id | read_only_udm.principal.user.userid | The value is directly mapped from the initiatedBy.user.id field. |
initiatedBy.user.ipAddress | read_only_udm.principal.ip | The value is directly mapped from the initiatedBy.user.ipAddress field. |
initiatedBy.user.ipAddress | read_only_udm.principal.asset.ip | The value is directly mapped from the initiatedBy.user.ipAddress field. |
initiatedBy.user.userPrincipalName | read_only_udm.principal.user.email_addresses | The value is directly mapped from the initiatedBy.user.userPrincipalName field if it matches an email address pattern. |
ipAddress | read_only_udm.principal.ip | The value is extracted from the ipAddress field using a grok pattern to extract the IP address. |
ipAddress | read_only_udm.principal.asset.ip | The value is extracted from the ipAddress field using a grok pattern to extract the IP address. |
isInteractive | read_only_udm.extensions.auth.mechanism | The value is mapped to "INTERACTIVE" if isInteractive is "true", otherwise it is mapped to "MECHANISM_OTHER". |
isInteractive | read_only_udm.security_result.detection_fields.value | The value is directly mapped from the isInteractive field. |
level | read_only_udm.security_result.severity | The value is mapped from the level field based on the following logic: * "Information", "Informational", "0", "4" are mapped to "INFORMATIONAL". * "Warning", "1", "3" are mapped to "MEDIUM". * "Error", "2" are mapped to "ERROR". * "Critical", "CRITICAL", "critical" are mapped to "CRITICAL". |
level | read_only_udm.security_result.severity_details | The value is directly mapped from the level field. |
location.city | read_only_udm.principal.location.city | The value is directly mapped from the location.city field. |
location.countryOrRegion | read_only_udm.principal.location.country_or_region | The value is directly mapped from the location.countryOrRegion field. |
location.geoCoordinates.latitude | read_only_udm.principal.location.region_coordinates.latitude | The value is directly mapped from the location.geoCoordinates.latitude field and converted to a float. |
location.geoCoordinates.latitude | read_only_udm.principal.location.region_latitude | The value is directly mapped from the location.geoCoordinates.latitude field and converted to a float. |
location.geoCoordinates.longitude | read_only_udm.principal.location.region_coordinates.longitude | The value is directly mapped from the location.geoCoordinates.longitude field and converted to a float. |
location.geoCoordinates.longitude | read_only_udm.principal.location.region_longitude | The value is directly mapped from the location.geoCoordinates.longitude field and converted to a float. |
location.state | read_only_udm.principal.location.state | The value is directly mapped from the location.state field. |
networkLocationDetails.networkNames | read_only_udm.additional.fields.value.string_value | The value is generated by concatenating all values from the networkLocationDetails.networkNames array, separated by commas. |
networkLocationDetails.networkType | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the networkLocationDetails.networkType field. |
networkLocationDetails.networkType | read_only_udm.security_result.detection_fields.value | The value is directly mapped from the networkLocationDetails.networkType field. |
operationName | read_only_udm.metadata.event_type | The value is mapped to "USER_LOGIN" if operationName is "Sign-in activity", "USER_CHANGE_PERMISSIONS" if operationName is "Add member to group", and "USER_RESOURCE_UPDATE_PERMISSIONS" if operationName is "Add app role assignment to service principal". Otherwise, the value is determined based on the presence of other fields: * "USER_LOGIN" if has_target_user is "true". * "USER_UNCATEGORIZED" if has_principal_user is "true". * "STATUS_UPDATE" if has_principal is "true". * "GENERIC_EVENT" otherwise. |
operationType | read_only_udm.security_result.action_details | The value is directly mapped from the operationType field. |
properties.activity | read_only_udm.security_result.summary | The value is directly mapped from the properties.activity field. |
properties.activityDateTime | read_only_udm.metadata.event_timestamp.seconds | The value is extracted from the properties.activityDateTime field and converted to seconds since epoch. |
properties.additionalInfo | read_only_udm.network.http.user_agent | The value is extracted from the properties.additionalInfo field by parsing the JSON string and extracting the value corresponding to the key "userAgent". |
properties.additionalInfo | read_only_udm.target.url | The value is extracted from the properties.additionalInfo field by parsing the JSON string and extracting the value corresponding to the key "alertUrl". |
properties.appId | read_only_udm.target.resource.attribute.labels.value | The value is directly mapped from the properties.appId field. |
properties.appDisplayName | read_only_udm.target.application | The value is directly mapped from the properties.appDisplayName field. |
properties.appliedConditionalAccessPolicies.displayName | read_only_udm.security_result.rule_name | The value is directly mapped from the properties.appliedConditionalAccessPolicies.displayName field. |
properties.appliedConditionalAccessPolicies.id | read_only_udm.security_result.rule_id | The value is directly mapped from the properties.appliedConditionalAccessPolicies.id field. |
properties.appliedConditionalAccessPolicies.result | read_only_udm.security_result.detection_fields.value | The value is directly mapped from the properties.appliedConditionalAccessPolicies.result field. |
properties.authenticationDetails.authenticationMethod | read_only_udm.security_result.detection_fields.value | The value is directly mapped from the properties.authenticationDetails.authenticationMethod field. |
properties.authenticationDetails.authenticationMethodDetail | read_only_udm.security_result.detection_fields.value | The value is directly mapped from the properties.authenticationDetails.authenticationMethodDetail field. |
properties.authenticationDetails.authenticationStepDateTime | read_only_udm.security_result.detection_fields.value | The value is directly mapped from the properties.authenticationDetails.authenticationStepDateTime field. |
properties.authenticationDetails.authenticationStepRequirement | read_only_udm.security_result.detection_fields.value | The value is directly mapped from the properties.authenticationDetails.authenticationStepRequirement field. |
properties.authenticationDetails.authenticationStepResultDetail | read_only_udm.security_result.detection_fields.value | The value is directly mapped from the properties.authenticationDetails.authenticationStepResultDetail field. |
properties.authenticationProcessingDetails.key | read_only_udm.additional.fields.key | The value is directly mapped from the properties.authenticationProcessingDetails.key field, prefixed with "properties authenticationProcessingDetails - ". |
properties.authenticationProcessingDetails.value | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the properties.authenticationProcessingDetails.value field. |
properties.authenticationRequirement | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the properties.authenticationRequirement field. |
properties.authenticationRequirementPolicies.detail | read_only_udm.security_result.detection_fields.value | The value is directly mapped from the properties.authenticationRequirementPolicies.detail field. |
properties.authenticationRequirementPolicies.requirementProvider | read_only_udm.security_result.detection_fields.value | The value is directly mapped from the properties.authenticationRequirementPolicies.requirementProvider field. |
properties.clientAppUsed | read_only_udm.principal.application | The value is directly mapped from the properties.clientAppUsed field. |
properties.conditionalAccessStatus | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the properties.conditionalAccessStatus field. |
properties.createdDateTime | read_only_udm.metadata.event_timestamp.seconds | The value is extracted from the properties.createdDateTime field and converted to seconds since epoch. |
properties.crossTenantAccessType | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the properties.crossTenantAccessType field. |
properties.detectedDateTime | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the properties.detectedDateTime field. |
properties.detectionTimingType | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the properties.detectionTimingType field. |
properties.homeTenantId | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the properties.homeTenantId field. |
properties.id | read_only_udm.metadata.product_log_id | The value is directly mapped from the properties.id field. |
properties.initiatedBy.user.displayName | read_only_udm.principal.user.user_display_name | The value is directly mapped from the properties.initiatedBy.user.displayName field. |
properties.initiatedBy.user.id | read_only_udm.principal.user.windows_sid | The value is directly mapped from the properties.initiatedBy.user.id field. |
properties.initiatedBy.user.ipAddress | read_only_udm.principal.ip | The value is directly mapped from the properties.initiatedBy.user.ipAddress field. |
properties.initiatedBy.user.ipAddress | read_only_udm.principal.asset.ip | The value is directly mapped from the properties.initiatedBy.user.ipAddress field. |
properties.initiatedBy.user.userPrincipalName | read_only_udm.principal.user.userid | The value is directly mapped from the properties.initiatedBy.user.userPrincipalName field if it does not match an email address pattern. |
properties.initiatedBy.user.userPrincipalName | read_only_udm.principal.user.email_addresses | The value is directly mapped from the properties.initiatedBy.user.userPrincipalName field if it matches an email address pattern. |
properties.ipAddress | read_only_udm.principal.ip | The value is extracted from the properties.ipAddress field using a grok pattern to extract the IP address. |
properties.ipAddress | read_only_udm.principal.asset.ip | The value is extracted from the properties.ipAddress field using a grok pattern to extract the IP address. |
properties.isGuest | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the properties.isGuest field. |
properties.isDeleted | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the properties.isDeleted field. |
properties.isProcessing | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the properties.isProcessing field. |
properties.lastUpdatedDateTime | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the properties.lastUpdatedDateTime field. |
properties.location.city | read_only_udm.principal.location.city | The value is directly mapped from the properties.location.city field. |
properties.location.countryOrRegion | read_only_udm.principal.location.country_or_region | The value is directly mapped from the properties.location.countryOrRegion field. |
properties.location.geoCoordinates.latitude | read_only_udm.principal.location.region_coordinates.latitude | The value is directly mapped from the properties.location.geoCoordinates.latitude field and converted to a float. |
properties.location.geoCoordinates.latitude | read_only_udm.principal.location.region_latitude | The value is directly mapped from the properties.location.geoCoordinates.latitude field and converted to a float. |
properties.location.geoCoordinates.longitude | read_only_udm.principal.location.region_coordinates.longitude | The value is directly mapped from the properties.location.geoCoordinates.longitude field and converted to a float. |
properties.location.geoCoordinates.longitude | read_only_udm.principal.location.region_longitude | The value is directly mapped from the properties.location.geoCoordinates.longitude field and converted to a float. |
properties.location.state | read_only_udm.principal.location.state | The value is directly mapped from the properties.location.state field. |
properties.networkLocationDetails.networkNames | read_only_udm.additional.fields.value.string_value | The value is generated by concatenating all values from the properties.networkLocationDetails.networkNames array, separated by commas. |
properties.networkLocationDetails.networkType | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the properties.networkLocationDetails.networkType field. |
properties.networkLocationDetails.networkType | read_only_udm.security_result.detection_fields.value | The value is directly mapped from the properties.networkLocationDetails.networkType field. |
properties.resourceServicePrincipalId | read_only_udm.target.resource.attribute.labels.value | The value is directly mapped from the properties.resourceServicePrincipalId field. |
properties.riskDetail | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the properties.riskDetail field. |
properties.riskEventType | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the properties.riskEventType field. |
properties.riskLastUpdatedDateTime | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the properties.riskLastUpdatedDateTime field. |
properties.riskLevel | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the properties.riskLevel field. |
properties.riskLevelDuringSignIn | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the properties.riskLevelDuringSignIn field. |
properties.riskState | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the properties.riskState field. |
properties.riskType | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the properties.riskType field. |
properties.source | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the properties.source field. |
properties.targetResources.0.id | read_only_udm.target.user.product_object_id | The value is directly mapped from the properties.targetResources.0.id field. |
properties.targetResources.modifiedProperties.0.newValue | read_only_udm.target.group.product_object_id | The value is directly mapped from the properties.targetResources.modifiedProperties.0.newValue field. |
properties.tokenIssuerType | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the properties.tokenIssuerType field. |
properties.userAgent | read_only_udm.network.http.parsed_user_agent | The value is directly mapped from the properties.userAgent field and converted to a parsed user agent object. |
properties.userAgent | read_only_udm.network.http.user_agent | The value is directly mapped from the properties.userAgent field. |
properties.userId | read_only_udm.target.user.product_object_id | The value is directly mapped from the properties.userId field. |
properties.userPrincipalName | read_only_udm.target.user.userid | The value is directly mapped from the properties.userPrincipalName field if it does not match an email address pattern. |
properties.userPrincipalName | read_only_udm.target.user.email_addresses | The value is directly mapped from the properties.userPrincipalName field if it matches an email address pattern. |
result | read_only_udm.security_result.action | The value is mapped to "ALLOW" if result is "success". |
result | read_only_udm.security_result.action_details | The value is directly mapped from the result field if result is "success". |
resultDescription | read_only_udm.security_result.description | The value is directly mapped from the resultDescription field. |
resultSignature | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the resultSignature field. |
resultType | read_only_udm.security_result.action | The value is mapped to "ALLOW" if resultType is "0". |
resultType | read_only_udm.security_result.rule_id | The value is directly mapped from the resultType field if it is not empty and not "0". |
resultType | read_only_udm.security_result.summary | The value is mapped to "Successful login occurred" if resultType is "0" and "Failed login occurred" otherwise. |
resourceDisplayName | read_only_udm.target.application | The value is directly mapped from the resourceDisplayName field. |
resourceDisplayName | read_only_udm.target.resource.name | The value is directly mapped from the resourceDisplayName field. |
resourceId | read_only_udm.target.resource.id | The value is directly mapped from the resourceId field. |
resourceId | read_only_udm.target.resource.product_object_id | The value is directly mapped from the resourceId field. |
resourceServicePrincipalId | read_only_udm.target.resource.attribute.labels.value | The value is directly mapped from the resourceServicePrincipalId field. |
riskDetail | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the riskDetail field. |
riskEventTypes | read_only_udm.additional.fields.value.string_value | The value is extracted from the riskEventTypes array and mapped to a string value in the additional.fields array. |
riskEventTypes | read_only_udm.additional.fields.value.list_value.values.string_value | The value is directly mapped from each element of the riskEventTypes array. |
riskEventTypes_v2 | read_only_udm.additional.fields.value.list_value.values.string_value | The value is directly mapped from each element of the riskEventTypes_v2 array. |
riskLevelAggregated | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the riskLevelAggregated field. |
riskLevelDuringSignIn | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the riskLevelDuringSignIn field. |
riskState | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the riskState field. |
status.additionalDetails | read_only_udm.security_result.description | The value is directly mapped from the status.additionalDetails field. |
status.errorCode | read_only_udm.security_result.action | The value is mapped to "ALLOW" if status.errorCode is "0". |
status.errorCode | read_only_udm.security_result.rule_id | The value is directly mapped from the status.errorCode field if it is not empty. |
status.errorCode | read_only_udm.security_result.summary | The value is mapped to "Successful login occurred" if status.errorCode is "0" and "Failed login occurred" otherwise. |
status.failureReason | read_only_udm.additional.fields.value.string_value | The value is directly mapped from the status.failureReason field. |
targetResources.displayName | read_only_udm.target.resource.name | The value is directly mapped from the targetResources.displayName field. |
targetResources.id | read_only_udm.target.resource.id | The value is directly mapped from the targetResources.id field. |
targetResources.id | read_only_udm.target.resource.product_object_id | The value is directly mapped from the targetResources.id field. |
targetResources.modifiedProperties.displayName | read_only_udm.target.resource.attribute.labels.key | The value is directly mapped from the targetResources.modifiedProperties.displayName field. |
targetResources.modifiedProperties.newValue | read_only_udm.target.resource.attribute.labels.value | The value is directly mapped from the targetResources.modifiedProperties.newValue field after removing double quotes. |
targetResources.modifiedProperties.oldValue | read_only_udm.target.resource.attribute.labels.value | The value is directly mapped from the targetResources.modifiedProperties.oldValue field. |
targetResources.type | read_only_udm.target.resource.type | The value is directly mapped from the targetResources.type field. |
targetResources.userPrincipalName | read_only_udm.target.user.user_display_name | The value is directly mapped from the targetResources.userPrincipalName field. |
tenantId | read_only_udm.metadata.product_deployment_id | The value is directly mapped from the tenantId field. |
time | read_only_udm.metadata.event_timestamp.seconds | The value is extracted from the time field and converted to seconds since epoch. |
userAgent | read_only_udm.network.http.parsed_user_agent | The value is directly mapped from the userAgent field and converted to a parsed user agent object. |
userAgent | read_only_udm.network.http.user_agent | The value is directly mapped from the userAgent field. |
userDisplayName | read_only_udm.target.user.user_display_name | The value is directly mapped from the userDisplayName field if it is different from userId and does not match an email address pattern. |
userPrincipalName | read_only_udm.principal.administrative_domain | The domain part of the email address is extracted from the userPrincipalName field using a grok pattern and mapped to the principal.administrative_domain field. |
userPrincipalName | read_only_udm.target.user.email_addresses | The value is directly mapped from the userPrincipalName field if it matches an email address pattern. |
userPrincipalName | read_only_udm.target.user.userid | The value is directly mapped from the userPrincipalName field if it does not match an email address pattern. |
userId | read_only_udm.target.user.product_object_id | The value is directly mapped from the userId field. |
read_only_udm.metadata.log_type | AZURE_AD | This value is hardcoded in the parser. |
read_only_udm.metadata.vendor_name | Microsoft | This value is hardcoded in the parser. |
read_only_udm.metadata.product_name | Azure AD | This value is hardcoded in the parser. |
read_only_udm.extensions.auth.type | SSO | This value is hardcoded in the parser. |
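The userPrincipalName, userDisplayName, and time rows above determine which UDM field holds the user's identity and when the event occurred. The following Python example is added here for illustration and is not the parser's own code; it applies those rows to two constructed records. The email regex, the Z-suffixed timestamp format, the `normalize` helper, and the sample values are assumptions.

```python
import re
from datetime import datetime, timezone

# Assumed email pattern: the page names an "email address pattern" without showing it.
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+\.[^@\s]+)$")

def to_epoch_seconds(ts):
    """time -> metadata.event_timestamp.seconds; assumes a Z-suffixed UTC value."""
    base = re.sub(r"(\.\d+)?Z$", "", ts)  # drop fractional seconds and the Z
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())

def normalize(raw):
    """Apply the table's rules; keys are UDM paths minus the read_only_udm prefix."""
    udm = {  # the four values the table lists as hardcoded
        "metadata.log_type": "AZURE_AD",
        "metadata.vendor_name": "Microsoft",
        "metadata.product_name": "Azure AD",
        "extensions.auth.type": "SSO",
    }
    direct = {"tenantId": "metadata.product_deployment_id",
              "userAgent": "network.http.user_agent",
              "userId": "target.user.product_object_id"}
    for src, dst in direct.items():
        if src in raw:
            udm[dst] = raw[src]
    if "time" in raw:
        udm["metadata.event_timestamp.seconds"] = to_epoch_seconds(raw["time"])
    upn = raw.get("userPrincipalName")
    if upn:
        m = EMAIL_RE.match(upn)
        if m:  # email-shaped UPN
            udm["target.user.email_addresses"] = [upn]
            udm["principal.administrative_domain"] = m.group(1)
        else:  # e.g. a bare object ID
            udm["target.user.userid"] = upn
    name = raw.get("userDisplayName")
    if name and name != raw.get("userId") and not EMAIL_RE.match(name):
        udm["target.user.user_display_name"] = name
    return udm

# Constructed sample records, not real tenant data.
OBJECT_ID = "11111111-1111-1111-1111-111111111111"
SIGN_IN = {"time": "2024-05-29T10:15:30.1234567Z", "userId": OBJECT_ID,
           "tenantId": "00000000-0000-0000-0000-000000000001",
           "userPrincipalName": "alice@example.com",
           "userDisplayName": "Alice Example", "userAgent": "Mozilla/5.0"}
GUID_UPN = dict(SIGN_IN, userPrincipalName=OBJECT_ID, userDisplayName=OBJECT_ID)
```

In the second record the UPN lands in target.user.userid and neither an email address nor a display name is set, so a search keyed only on target.user.email_addresses would not match it.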
Changes
2024-07-05
- Mapped "isInteractive" to "security_result.detection_fields".
2024-04-02
- Mapped "properties.createdDateTime" to "metadata.event_timestamp".
- Mapped "properties.resourceServicePrincipalId" and "resourceServicePrincipalId" to "target.resource.attribute.labels".
- Mapped "properties.authenticationProcessingDetails", "authenticationProcessingDetails" and "properties.networkLocationDetails" to "additional.fields".
- Mapped "properties.userAgent" to "network.http.user_agent" and "network.http.parsed_user_agent".
- Mapped "properties.authenticationRequirement" to "additional.fields".
2024-06-03
- Changed mapping of "policies.displayName" from "about.user.user_display_name" to "security_result.rule_name".
- Changed mapping of "policies.id" from "about.user.userid" to "security_result.rule_id".
- Changed mapping of "policies.result" from "about.labels" to "security_result.detection_fields".
2024-05-29
- When "status.errorCode" is "0", then set "security_result.action" to "ALLOW".
2024-05-13
Bug-Fix:
- Mapped "userPrincipalName" to "target.user.userid".
2024-05-10
- Mapped "networkLocationDetails.n.networkNames", "properties.networkLocationDetails.n.networkNames", "networkLocationDetails.n.networkType" and "properties.networkLocationDetails.n.networkType" to "additional.fields".
- Mapped "properties.userAgent" and "userAgent" to "network.http.user_agent" and "network.http.parsed_user_agent".
2024-05-03
Bug-Fix:
- Added "on_error" check before mapping "target.modifiedProperties.n.newValue".
- Mapped "target.modifiedProperties.n.oldValue" and "target.modifiedProperties.n.displayName" to "target.resource.attribute.labels".
- Mapped "activityDisplayName" to "security_result.summary".
2024-04-30
- Mapped "properties.authenticationDetails", "properties.networkLocationDetails", "properties.authenticationRequirementPolicies", "networkLocationDetails" and "authenticationRequirementPolicies" to "security_result.detection_fields".
2024-04-02
- Mapped "properties.authenticationRequirement" to "additional.fields".
2024-04-02
- Mapped "authenticationRequirement" to "additional.fields".
2024-02-26
- Mapped "appliedConditionalAccessPolicies" to "security_result".
- Mapped "isInteractive" to "extensions.auth.mechanism".
- Mapped "location.geoCoordinates.altitude" to "additional.fields".
2024-02-09
- Mapped "authenticationDetails.authenticationMethod", "authenticationDetails.authenticationMethodDetail", "authenticationDetails.authenticationStepResultDetail", "authenticationDetails.authenticationStepDateTime", and "authenticationDetails.authenticationStepRequirement" to "security_result.detection_fields".
- Mapped "authenticationDetails.succeeded" to "security_result.action".
- Mapped "status.additionalDetails" to "security_result.description".
2024-01-11
- Mapped "correlationId" to "security_result.detection_fields".
2023-11-20
- Mapped "tenantId" to "metadata.product_deployment_id".
- Mapped "Level" to "security_result.severity_details" and "security_result.severity".
- Mapped "properties.userDisplayName" to "target.user.user_display_name".
- Mapped "identity" to "target.user.user_display_name".
- Mapped "properties.activityDateTime" to "metadata.event_timestamp".
- Mapped "properties.activity" to "security_result.summary".
- Mapped "resultSignature", "properties.riskLevel", "properties.isGuest", "properties.isDeleted", "properties.isProcessing", "properties.riskLastUpdatedDateTime", "properties.riskType", "properties.riskEventType", "properties.riskState", "properties.riskDetail", "properties.source", "properties.detectionTimingType", "properties.detectedDateTime", "properties.lastUpdatedDateTime", "properties.tokenIssuerType", "properties.homeTenantId", "properties.userType", "properties.crossTenantAccessType", "durationMs" to "additional.fields".
- Mapped "resourceId" to "target.resource.product_object_id".
- Mapped "properties.location.geoCoordinates.longitude" and "location.geoCoordinates.longitude" to "principal.location.region_coordinates.longitude".
- Mapped "properties.location.geoCoordinates.latitude" and "location.geoCoordinates.latitude" to "principal.location.region_coordinates.latitude".
2023-07-12
- Mapped "deviceDetail.isCompliant", "deviceDetail.isManaged", "deviceDetail.trustType" to "principal.asset.attribute.labels".
- Mapped "deviceDetail.deviceId" to "principal.asset.asset_id".
- Mapped "deviceDetail.browser" to "network.http.user_agent".
- Mapped "deviceDetail.operatingSystem" to "principal.platform_version".
- Mapped "status.failureReason" to "additional.fields".
- Mapped "status.errorCode" to "security_result.rule_id".
- Mapped "deviceDetail.displayName" to "principal.asset.hardware".
2023-03-14
- Mapped "browser" to "principal.resource.attribute.labels".
- Mapped "isCompliant", "isManaged", "trustType" to "principal.asset.attribute.labels".
- Mapped "domain" from "userPrincipalName" to "principal.administrative_domain".
2022-12-16
- Added conditional check for the field 'initiatedBy.user.userPrincipalName' and mapped to 'principal.user.email_addresses'.
2022-10-28
- Mapped "additionalDetails.0.value" to "network.http.user_agent".
- Mapped "additionalDetails.1.value" to "target.resource.attribute.labels".
- Mapped "Id" to "metadata.product_log_id".
- Mapped "initiatedBy.user.id" to "principal.user.userid".
- Mapped "initiatedBy.user.displayName" to "principal.user.user_display_name".
- Mapped "initiatedBy.user.ipAddress" to "principal.ip".
- Mapped "initiatedBy.user.userPrincipalName" to "principal.user.email_addresses".
- Mapped "operationType" to "security_result.action_details".
- Mapped "target.displayName" to "target.resource.name".
- Mapped "target.id" to "target.resource.id".
- Mapped "target.type" to "target.resource.type".
- Mapped "field.newValue" to "target.resource.product_object_id" if "field.displayName" is "AppRole.Id"; otherwise mapped "field.newValue" to "target.resource.attribute.labels".
- Added check for errorCode.
- Mapped "loggedByService" to "target.application".
- Mapped "activityDisplayName" to "metadata.product_event_type".
- Set "metadata.event_type" to "USER_RESOURCE_UPDATE_PERMISSIONS" where "activityDisplayName" is "Add app role assignment to service principal".
2022-08-25
- If "properties.initiatedBy.user.userPrincipalName" matches the email regex pattern, mapped it to "principal.user.email_addresses"; otherwise mapped it to "principal.user.userid".
- If "properties.userPrincipalName" or "userPrincipalName" matches the email regex pattern, mapped it to "target.user.email_addresses"; otherwise mapped it to "target.user.userid".
2022-08-11
- Removed drop tag "TAG_MALFORMED_ENCODING".
- Added "event_type" "GENERIC_EVENT".
2022-05-29
- Enhancement - Modified the for loop for the field 'riskEventTypes_v2' mapped to 'additional.fields'.
- Mapped the field 'level' to 'security_result.severity_details'.
- Mapped the field 'properties.result' to 'security_result.action_details'.
2022-04-20
- Bug-fix - Parsed the logs with event "appDisplayName": "NotApplicable".
- Modified the for loop for the field 'riskEventTypes'.