Collect Microsoft Azure AD logs

Supported in:

This document describes how you can collect Microsoft Azure Active Directory (AD) logs by setting up a Google Security Operations feed.

Azure Active Directory (AZURE_AD) is now called Microsoft Entra ID. Azure AD audit logs (AZURE_AD_AUDIT) are now Microsoft Entra ID audit logs.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the following ingestion labels: AZURE_AD_AUDIT, AZURE_AD_CONTEXT, and AZURE_AD.

Before you begin

To complete the tasks on this page, ensure that you have the following:

  • An Azure subscription that you can sign in to.
  • A global administrator or Azure AD administrator role.
  • An Azure AD (tenant) in Azure.

Configure Azure AD

  1. Sign in to the Azure portal.
  2. Go to Home > App registration, select a registered application or register an application if you haven't created an application yet.
  3. To register an application, in the App registration section, click New registration.
  4. In the Name field, provide the display name for your application.
  5. In the Supported account types section, select the required option to specify who can use the application or access the API.
  6. Click Register.
  7. Go to the Overview page and copy the application (client) ID and the directory (tenant) ID, which are required to configure the Google Security Operations feed.
  8. Click API permissions.
  9. Click Add a permission, and then select Microsoft Graph in the new pane.
  10. Click Application permissions.
  11. Select AuditLog.Read.All, Directory.Read.All, and SecurityEvents.Read.All permissions. Ensure that the permissions are Application permissions and not Delegated permissions.
  12. Click Grant admin consent for default directory. Applications are authorized to call APIs when they are granted permissions by users or administrators as part of the consent process.
  13. Go to Settings > Manage.
  14. Click Certificates and secrets.
  15. Click New client secret. In the Value field, the client secret appears.
  16. Copy the client secret value. The value is displayed only at the time of creation and it is required for the Azure app registration and to configure the Google Security Operations feed.

Configure a feed in Google Security Operations to ingest Azure AD logs

  1. From the Google Security Operations menu, select Settings.
  2. Click Feeds.
  3. Click Add new.
  4. Select Third party API as the Source type.
  5. To create a feed for Azure AD, select AZURE_AD as the Log type.
  6. Click Next.
  7. Configure the following input parameters:
    • OAUTH client ID: specify the client ID that you obtained previously.
    • OAUTH client secret: specify the client secret that you obtained previously.
    • Tenant ID: specify the tenant ID that you obtained previously.
  8. Click Next and then click Submit.
  9. After you complete the steps to create a feed for Azure AD, repeat the steps to create a separate feed for each of the following log types: AZURE_AD_AUDIT and AZURE_AD_CONTEXT.

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type. If you encounter issues when you create feeds, contact Google Security Operations support.

Field mapping reference

This parser code transforms raw Azure AD logs in JSON format into a unified data model (UDM). It first normalizes the data by removing unnecessary fields and then extracts relevant information like user details, timestamps, and event specifics, mapping them to corresponding UDM fields for consistent representation and analysis.

UDM mapping Table

Log Field UDM Mapping Logic
activityDateTime read_only_udm.metadata.event_timestamp.seconds The value is extracted from the activityDateTime field and converted to seconds since epoch.
activityDisplayName read_only_udm.security_result.summary The value is directly mapped from the activityDisplayName field.
additionalDetails.0.value read_only_udm.network.http.user_agent The value is directly mapped from the additionalDetails.0.value field.
additionalDetails.1.key read_only_udm.target.resource.attribute.labels.key The value is directly mapped from the additionalDetails.1.key field.
additionalDetails.1.value read_only_udm.target.resource.attribute.labels.value The value is directly mapped from the additionalDetails.1.value field.
am_category read_only_udm.metadata.description The value is directly mapped from the am_category field.
am_tenantId read_only_udm.metadata.product_deployment_id The value is directly mapped from the am_tenantId field.
appDisplayName read_only_udm.target.application The value is directly mapped from the appDisplayName field. If appDisplayName is empty, the value is taken from resourceDisplayName.
appId read_only_udm.target.resource.attribute.labels.value The value is directly mapped from the appId field.
appliedConditionalAccessPolicies.displayName read_only_udm.about.user.user_display_name The value is directly mapped from the appliedConditionalAccessPolicies.displayName field.
appliedConditionalAccessPolicies.enforcedGrantControls read_only_udm.security_result.rule_labels.value The value is directly mapped from the appliedConditionalAccessPolicies.enforcedGrantControls field.
appliedConditionalAccessPolicies.enforcedSessionControls read_only_udm.security_result.rule_labels.value The value is directly mapped from the appliedConditionalAccessPolicies.enforcedSessionControls field.
appliedConditionalAccessPolicies.id read_only_udm.about.user.userid The value is directly mapped from the appliedConditionalAccessPolicies.id field.
appliedConditionalAccessPolicies.result read_only_udm.about.labels.value The value is directly mapped from the appliedConditionalAccessPolicies.result field.
authenticationDetails.authenticationMethod read_only_udm.security_result.detection_fields.value The value is directly mapped from the authenticationDetails.authenticationMethod field.
authenticationDetails.authenticationMethodDetail read_only_udm.security_result.detection_fields.value The value is directly mapped from the authenticationDetails.authenticationMethodDetail field.
authenticationDetails.authenticationStepDateTime read_only_udm.security_result.detection_fields.value The value is directly mapped from the authenticationDetails.authenticationStepDateTime field.
authenticationDetails.authenticationStepRequirement read_only_udm.security_result.detection_fields.value The value is directly mapped from the authenticationDetails.authenticationStepRequirement field.
authenticationDetails.authenticationStepResultDetail read_only_udm.security_result.detection_fields.value The value is directly mapped from the authenticationDetails.authenticationStepResultDetail field.
authenticationProcessingDetails.key read_only_udm.additional.fields.key The value is directly mapped from the authenticationProcessingDetails.key field, prefixed with "authenticationProcessingDetails - ".
authenticationProcessingDetails.value read_only_udm.additional.fields.value.string_value The value is directly mapped from the authenticationProcessingDetails.value field.
callerIpAddress read_only_udm.principal.ip The value is directly mapped from the callerIpAddress field.
callerIpAddress read_only_udm.principal.asset.ip The value is directly mapped from the callerIpAddress field.
category read_only_udm.metadata.description The value is directly mapped from the category field.
clientAppUsed read_only_udm.principal.application The value is directly mapped from the clientAppUsed field.
conditionalAccessStatus read_only_udm.additional.fields.value.string_value The value is directly mapped from the conditionalAccessStatus field.
correlationId read_only_udm.network.session_id The value is directly mapped from the correlationId field.
correlationId read_only_udm.security_result.detection_fields.value The value is directly mapped from the correlationId field.
createdDateTime read_only_udm.metadata.event_timestamp.seconds The value is extracted from the createdDateTime field and converted to seconds since epoch.
deviceDetail.browser read_only_udm.network.http.user_agent The value is directly mapped from the deviceDetail.browser field.
deviceDetail.deviceId read_only_udm.principal.asset.asset_id The value is directly mapped from the deviceDetail.deviceId field, prefixed with "Device ID:".
deviceDetail.deviceId read_only_udm.principal.asset_id The value is directly mapped from the deviceDetail.deviceId field, prefixed with "Device ID:".
deviceDetail.displayName read_only_udm.principal.asset.hostname The value is directly mapped from the deviceDetail.displayName field.
deviceDetail.isCompliant read_only_udm.principal.asset.attribute.labels.value The value is directly mapped from the deviceDetail.isCompliant field.
deviceDetail.isManaged read_only_udm.principal.asset.attribute.labels.value The value is directly mapped from the deviceDetail.isManaged field.
deviceDetail.operatingSystem read_only_udm.principal.platform_version The value is directly mapped from the deviceDetail.operatingSystem field.
deviceDetail.trustType read_only_udm.principal.asset.attribute.labels.value The value is directly mapped from the deviceDetail.trustType field.
durationMs read_only_udm.additional.fields.value.string_value The value is directly mapped from the durationMs field.
errorCode read_only_udm.security_result.rule_id The value is directly mapped from the errorCode field.
identity read_only_udm.target.user.user_display_name The value is directly mapped from the identity field if it is different from userId and does not match an email address pattern.
initiatedBy.user.displayName read_only_udm.principal.user.user_display_name The value is directly mapped from the initiatedBy.user.displayName field.
initiatedBy.user.id read_only_udm.principal.user.userid The value is directly mapped from the initiatedBy.user.id field.
initiatedBy.user.ipAddress read_only_udm.principal.ip The value is directly mapped from the initiatedBy.user.ipAddress field.
initiatedBy.user.ipAddress read_only_udm.principal.asset.ip The value is directly mapped from the initiatedBy.user.ipAddress field.
initiatedBy.user.userPrincipalName read_only_udm.principal.user.email_addresses The value is directly mapped from the initiatedBy.user.userPrincipalName field if it matches an email address pattern.
ipAddress read_only_udm.principal.ip The value is extracted from the ipAddress field using a grok pattern to extract the IP address.
ipAddress read_only_udm.principal.asset.ip The value is extracted from the ipAddress field using a grok pattern to extract the IP address.
isInteractive read_only_udm.extensions.auth.mechanism The value is mapped to "INTERACTIVE" if isInteractive is "true", otherwise it is mapped to "MECHANISM_OTHER".
isInteractive read_only_udm.security_result.detection_fields.value The value is directly mapped from the isInteractive field.
level read_only_udm.security_result.severity The value is mapped from the level field based on the following logic: * "Information", "Informational", "0", "4" are mapped to "INFORMATIONAL". * "Warning", "1", "3" are mapped to "MEDIUM". * "Error", "2" are mapped to "ERROR". * "Critical", "CRITICAL", "critical" are mapped to "CRITICAL".
level read_only_udm.security_result.severity_details The value is directly mapped from the level field.
location.city read_only_udm.principal.location.city The value is directly mapped from the location.city field.
location.countryOrRegion read_only_udm.principal.location.country_or_region The value is directly mapped from the location.countryOrRegion field.
location.geoCoordinates.latitude read_only_udm.principal.location.region_coordinates.latitude The value is directly mapped from the location.geoCoordinates.latitude field and converted to a float.
location.geoCoordinates.latitude read_only_udm.principal.location.region_latitude The value is directly mapped from the location.geoCoordinates.latitude field and converted to a float.
location.geoCoordinates.longitude read_only_udm.principal.location.region_coordinates.longitude The value is directly mapped from the location.geoCoordinates.longitude field and converted to a float.
location.geoCoordinates.longitude read_only_udm.principal.location.region_longitude The value is directly mapped from the location.geoCoordinates.longitude field and converted to a float.
location.state read_only_udm.principal.location.state The value is directly mapped from the location.state field.
networkLocationDetails.networkNames read_only_udm.additional.fields.value.string_value The value is generated by concatenating all values from the networkLocationDetails.networkNames array, separated by commas.
networkLocationDetails.networkType read_only_udm.additional.fields.value.string_value The value is directly mapped from the networkLocationDetails.networkType field.
networkLocationDetails.networkType read_only_udm.security_result.detection_fields.value The value is directly mapped from the networkLocationDetails.networkType field.
operationName read_only_udm.metadata.event_type The value is mapped to "USER_LOGIN" if operationName is "Sign-in activity", "USER_CHANGE_PERMISSIONS" if operationName is "Add member to group", and "USER_RESOURCE_UPDATE_PERMISSIONS" if operationName is "Add app role assignment to service principal". Otherwise, the value is determined based on the presence of other fields: * "USER_LOGIN" if has_target_user is "true". * "USER_UNCATEGORIZED" if has_principal_user is "true". * "STATUS_UPDATE" if has_principal is "true". * "GENERIC_EVENT" otherwise.
operationType read_only_udm.security_result.action_details The value is directly mapped from the operationType field.
properties.activity read_only_udm.security_result.summary The value is directly mapped from the properties.activity field.
properties.activityDateTime read_only_udm.metadata.event_timestamp.seconds The value is extracted from the properties.activityDateTime field and converted to seconds since epoch.
properties.additionalInfo read_only_udm.network.http.user_agent The value is extracted from the properties.additionalInfo field by parsing the JSON string and extracting the value corresponding to the key "userAgent".
properties.additionalInfo read_only_udm.target.url The value is extracted from the properties.additionalInfo field by parsing the JSON string and extracting the value corresponding to the key "alertUrl".
properties.appId read_only_udm.target.resource.attribute.labels.value The value is directly mapped from the properties.appId field.
properties.appDisplayName read_only_udm.target.application The value is directly mapped from the properties.appDisplayName field.
properties.appliedConditionalAccessPolicies.displayName read_only_udm.security_result.rule_name The value is directly mapped from the properties.appliedConditionalAccessPolicies.displayName field.
properties.appliedConditionalAccessPolicies.id read_only_udm.security_result.rule_id The value is directly mapped from the properties.appliedConditionalAccessPolicies.id field.
properties.appliedConditionalAccessPolicies.result read_only_udm.security_result.detection_fields.value The value is directly mapped from the properties.appliedConditionalAccessPolicies.result field.
properties.authenticationDetails.authenticationMethod read_only_udm.security_result.detection_fields.value The value is directly mapped from the properties.authenticationDetails.authenticationMethod field.
properties.authenticationDetails.authenticationMethodDetail read_only_udm.security_result.detection_fields.value The value is directly mapped from the properties.authenticationDetails.authenticationMethodDetail field.
properties.authenticationDetails.authenticationStepDateTime read_only_udm.security_result.detection_fields.value The value is directly mapped from the properties.authenticationDetails.authenticationStepDateTime field.
properties.authenticationDetails.authenticationStepRequirement read_only_udm.security_result.detection_fields.value The value is directly mapped from the properties.authenticationDetails.authenticationStepRequirement field.
properties.authenticationDetails.authenticationStepResultDetail read_only_udm.security_result.detection_fields.value The value is directly mapped from the properties.authenticationDetails.authenticationStepResultDetail field.
properties.authenticationProcessingDetails.key read_only_udm.additional.fields.key The value is directly mapped from the properties.authenticationProcessingDetails.key field, prefixed with "properties authenticationProcessingDetails - ".
properties.authenticationProcessingDetails.value read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.authenticationProcessingDetails.value field.
properties.authenticationRequirement read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.authenticationRequirement field.
properties.authenticationRequirementPolicies.detail read_only_udm.security_result.detection_fields.value The value is directly mapped from the properties.authenticationRequirementPolicies.detail field.
properties.authenticationRequirementPolicies.requirementProvider read_only_udm.security_result.detection_fields.value The value is directly mapped from the properties.authenticationRequirementPolicies.requirementProvider field.
properties.clientAppUsed read_only_udm.principal.application The value is directly mapped from the properties.clientAppUsed field.
properties.conditionalAccessStatus read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.conditionalAccessStatus field.
properties.createdDateTime read_only_udm.metadata.event_timestamp.seconds The value is extracted from the properties.createdDateTime field and converted to seconds since epoch.
properties.crossTenantAccessType read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.crossTenantAccessType field.
properties.detectedDateTime read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.detectedDateTime field.
properties.detectionTimingType read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.detectionTimingType field.
properties.homeTenantId read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.homeTenantId field.
properties.id read_only_udm.metadata.product_log_id The value is directly mapped from the properties.id field.
properties.initiatedBy.user.displayName read_only_udm.principal.user.user_display_name The value is directly mapped from the properties.initiatedBy.user.displayName field.
properties.initiatedBy.user.id read_only_udm.principal.user.windows_sid The value is directly mapped from the properties.initiatedBy.user.id field.
properties.initiatedBy.user.ipAddress read_only_udm.principal.ip The value is directly mapped from the properties.initiatedBy.user.ipAddress field.
properties.initiatedBy.user.ipAddress read_only_udm.principal.asset.ip The value is directly mapped from the properties.initiatedBy.user.ipAddress field.
properties.initiatedBy.user.userPrincipalName read_only_udm.principal.user.userid The value is directly mapped from the properties.initiatedBy.user.userPrincipalName field if it does not match an email address pattern.
properties.initiatedBy.user.userPrincipalName read_only_udm.principal.user.email_addresses The value is directly mapped from the properties.initiatedBy.user.userPrincipalName field if it matches an email address pattern.
properties.ipAddress read_only_udm.principal.ip The value is extracted from the properties.ipAddress field using a grok pattern to extract the IP address.
properties.ipAddress read_only_udm.principal.asset.ip The value is extracted from the properties.ipAddress field using a grok pattern to extract the IP address.
properties.isGuest read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.isGuest field.
properties.isDeleted read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.isDeleted field.
properties.isProcessing read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.isProcessing field.
properties.lastUpdatedDateTime read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.lastUpdatedDateTime field.
properties.location.city read_only_udm.principal.location.city The value is directly mapped from the properties.location.city field.
properties.location.countryOrRegion read_only_udm.principal.location.country_or_region The value is directly mapped from the properties.location.countryOrRegion field.
properties.location.geoCoordinates.latitude read_only_udm.principal.location.region_coordinates.latitude The value is directly mapped from the properties.location.geoCoordinates.latitude field and converted to a float.
properties.location.geoCoordinates.latitude read_only_udm.principal.location.region_latitude The value is directly mapped from the properties.location.geoCoordinates.latitude field and converted to a float.
properties.location.geoCoordinates.longitude read_only_udm.principal.location.region_coordinates.longitude The value is directly mapped from the properties.location.geoCoordinates.longitude field and converted to a float.
properties.location.geoCoordinates.longitude read_only_udm.principal.location.region_longitude The value is directly mapped from the properties.location.geoCoordinates.longitude field and converted to a float.
properties.location.state read_only_udm.principal.location.state The value is directly mapped from the properties.location.state field.
properties.networkLocationDetails.networkNames read_only_udm.additional.fields.value.string_value The value is generated by concatenating all values from the properties.networkLocationDetails.networkNames array, separated by commas.
properties.networkLocationDetails.networkType read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.networkLocationDetails.networkType field.
properties.networkLocationDetails.networkType read_only_udm.security_result.detection_fields.value The value is directly mapped from the properties.networkLocationDetails.networkType field.
properties.resourceServicePrincipalId read_only_udm.target.resource.attribute.labels.value The value is directly mapped from the properties.resourceServicePrincipalId field.
properties.riskDetail read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.riskDetail field.
properties.riskEventType read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.riskEventType field.
properties.riskLastUpdatedDateTime read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.riskLastUpdatedDateTime field.
properties.riskLevel read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.riskLevel field.
properties.riskLevelDuringSignIn read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.riskLevelDuringSignIn field.
properties.riskState read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.riskState field.
properties.riskType read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.riskType field.
properties.source read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.source field.
properties.targetResources.0.id read_only_udm.target.user.product_object_id The value is directly mapped from the properties.targetResources.0.id field.
properties.targetResources.modifiedProperties.0.newValue read_only_udm.target.group.product_object_id The value is directly mapped from the properties.targetResources.modifiedProperties.0.newValue field.
properties.tokenIssuerType read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.tokenIssuerType field.
properties.userAgent read_only_udm.network.http.parsed_user_agent The value is directly mapped from the properties.userAgent field and converted to a parsed user agent object.
properties.userAgent read_only_udm.network.http.user_agent The value is directly mapped from the properties.userAgent field.
properties.userId read_only_udm.target.user.product_object_id The value is directly mapped from the properties.userId field.
properties.userPrincipalName read_only_udm.target.user.userid The value is directly mapped from the properties.userPrincipalName field if it does not match an email address pattern.
properties.userPrincipalName read_only_udm.target.user.email_addresses The value is directly mapped from the properties.userPrincipalName field if it matches an email address pattern.
result read_only_udm.security_result.action The value is mapped to "ALLOW" if result is "success".
result read_only_udm.security_result.action_details The value is directly mapped from the result field if result is "success".
resultDescription read_only_udm.security_result.description The value is directly mapped from the resultDescription field.
resultSignature read_only_udm.additional.fields.value.string_value The value is directly mapped from the resultSignature field.
resultType read_only_udm.security_result.action The value is mapped to "ALLOW" if resultType is "0".
resultType read_only_udm.security_result.rule_id The value is directly mapped from the resultType field if it is not empty and not "0".
resultType read_only_udm.security_result.summary The value is mapped to "Successful login occurred" if resultType is "0" and "Failed login occurred" otherwise.
resourceDisplayName read_only_udm.target.application The value is directly mapped from the resourceDisplayName field.
resourceDisplayName read_only_udm.target.resource.name The value is directly mapped from the resourceDisplayName field.
resourceId read_only_udm.target.resource.id The value is directly mapped from the resourceId field.
resourceId read_only_udm.target.resource.product_object_id The value is directly mapped from the resourceId field.
resourceServicePrincipalId read_only_udm.target.resource.attribute.labels.value The value is directly mapped from the resourceServicePrincipalId field.
riskDetail read_only_udm.additional.fields.value.string_value The value is directly mapped from the riskDetail field.
riskEventTypes read_only_udm.additional.fields.value.string_value The value is extracted from the riskEventTypes array and mapped to a string value in the additional.fields array.
riskEventTypes read_only_udm.additional.fields.value.list_value.values.string_value The value is directly mapped from each element of the riskEventTypes array.
riskEventTypes_v2 read_only_udm.additional.fields.value.list_value.values.string_value The value is directly mapped from each element of the riskEventTypes_v2 array.
riskLevelAggregated read_only_udm.additional.fields.value.string_value The value is directly mapped from the riskLevelAggregated field.
riskLevelDuringSignIn read_only_udm.additional.fields.value.string_value The value is directly mapped from the riskLevelDuringSignIn field.
riskState read_only_udm.additional.fields.value.string_value The value is directly mapped from the riskState field.
status.additionalDetails read_only_udm.security_result.description The value is directly mapped from the status.additionalDetails field.
status.errorCode read_only_udm.security_result.action The value is mapped to "ALLOW" if status.errorCode is "0".
status.errorCode read_only_udm.security_result.rule_id The value is directly mapped from the status.errorCode field if it is not empty.
status.errorCode read_only_udm.security_result.summary The value is mapped to "Successful login occurred" if status.errorCode is "0" and "Failed login occurred" otherwise.
status.failureReason read_only_udm.additional.fields.value.string_value The value is directly mapped from the status.failureReason field.
targetResources.displayName read_only_udm.target.resource.name The value is directly mapped from the targetResources.displayName field.
targetResources.id read_only_udm.target.resource.id The value is directly mapped from the targetResources.id field.
targetResources.id read_only_udm.target.resource.product_object_id The value is directly mapped from the targetResources.id field.
targetResources.modifiedProperties.displayName read_only_udm.target.resource.attribute.labels.key The value is directly mapped from the targetResources.modifiedProperties.displayName field.
targetResources.modifiedProperties.newValue read_only_udm.target.resource.attribute.labels.value The value is directly mapped from the targetResources.modifiedProperties.newValue field after removing double quotes.
targetResources.modifiedProperties.oldValue read_only_udm.target.resource.attribute.labels.value The value is directly mapped from the targetResources.modifiedProperties.oldValue field.
targetResources.type read_only_udm.target.resource.type The value is directly mapped from the targetResources.type field.
targetResources.userPrincipalName read_only_udm.target.user.user_display_name The value is directly mapped from the targetResources.userPrincipalName field.
tenantId read_only_udm.metadata.product_deployment_id The value is directly mapped from the tenantId field.
time read_only_udm.metadata.event_timestamp.seconds The value is extracted from the time field and converted to seconds since epoch.
userAgent read_only_udm.network.http.parsed_user_agent The value is directly mapped from the userAgent field and converted to a parsed user agent object.
userAgent read_only_udm.network.http.user_agent The value is directly mapped from the userAgent field.
userDisplayName read_only_udm.target.user.user_display_name The value is directly mapped from the userDisplayName field if it is different from userId and does not match an email address pattern.
userPrincipalName read_only_udm.principal.administrative_domain The domain part of the email address is extracted from the userPrincipalName field using a grok pattern and mapped to the principal.administrative_domain field.
userPrincipalName read_only_udm.target.user.email_addresses The value is directly mapped from the userPrincipalName field if it matches an email address pattern.
userPrincipalName read_only_udm.target.user.userid The value is directly mapped from the userPrincipalName field if it does not match an email address pattern.
userId read_only_udm.target.user.product_object_id The value is directly mapped from the userId field.
read_only_udm.metadata.log_type AZURE_AD This value is hardcoded in the parser.
read_only_udm.metadata.vendor_name Microsoft This value is hardcoded in the parser.
read_only_udm.metadata.product_name Azure AD This value is hardcoded in the parser.
read_only_udm.extensions.auth.type SSO This value is hardcoded in the parser.

Changes

2024-07-05

  • Mapped "isInteractive" to "security_result.detection_fields".

2024-04-02

  • Mapped "properties.createdDateTime" to "metadata.event_timestamp".
  • Mapped "properties.resourceServicePrincipalId" and "resourceServicePrincipalId" to "target.resource.attribute.labels".
  • Mapped "properties.authenticationProcessingDetails", "authenticationProcessingDetails" and "properties.networkLocationDetails" mapped to "additional.fields".
  • Mapped "properties.userAgent" to "network.http.user_agent" and "network.http.parsed_user_agent".
  • Mapped "properties.authenticationRequirement" to "additional.fields".

2024-06-03

  • Changed mapping of "policies.displayName" from "about.user.user_display_name" to "security_result.rule_name".
  • Changed mapping of "policies.id" from "about.user.userid" to "security_result.rule_id".
  • Changed mapping of "policies.result" from "about.labels" to "security_result.detection_fields".

2024-05-29

  • When "status.errorCode" is "0", then set "security_result.action" to "ALLOW".

2024-05-13

Bug-Fix:

  • Mapped "userPrincipalName" to "target.user.userid".

2024-05-10

  • Mapped "networkLocationDetails.n.networkNames", "properties.networkLocationDetails.n.networkNames", "networkLocationDetails.n.networkType" and "properties.networkLocationDetails.n.networkType" to "additional.fields".
  • Mapped "properties.userAgent" and "userAgent" to "network.http.user_agent" and "network.http.parsed_user_agent".

2024-05-03

Bug-Fix:

  • Added "on_error" check before mapping "target.modifiedProperties.n.newValue".
  • Mapped "target.modifiedProperties.n.oldValue" and "target.modifiedProperties.n.displayName" to "target.resource.attribute.labels".
  • Mapped "activityDisplayName" to "security_result.summary".

2024-04-30

  • Mapped "properties.authenticationDetails", "properties.networkLocationDetails", "properties.authenticationRequirementPolicies", "networkLocationDetails" and "authenticationRequirementPolicies" to "security_result.detection_fields".

2024-04-02

  • Mapped "properties.authenticationRequirement" to "additional.fields".

2024-04-02

  • Mapped "authenticationRequirement" to "additional.fields".

2024-02-26

  • Mapped "appliedConditionalAccessPolicies" to "security_result".
  • Mapped "isInteractive" to "extensions.auth.mechanism".
  • Mapped "location.geoCoordinates.altitude" to "additional.fields".

2024-02-09

  • Mapped "authenticationDetails.authenticationMethod", "authenticationDetails.authenticationMethodDetail", "authenticationDetails.authenticationStepResultDetail", "authenticationDetails.authenticationStepDateTime", and "authenticationDetails.authenticationStepRequirement" to "security_result.detection_fields".
  • Mapped "authenticationDetails.succeeded" to "security_result.action".
  • Mapped "status.additionalDetails" to "security_result.description".

2024-01-11

  • Mapped "correlationId" to "security_result.detection_fields".

2023-11-20

  • Mapped "tenantId" to "metadata.product_deployment_id".
  • Mapped "Level" to "security_result.severity_details" and "security_result.severity".
  • Mapped "properties.userDisplayName" to "target.user.user_display_name".
  • Mapped "identity" to "target.user.user_display_name".
  • Mapped "properties.activityDateTime" to "metadata.event_timestamp".
  • Mapped "properties.activity" to "security_result.summary".
  • Mapped "resultSignature", "properties.riskLevel", "properties.isGuest", "properties.isDeleted", "properties.isProcessing",
  • "properties.riskLastUpdatedDateTime", "properties.riskType", "properties.riskEventType", "properties.riskState", "properties.riskDetail", "properties.source", "properties.detectionTimingType"
  • "properties.detectedDateTime", "properties.lastUpdatedDateTime", "properties.tokenIssuerType", "properties.homeTenantId", "properties.userType", "properties.crossTenantAccessType", "durationMs" to "additional.fields".
  • Mapped "resourceId" to "target.resource.product_object_id".
  • Mapped "properties.location.geoCoordinates.longitude" and "location.geoCoordinates.longitude" to "principal.location.region_coordinates.longitude".
  • Mapped "properties.location.geoCoordinates.latitude" and "location.geoCoordinates.latitude" to "principal.location.region_coordinates.latitude".

2023-07-12

  • Mapped "deviceDetail.isCompliant", "deviceDetail.isManaged", "deviceDetail.trustType" to "principal.asset.attribute.labels".
  • Mapped "deviceDetail.deviceId" to "principal.asset.asset_id".
  • Mapped "deviceDetail.browser" to "network.http.user_agent".
  • Mapped "deviceDetail.operatingSystem" to "principal.platform_version".
  • Mapped "status.failureReason" to "additional.fields".
  • Mapped "status.errorCode" to "security_result.rule_id".
  • Mapped "deviceDetail.displayName" to "principal.asset.hardware".

2023-03-14

  • Mapped "browser" to "principal.resource.attribute.labels".
  • Mapped "isCompliant", "isManaged", "trustType", to "principal.asset.attribute.labels".
  • Mapped "domain" form "userPrincipalName" to "principal.administrative_domain".

2022-12-16

  • Added conditional check for the field 'initiatedBy.user.userPrincipalName' and mapped to 'principal.user.email_addresses'.

2022-10-28

  • Mapped "additionalDetails.0.value" to "network.http.user_agent".
  • Mapped "additionalDetails.1.value" to "target.resource.attribute.labels".
  • Mapped "Id" to "metadata.product_log_id".
  • Mapped "initiatedBy.user.id" to "principal.user.userid".
  • Mapped "initiatedBy.user.displayName" to "principal.user.user_display_name".
  • Mapped "initiatedBy.user.ipAddress" to "principal.ip".
  • Mapped "initiatedBy.user.userPrincipalName" to "principal.user.email_addresses".
  • Mapped "operationType" to "security_result.action_details".
  • Mapped "target.displayName" to "target.resource.name".
  • Mapped "target.id" to "target.resource.id".
  • Mapped "target.type" to "target.resource.type".
  • Mapped "field.newValue" to "target.resource.product_object_id" if field.displayName is "AppRole.Id" else mapped "field.newValue" to "target.resource.attribute.labels".
  • Added check for errorCode.
  • Mapped "loggedByService" to "target.application".
  • Mapped "activityDisplayName" to "metadata.product_event_type".
  • Mapped "metadata.event_type" to "USER_RESOURCE_UPDATE_PERMISSIONS" where "activityDisplayName" is "Add app role assignment to service principal".

2022-08-25

  • If "properties.initiatedBy.user.userPrincipalName" matches "email regex pattern" then mapped to "principal.user.email_addresses" else mapped to "principal.user.userid".
  • If "properties.userPrincipalName" or "userPrincipalName" matches "email regex pattern" then mapped to "target.user.email_addresses" else mapped to "target.user.userid".

2022-08-11

  • Removed drop tag "TAG_MALFORMED_ENCODING".
  • Added "event_type" "GENERIC_EVENT".

2022-05-29

  • Enhancement - Modified the for loop for the field 'riskEventTypes_v2' mapped to 'additional.fields'.
  • Mapped the field 'level' to 'security_result.severity_details'.
  • Mapped the field 'properties.result' to 'security_result.action_details'.

2022-04-20

  • Bug-fix - Parsed the logs with event "appDisplayName": "NotApplicable".
  • Modified the for loop for the field 'riskEventTypes'.