Collect Microsoft Azure AD Audit logs
This document describes how you can collect Microsoft Azure Active Directory (AD) logs by setting up a Google Security Operations feed.
Azure Active Directory (AZURE_AD) is now called Microsoft Entra ID. Azure AD audit logs (AZURE_AD_AUDIT) are now Microsoft Entra ID audit logs.
For more information, see Data ingestion to Google Security Operations.
An ingestion label identifies the parser that normalizes raw log data into the structured Unified Data Model (UDM) format.
Before you begin
To complete the tasks on this page, ensure that you have the following:
- An Azure subscription that you can sign in to.
- A global administrator or Azure AD administrator role.
- An Azure AD (tenant) in Azure.
Configure Azure AD
- Sign in to the Azure portal.
- Go to Home > App registrations and select an existing registered application, or register a new one if you haven't created an application yet.
- To register an application, in the App registrations section, click New registration.
- In the Name field, provide the display name for your application.
- In the Supported account types section, select the required option to specify who can use the application or access the API.
- Click Register.
- Go to the Overview page and copy the application (client) ID and the directory (tenant) ID, which are required to configure the Google Security Operations feed.
- Click API permissions.
- Click Add a permission, and then select Microsoft Graph in the new pane.
- Click Application permissions.
- Select the AuditLog.Read.All, Directory.Read.All, and SecurityEvents.Read.All permissions. Ensure that they are Application permissions and not Delegated permissions: the feed authenticates as the application itself using a client secret, with no signed-in user, so Delegated permissions would never be exercised.
- Click Grant admin consent for <your directory> (the button shows your tenant's name, for example Default Directory). Application permissions can only be consented to by an administrator; until consent is granted, the application can still obtain tokens, but they carry none of the requested permissions and Microsoft Graph rejects its calls.
- In the Manage section, click Certificates & secrets.
- Click New client secret, enter a description and an expiry period, and click Add. The client secret appears in the Value column.
- Copy the client secret value immediately. It is displayed only at creation time and cannot be retrieved later; you need it to configure the Google Security Operations feed. Treat it as a credential that grants read access to your tenant's directory and audit trail: store it only in the feed configuration, and replace it in the feed before it expires, because the feed stops authenticating once the secret expires.
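Before configuring the feed, it is worth confirming that the registration actually yields a usable token. The script below is an added example, not Google's or Microsoft's code: it performs the same client-credentials grant the feed performs and inspects the resulting token's `roles` claim for the three Application permissions granted above. A `scp` claim instead of `roles` means Delegated permissions were granted by mistake. The environment variable names (AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET) are assumptions; without them the script runs offline against a constructed, unsigned token.

```python
"""Pre-flight check for the Entra ID app registration used by the feed.
Added example (not Google's or Microsoft's code)."""
import base64
import json
import os
import urllib.parse
import urllib.request

# The Application permissions the procedure above selects and consents to.
REQUIRED_ROLES = {"AuditLog.Read.All", "Directory.Read.All", "SecurityEvents.Read.All"}
GRAPH_AUDIENCES = ("https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000")


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT WITHOUT verifying the signature.
    Fine for inspecting which roles Entra ID issued to our own app; never use this
    to trust a token presented by someone else."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact-serialised JWT")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def consent_problems(token: str, required=frozenset(REQUIRED_ROLES)) -> list:
    """Return human-readable problems with the token's permissions.
    An empty list means the registration is ready for the feed."""
    claims = decode_jwt_payload(token)
    problems = []
    if claims.get("aud") not in GRAPH_AUDIENCES:
        problems.append(f"token audience is {claims.get('aud')!r}, not Microsoft Graph")
    if "scp" in claims:
        # 'scp' carries Delegated permissions; the feed needs Application permissions ('roles').
        problems.append("token carries delegated scopes (scp); grant Application permissions instead")
    missing = sorted(required - set(claims.get("roles", [])))
    if missing:
        problems.append("admin consent not in effect for: " + ", ".join(missing))
    return problems


def request_graph_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant against the v2.0 token endpoint (network call)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",  # .default = every consented app permission
        "grant_type": "client_credentials",
    }).encode()
    request = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(request) as resp:
        return json.load(resp)["access_token"]


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature so the check can be
    exercised offline on constructed claims (NOT a token issued by Entra ID)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    env = {k: os.environ.get(k) for k in ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")}
    if all(env.values()):  # real check against your tenant (assumed variable names)
        token = request_graph_token(env["AZURE_TENANT_ID"], env["AZURE_CLIENT_ID"], env["AZURE_CLIENT_SECRET"])
    else:  # offline demonstration: consent in effect for only two of the three permissions
        token = make_unsigned_token({"aud": "https://graph.microsoft.com",
                                     "roles": ["AuditLog.Read.All", "Directory.Read.All"]})
    for line in consent_problems(token) or ["OK: registration is ready for the feed"]:
        print(line)
```

Run it with the three variables set to the values copied from the portal; an empty problem list means the feed's OAuth parameters will work. The check deliberately reads the token payload without verifying the signature, which is acceptable only because the token was just issued to this script by the token endpoint over TLS.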
Configure a feed in Google Security Operations to ingest Azure AD Audit logs
- Select SIEM Settings > Feeds.
- Click Add new.
- Enter a unique name for the Feed name.
- Select Third party API as the Source type.
- Select Azure AD Directory Audit as the Log type.
- Click Next.
- Configure the following mandatory input parameters:
- OAUTH client ID: specify the client ID that you obtained previously.
- OAUTH client secret: specify the client secret that you obtained previously.
- Tenant ID: specify the tenant ID that you obtained previously.
- Click Next and then click Submit.
For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type. If you encounter issues when you create feeds, contact Google Security Operations support.
Field mapping reference
This parser processes Azure AD Directory Audit logs in JSON format. It extracts relevant fields, transforms them into a unified data model (UDM), and enriches the data with additional context like user details, IP addresses, and security outcomes. The parser also categorizes events based on their characteristics, mapping them to specific UDM event types for easier analysis.
UDM Mapping Table
Log Field | UDM Mapping | Logic |
---|---|---|
activityDateTime | read_only_udm.metadata.event_timestamp | Direct mapping from the raw log field "activityDateTime". |
activityDisplayName | read_only_udm.metadata.product_event_type | Direct mapping from the raw log field "activityDisplayName". |
additionalDetails.ApplicationId | read_only_udm.additional.fields | Direct mapping from the raw log field "additionalDetails", where key is "ApplicationId". |
additionalDetails.Client | read_only_udm.network.http.user_agent | Direct mapping from the raw log field "additionalDetails", where key is "Client". |
additionalDetails.ClientIpAddress | read_only_udm.principal.ip, read_only_udm.principal.asset.ip | Direct mapping from the raw log field "additionalDetails", where key is "ClientIpAddress". |
additionalDetails.DomainName | read_only_udm.target.hostname, read_only_udm.target.asset.hostname | Direct mapping from the raw log field "additionalDetails", where key is "DomainName". |
additionalDetails.EmailAddress | read_only_udm.target.user.email_addresses | Direct mapping from the raw log field "additionalDetails", where key is "EmailAddress". |
additionalDetails.GrantType | read_only_udm.additional.fields | Direct mapping from the raw log field "additionalDetails", where key is "GrantType". |
additionalDetails.LocalAccountUsername | read_only_udm.additional.fields | Direct mapping from the raw log field "additionalDetails", where key is "LocalAccountUsername". |
additionalDetails.PhoneNumber | read_only_udm.target.user.phone_numbers | Direct mapping from the raw log field "additionalDetails", where key is "PhoneNumber". |
additionalDetails.PolicyId | read_only_udm.security_result.rule_name | Direct mapping from the raw log field "additionalDetails", where key is "PolicyId". |
additionalDetails.Scopes | read_only_udm.additional.fields | Direct mapping from the raw log field "additionalDetails", where key is "Scopes". |
additionalDetails.TenantId | read_only_udm.additional.fields | Direct mapping from the raw log field "additionalDetails", where key is "TenantId". |
additionalDetails.VerificationMethod | read_only_udm.additional.fields | Direct mapping from the raw log field "additionalDetails", where key is "VerificationMethod". |
appId | read_only_udm.target.process.pid | Direct mapping from the raw log field "appId". |
appliedConditionalAccessPolicies | read_only_udm.about | The "displayName" field is mapped to "read_only_udm.about.user.user_display_name" and the "id" field is mapped to "read_only_udm.about.user.userid". The "result" field is mapped to "read_only_udm.about.labels", with the key set to "Result". |
category | read_only_udm.additional.fields, read_only_udm.security_result.category_details | Direct mapping from the raw log field "category". The key for "read_only_udm.additional.fields" is set to "log_category". |
callerIpAddress | read_only_udm.principal.ip, read_only_udm.principal.asset.ip | Direct mapping from the raw log field "callerIpAddress". |
clientAppUsed | read_only_udm.principal.application | Direct mapping from the raw log field "clientAppUsed". |
correlationId | read_only_udm.network.session_id | Direct mapping from the raw log field "correlationId". |
id | read_only_udm.metadata.product_log_id | Direct mapping from the raw log field "id". |
identity | read_only_udm.target.user.userid | Direct mapping from the raw log field "identity". |
initiatedBy.app.appId | read_only_udm.principal.resource.attribute.labels | Direct mapping from the raw log field "initiatedBy.app.appId". The key for "read_only_udm.principal.resource.attribute.labels" is set to "App Id". |
initiatedBy.app.displayName | read_only_udm.principal.application | Direct mapping from the raw log field "initiatedBy.app.displayName". |
initiatedBy.app.servicePrincipalId | read_only_udm.principal.user.product_object_id | Direct mapping from the raw log field "initiatedBy.app.servicePrincipalId". |
initiatedBy.app.servicePrincipalName | read_only_udm.principal.user.userid | Direct mapping from the raw log field "initiatedBy.app.servicePrincipalName". |
initiatedBy.user.displayName | read_only_udm.principal.user.user_display_name, read_only_udm.principal.user.email_addresses | If the value contains "@" then it is parsed as an email address and mapped to "read_only_udm.principal.user.email_addresses". Otherwise, it is mapped to "read_only_udm.principal.user.user_display_name". |
initiatedBy.user.id | read_only_udm.principal.user.product_object_id | Direct mapping from the raw log field "initiatedBy.user.id". |
initiatedBy.user.ipAddress | read_only_udm.principal.ip, read_only_udm.principal.asset.ip | Direct mapping from the raw log field "initiatedBy.user.ipAddress". |
initiatedBy.user.userPrincipalName | read_only_udm.principal.user.userid, read_only_udm.principal.user.email_addresses, read_only_udm.principal.administrative_domain, read_only_udm.principal.resource.attribute.labels | If the value contains "@" then it is parsed as an email address and mapped to "read_only_udm.principal.user.email_addresses". Otherwise, it is mapped to "read_only_udm.principal.user.userid". The domain part of the email address is mapped to "read_only_udm.principal.administrative_domain". The full value is also mapped to "read_only_udm.principal.resource.attribute.labels" with the key set to "User Principal Name". |
ipAddress | read_only_udm.principal.ip, read_only_udm.principal.asset.ip | Direct mapping from the raw log field "ipAddress". |
Level | read_only_udm.security_result.severity, read_only_udm.security_result.severity_details | The value is converted to a string and mapped to "read_only_udm.security_result.severity_details". The "read_only_udm.security_result.severity" field is set to "INFORMATIONAL". |
location.city | read_only_udm.principal.location.city | Direct mapping from the raw log field "location.city". |
location.countryOrRegion | read_only_udm.principal.location.country_or_region | Direct mapping from the raw log field "location.countryOrRegion". |
location.geoCoordinates.latitude | read_only_udm.principal.location.region_latitude | Direct mapping from the raw log field "location.geoCoordinates.latitude". |
location.geoCoordinates.longitude | read_only_udm.principal.location.region_longitude | Direct mapping from the raw log field "location.geoCoordinates.longitude". |
location.state | read_only_udm.principal.location.state | Direct mapping from the raw log field "location.state". |
loggedByService | read_only_udm.additional.fields | Direct mapping from the raw log field "loggedByService". The key for "read_only_udm.additional.fields" is set to "loggedByService". |
operationName | read_only_udm.metadata.product_event_type | Direct mapping from the raw log field "operationName". |
operationType | read_only_udm.security_result.action_details | Direct mapping from the raw log field "operationType". |
properties.activityDateTime | read_only_udm.metadata.event_timestamp | Direct mapping from the raw log field "properties.activityDateTime". |
properties.activityDisplayName | read_only_udm.metadata.product_event_type | Direct mapping from the raw log field "properties.activityDisplayName". |
properties.appDisplayName | read_only_udm.target.application | Direct mapping from the raw log field "properties.appDisplayName". |
properties.category | read_only_udm.security_result.category_details | Direct mapping from the raw log field "properties.category". |
properties.id | read_only_udm.metadata.product_log_id | Direct mapping from the raw log field "properties.id". |
properties.initiatedBy.app.appId | read_only_udm.principal.resource.attribute.labels | Direct mapping from the raw log field "properties.initiatedBy.app.appId". The key for "read_only_udm.principal.resource.attribute.labels" is set to "App Id". |
properties.initiatedBy.app.displayName | read_only_udm.principal.application | Direct mapping from the raw log field "properties.initiatedBy.app.displayName". |
properties.initiatedBy.app.servicePrincipalId | read_only_udm.principal.user.product_object_id | Direct mapping from the raw log field "properties.initiatedBy.app.servicePrincipalId". |
properties.initiatedBy.app.servicePrincipalName | read_only_udm.principal.user.userid | Direct mapping from the raw log field "properties.initiatedBy.app.servicePrincipalName". |
properties.initiatedBy.user.displayName | read_only_udm.principal.user.user_display_name, read_only_udm.principal.user.email_addresses | If the value contains "@" then it is parsed as an email address and mapped to "read_only_udm.principal.user.email_addresses". Otherwise, it is mapped to "read_only_udm.principal.user.user_display_name". |
properties.initiatedBy.user.id | read_only_udm.principal.user.product_object_id | Direct mapping from the raw log field "properties.initiatedBy.user.id". |
properties.initiatedBy.user.ipAddress | read_only_udm.principal.ip, read_only_udm.principal.asset.ip | Direct mapping from the raw log field "properties.initiatedBy.user.ipAddress". |
properties.initiatedBy.user.userPrincipalName | read_only_udm.principal.user.userid, read_only_udm.principal.user.email_addresses, read_only_udm.principal.administrative_domain, read_only_udm.principal.resource.attribute.labels | If the value contains "@" then it is parsed as an email address and mapped to "read_only_udm.principal.user.email_addresses". Otherwise, it is mapped to "read_only_udm.principal.user.userid". The domain part of the email address is mapped to "read_only_udm.principal.administrative_domain". The full value is also mapped to "read_only_udm.principal.resource.attribute.labels" with the key set to "User Principal Name". |
properties.loggedByService | read_only_udm.additional.fields | Direct mapping from the raw log field "properties.loggedByService". The key for "read_only_udm.additional.fields" is set to "loggedByService". |
properties.operationType | read_only_udm.security_result.action_details | Direct mapping from the raw log field "properties.operationType". |
properties.result | read_only_udm.security_result.summary | Direct mapping from the raw log field "properties.result". |
properties.resultReason | read_only_udm.security_result.description | Direct mapping from the raw log field "properties.resultReason". |
properties.userPrincipalName | read_only_udm.target.user.user_display_name | Direct mapping from the raw log field "properties.userPrincipalName". |
result | read_only_udm.security_result.summary, read_only_udm.security_result.action | Direct mapping from the raw log field "result". If the value is "success" then "read_only_udm.security_result.action" is set to "ALLOW". If the value is "failure" then "read_only_udm.security_result.action" is set to "BLOCK". |
resultDescription | read_only_udm.metadata.description, read_only_udm.security_result.description | Direct mapping from the raw log field "resultDescription". |
resultReason | read_only_udm.security_result.description | Direct mapping from the raw log field "resultReason". |
resultType | read_only_udm.security_result.rule_id, read_only_udm.security_result.summary, read_only_udm.security_result.action | Direct mapping from the raw log field "resultType". If the value is "0" then "read_only_udm.security_result.action" is set to "ALLOW" and "read_only_udm.security_result.summary" is set to "Successful login occurred". Otherwise, "read_only_udm.security_result.action" is set to "BLOCK", "read_only_udm.security_result.summary" is set to "Failed login occurred", "read_only_udm.security_result.description" is set to the value of "resultDescription", and "read_only_udm.security_result.severity" is set to "ERROR". |
resourceDisplayName | read_only_udm.target.resource.name | Direct mapping from the raw log field "resourceDisplayName". |
resourceId | read_only_udm.additional.fields | Direct mapping from the raw log field "resourceId". The key for "read_only_udm.additional.fields" is set to "resourceId". |
riskDetail | read_only_udm.additional.fields | Direct mapping from the raw log field "riskDetail". The key for "read_only_udm.additional.fields" is set to "riskDetail". |
riskEventTypes | read_only_udm.additional.fields | Direct mapping from the raw log field "riskEventTypes". The key for "read_only_udm.additional.fields" is set to "riskEventTypes". |
riskEventTypes_v2 | read_only_udm.additional.fields | Direct mapping from the raw log field "riskEventTypes_v2". The key for "read_only_udm.additional.fields" is set to "riskEventTypes_v2". |
riskLevelAggregated | read_only_udm.additional.fields | Direct mapping from the raw log field "riskLevelAggregated". The key for "read_only_udm.additional.fields" is set to "riskLevelAggregated". |
riskLevelDuringSignIn | read_only_udm.additional.fields, read_only_udm.security_result.priority | Direct mapping from the raw log field "riskLevelDuringSignIn". The key for "read_only_udm.additional.fields" is set to "riskLevelDuringSignIn". If the value is "medium" then "read_only_udm.security_result.priority" is set to "MEDIUM_PRIORITY". |
riskState | read_only_udm.additional.fields | Direct mapping from the raw log field "riskState". The key for "read_only_udm.additional.fields" is set to "riskState". |
targetResources.0.displayName | read_only_udm.target.resource.name, read_only_udm.target.user.user_display_name, read_only_udm.target.group.group_display_name | If the value of "targetResources.0.type" is "User" or "ServicePrincipal", then the value is mapped to "read_only_udm.target.user.user_display_name". If the value of "targetResources.0.type" is "Group", then the value is mapped to "read_only_udm.target.group.group_display_name". Otherwise, the value is mapped to "read_only_udm.target.resource.name". |
targetResources.0.groupType | read_only_udm.target.group.attribute.labels | Direct mapping from the raw log field "targetResources.0.groupType". The key for "read_only_udm.target.group.attribute.labels" is set to "groupType". |
targetResources.0.id | read_only_udm.target.resource.product_object_id, read_only_udm.target.user.product_object_id, read_only_udm.target.group.product_object_id | If the value of "targetResources.0.type" is "User" or "ServicePrincipal", then the value is mapped to "read_only_udm.target.user.product_object_id". If the value of "targetResources.0.type" is "Group", then the value is mapped to "read_only_udm.target.group.product_object_id". Otherwise, the value is mapped to "read_only_udm.target.resource.product_object_id". |
targetResources.0.modifiedProperties.displayName | read_only_udm.additional.fields, read_only_udm.target.asset.asset_id, read_only_udm.target.user.title, read_only_udm.target.resource.attribute.roles, read_only_udm.target.user.user_display_name, read_only_udm.target.user.first_name, read_only_udm.target.user.last_name, read_only_udm.target.user.department, read_only_udm.target.user.office_address.name, read_only_udm.target.user.employee_id, read_only_udm.target.user.phone_numbers, read_only_udm.target.user.userid, read_only_udm.target.resource.attribute.labels, read_only_udm.src.resource.attribute.labels | The value is mapped to "read_only_udm.additional.fields" with the key set to "targetResources.modifiedProperties.displayname {index}". If the value is "TargetId.DeviceId", then the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.asset.asset_id" with the prefix "Device ID:". If the value is "DisplayName" or "jobTitle", then the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.user.title". If the value is "WellKnownObjectName", then the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.resource.attribute.roles" with the key set to "name". If the value is "displayName" and "targetResources.0.displayName" is null, then the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.user.user_display_name". If the value is "givenName", then the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.user.first_name". If the value is "surname", then the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.user.last_name". If the value is "department", then the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.user.department". If the value is "physicalDeliveryOfficeName", then the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.user.office_address.name". If the value is "employeeId", then the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.user.employee_id". If the value is "mobile", then the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.user.phone_numbers". If the value is "MailNickname", then the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.user.userid". Otherwise, the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.resource.attribute.labels" with the key set to the value of "targetResources.0.modifiedProperties.displayName". The value of "targetResources.0.modifiedProperties.oldValue" is mapped to "read_only_udm.src.resource.attribute.labels" with the key set to the value of "targetResources.0.modifiedProperties.displayName". |
targetResources.0.modifiedProperties.newValue | read_only_udm.target.asset.asset_id, read_only_udm.target.user.title, read_only_udm.target.resource.attribute.roles, read_only_udm.target.user.user_display_name, read_only_udm.target.user.first_name, read_only_udm.target.user.last_name, read_only_udm.target.user.department, read_only_udm.target.user.office_address.name, read_only_udm.target.user.employee_id, read_only_udm.target.user.phone_numbers, read_only_udm.target.user.userid, read_only_udm.target.resource.attribute.labels, read_only_udm.additional.fields | If the value of "targetResources.0.modifiedProperties.displayName" is "TargetId.DeviceId", then the value is mapped to "read_only_udm.target.asset.asset_id" with the prefix "Device ID:". If the value of "targetResources.0.modifiedProperties.displayName" is "DisplayName" or "jobTitle", then the value is mapped to "read_only_udm.target.user.title". If the value of "targetResources.0.modifiedProperties.displayName" is "WellKnownObjectName", then the value is mapped to "read_only_udm.target.resource.attribute.roles" with the key set to "name". If the value of "targetResources.0.modifiedProperties.displayName" is "displayName" and "targetResources.0.displayName" is null, then the value is mapped to "read_only_udm.target.user.user_display_name". If the value of "targetResources.0.modifiedProperties.displayName" is "givenName", then the value is mapped to "read_only_udm.target.user.first_name". If the value of "targetResources.0.modifiedProperties.displayName" is "surname", then the value is mapped to "read_only_udm.target.user.last_name". If the value of "targetResources.0.modifiedProperties.displayName" is "department", then the value is mapped to "read_only_udm.target.user.department". If the value of "targetResources.0.modifiedProperties.displayName" is "physicalDeliveryOfficeName", then the value is mapped to "read_only_udm.target.user.office_address.name". If the value of "targetResources.0.modifiedProperties.displayName" is "employeeId", then the value is mapped to "read_only_udm.target.user.employee_id". If the value of "targetResources.0.modifiedProperties.displayName" is "mobile", then the value is mapped to "read_only_udm.target.user.phone_numbers". If the value of "targetResources.0.modifiedProperties.displayName" is "MailNickname", then the value is mapped to "read_only_udm.target.user.userid". Otherwise, the value is mapped to "read_only_udm.target.resource.attribute.labels" with the key set to the value of "targetResources.0.modifiedProperties.displayName". The value is also mapped to "read_only_udm.additional.fields" with the key set to "targetResources.modifiedProperties.newValue {index}". |
targetResources.0.modifiedProperties.oldValue | read_only_udm.src.resource.attribute.labels, read_only_udm.additional.fields | The value is mapped to "read_only_udm.src.resource.attribute.labels" with the key set to the value of "targetResources.0.modifiedProperties.displayName". The value is also mapped to "read_only_udm.additional.fields" with the key set to "targetResources.modifiedProperties.oldValue {index}". |
targetResources.0.type | read_only_udm.target.resource.resource_subtype, read_only_udm.target.resource.resource_type, read_only_udm.target.user.userid, read_only_udm.target.user.product_object_id, read_only_udm.target.user.user_display_name, read_only_udm.target.group.product_object_id, read_only_udm.target.group.group_display_name | Direct mapping from the raw log field "targetResources.0.type". If the value is "ServicePrincipal", then "read_only_udm.target.resource.resource_type" is set to "SERVICE_ACCOUNT". If the value is "Device", then "read_only_udm.target.resource.resource_type" is set to "DEVICE". Otherwise, "read_only_udm.target.resource.resource_type" is set to "UNSPECIFIED". If the value is "User" or "ServicePrincipal", then the value of "targetResources.0.userPrincipalName" is mapped to "read_only_udm.target.user.userid", the value of "targetResources.0.id" is mapped to "read_only_udm.target.user.product_object_id", and the value of "targetResources.0.displayName" is mapped to "read_only_udm.target.user.user_display_name". If the value is "Group", then the value of "targetResources.0.id" is mapped to "read_only_udm.target.group.product_object_id" and the value of "targetResources.0.displayName" is mapped to "read_only_udm.target.group.group_display_name". |
targetResources.0.userPrincipalName | read_only_udm.target.user.userid, read_only_udm.target.user.email_addresses | If the value contains "@" then it is parsed as an email address and mapped to "read_only_udm.target.user.email_addresses". Otherwise, it is mapped to "read_only_udm.target.user.userid". |
targetResources.displayName | read_only_udm.about.resource.name, read_only_udm.about.user.userid, read_only_udm.about.user.user_display_name, read_only_udm.about.group.group_display_name, read_only_udm.about.group.attribute.labels | If the value of "targetResources.type" is "User" or "ServicePrincipal", then the value is mapped to "read_only_udm.about.user.user_display_name" and "read_only_udm.about.user.userid". If the value of "targetResources.type" is "Group", then the value is mapped to "read_only_udm.about.group.group_display_name", and the value of "targetResources.groupType" is mapped to "read_only_udm.about.group.attribute.labels" with the key set to "groupType". Otherwise, the value is mapped to "read_only_udm.about.resource.name". |
targetResources.groupType | read_only_udm.about.group.attribute.labels, read_only_udm.target.user.group_identifiers | Direct mapping from the raw log field "targetResources.groupType". The key for "read_only_udm.about.group.attribute.labels" is set to "groupType". |
targetResources.id | read_only_udm.about.resource.product_object_id, read_only_udm.about.user.product_object_id, read_only_udm.about.group.product_object_id | If the value of "targetResources.type" is "User" or "ServicePrincipal", then the value is mapped to "read_only_udm.about.user.product_object_id". If the value of "targetResources.type" is "Group", then the value is mapped to "read_only_udm.about.group.product_object_id". Otherwise, the value is mapped to "read_only_udm.about.resource.product_object_id". |
targetResources.modifiedProperties.displayName | read_only_udm.additional.fields | The value is mapped to "read_only_udm.additional.fields" with the key set to "targetResources.modifiedProperties.displayname {index}". |
targetResources.modifiedProperties.newValue | read_only_udm.additional.fields | The value is mapped to "read_only_udm.additional.fields" with the key set to "targetResources.modifiedProperties.newValue {index}". |
targetResources.modifiedProperties.oldValue | read_only_udm.additional.fields | The value is mapped to "read_only_udm.additional.fields" with the key set to "targetResources.modifiedProperties.oldValue {index}". |
targetResources.type | read_only_udm.about.resource.resource_subtype, read_only_udm.about.resource.resource_type, read_only_udm.about.user.userid, read_only_udm.about.user.product_object_id, read_only_udm.about.user.user_display_name, read_only_udm.about.group.product_object_id, read_only_udm.about.group.group_display_name | Direct mapping from the raw log field "targetResources.type". If the value is "ServicePrincipal", then "read_only_udm.about.resource.resource_type" is set to "SERVICE_ACCOUNT". If the value is "Device", then "read_only_udm.about.resource.resource_type" is set to "DEVICE". Otherwise, "read_only_udm.about.resource.resource_type" is set to "UNSPECIFIED". If the value is "User" or "ServicePrincipal", then the value of "targetResources.userPrincipalName" is mapped to "read_only_udm.about.user.userid", the value of "targetResources.id" is mapped to "read_only_udm.about.user.product_object_id", and the value of "targetResources.displayName" is mapped to "read_only_udm.about.user.user_display_name". If the value is "Group", then the value of "targetResources.id" is mapped to "read_only_udm.about.group.product_object_id" and the value of "targetResources.displayName" is mapped to "read_only_udm.about.group.group_display_name". |
targetResources.userPrincipalName | read_only_udm.about.user.userid, read_only_udm.about.user.email_addresses | If the value contains "@" then it is parsed as an email address and mapped to "read_only_udm.about.user.email_addresses". Otherwise, it is mapped to "read_only_udm.about.user.userid". |
tenantId | read_only_udm.additional.fields | Direct mapping from the raw log field "tenantId". The key for "read_only_udm.additional.fields" is set to "tenantId". |
time | read_only_udm.metadata.event_timestamp | Direct mapping from the raw log field "time". |
userId | read_only_udm.target.user.product_object_id | Direct mapping from the raw log field "userId". |
(derived) | read_only_udm.metadata.event_type | Set from the combination of "activityDisplayName", "loggedByService", "category" and the internal flags "principal_userid_present", "target_userid_present" and "principal_ip_present" (whether a principal user ID, a target user ID and a principal IP address were extracted). The logic is complex and depends on the specific combination of these values; the Changes section below records the conditions added over time, such as "USER_CHANGE_PERMISSIONS" and "USER_DELETION". |
operationName | (UDM field not stated on this page) | The value "SSO" is set when "operationName" is "Sign-in activity". |
(constant) | read_only_udm.metadata.vendor_name | Set to "Microsoft". |
(constant) | read_only_udm.metadata.product_name | Set to "Azure AD Directory Audit". |
(constant) | read_only_udm.metadata.log_type | Set to "AZURE_AD_AUDIT". |
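To make the table concrete, the script below applies its core rules to a constructed Microsoft Graph directoryAudit record and prints the resulting UDM fields, so an analyst can see where a user update ends up before writing a search or rule. It is an added example, not the Google Security Operations parser (which is not published on this page): it covers the "result", "initiatedBy.user", first-versus-later "targetResources" (target versus about), type dispatch and the "modifiedProperties" promotion into target.user fields. Keys are the table's UDM paths with the "read_only_udm." prefix dropped, later targetResources are collected in an "about" list, and the running "{index}" for modifiedProperties keys is an assumption about the parser's behaviour. The sample record is constructed and not from a real tenant.

```python
"""Worked example of the Azure AD Directory Audit mapping table (added example;
not the Google Security Operations parser). Keys are UDM paths without the
'read_only_udm.' prefix; the running {index} is an assumption."""
import json

RESOURCE_TYPE = {"ServicePrincipal": "SERVICE_ACCOUNT", "Device": "DEVICE"}  # anything else: UNSPECIFIED
# targetResources.0.modifiedProperties.displayName -> target.user.* field, per the table
USER_FIELD = {
    "givenName": "first_name", "surname": "last_name", "department": "department",
    "jobTitle": "title", "DisplayName": "title", "physicalDeliveryOfficeName": "office_address.name",
    "employeeId": "employee_id", "mobile": "phone_numbers", "MailNickname": "userid",
}


def map_upn(udm: dict, noun: str, upn: str) -> None:
    """userPrincipalName: email address if it contains '@', otherwise a user ID."""
    udm[f"{noun}.user.email_addresses" if "@" in upn else f"{noun}.user.userid"] = upn


def map_resource(noun: str, res: dict) -> dict:
    """One targetResources entry, split by its 'type' into user, group or generic resource."""
    rtype = res.get("type")
    out = {f"{noun}.resource.resource_subtype": rtype,
           f"{noun}.resource.resource_type": RESOURCE_TYPE.get(rtype, "UNSPECIFIED")}
    if rtype in ("User", "ServicePrincipal"):
        out[f"{noun}.user.user_display_name"] = res.get("displayName")
        out[f"{noun}.user.product_object_id"] = res.get("id")
        if res.get("userPrincipalName"):
            map_upn(out, noun, res["userPrincipalName"])
    elif rtype == "Group":
        out[f"{noun}.group.group_display_name"] = res.get("displayName")
        out[f"{noun}.group.product_object_id"] = res.get("id")
        if res.get("groupType"):
            out[f"{noun}.group.attribute.labels"] = {"groupType": res["groupType"]}
    else:
        out[f"{noun}.resource.name"] = res.get("displayName")
        out[f"{noun}.resource.product_object_id"] = res.get("id")
    return out


def map_modified_properties(udm: dict, res: dict, is_target: bool, index: int) -> int:
    """Every modifiedProperties entry lands in additional.fields under a running index;
    for the first (target) resource the new value is also promoted into target.user.*
    or, failing that, into target/src resource labels. Returns the next index."""
    extra = udm.setdefault("additional.fields", {})
    for prop in res.get("modifiedProperties", []):
        name, old, new = prop.get("displayName"), prop.get("oldValue"), prop.get("newValue")
        extra[f"targetResources.modifiedProperties.displayname {index}"] = name
        extra[f"targetResources.modifiedProperties.newValue {index}"] = new
        extra[f"targetResources.modifiedProperties.oldValue {index}"] = old
        if is_target:
            if name == "TargetId.DeviceId":
                udm["target.asset.asset_id"] = f"Device ID:{new}"
            elif name == "WellKnownObjectName":
                udm["target.resource.attribute.roles"] = {"name": new}
            elif name == "displayName" and res.get("displayName") is None:
                udm["target.user.user_display_name"] = new
            elif name in USER_FIELD:
                udm[f"target.user.{USER_FIELD[name]}"] = new
            else:
                udm.setdefault("target.resource.attribute.labels", {})[name] = new
            if old is not None:
                udm.setdefault("src.resource.attribute.labels", {})[name] = old
        index += 1
    return index


def map_event(raw: str) -> dict:
    """Map one raw directoryAudit JSON record to a flat dict of UDM fields."""
    log = json.loads(raw)
    udm = {"metadata.event_timestamp": log.get("activityDateTime"),
           "metadata.product_event_type": log.get("activityDisplayName"),
           "metadata.product_log_id": log.get("id"),
           "security_result.category_details": log.get("category"),
           "security_result.action_details": log.get("operationType"),
           "security_result.summary": log.get("result"),
           "security_result.description": log.get("resultReason"),
           "additional.fields": {"log_category": log.get("category"),
                                 "loggedByService": log.get("loggedByService")}}
    if log.get("result") in ("success", "failure"):
        udm["security_result.action"] = "ALLOW" if log["result"] == "success" else "BLOCK"
    user = log.get("initiatedBy", {}).get("user") or {}
    if user.get("userPrincipalName"):
        upn = user["userPrincipalName"]
        map_upn(udm, "principal", upn)
        if "@" in upn:
            udm["principal.administrative_domain"] = upn.split("@", 1)[1]
        udm["principal.resource.attribute.labels"] = {"User Principal Name": upn}
    if user.get("id"):
        udm["principal.user.product_object_id"] = user["id"]
    if user.get("ipAddress"):
        udm["principal.ip"] = [user["ipAddress"]]
    index = 0
    for i, res in enumerate(log.get("targetResources", [])):
        if i == 0:
            udm.update(map_resource("target", res))   # first iteration -> target
        else:
            udm.setdefault("about", []).append(map_resource("about", res))  # later ones -> about
        index = map_modified_properties(udm, res, i == 0, index)
    return udm


# Constructed record in Microsoft Graph directoryAudit shape (not from a real tenant).
SAMPLE = json.dumps({
    "id": "Directory_00000000-0000-0000-0000-000000000001", "category": "UserManagement",
    "activityDateTime": "2024-07-30T12:34:56Z", "activityDisplayName": "Update user",
    "operationType": "Update", "loggedByService": "Core Directory", "result": "success", "resultReason": "",
    "initiatedBy": {"user": {"id": "11111111-1111-1111-1111-111111111111",
                             "userPrincipalName": "admin@example.com", "ipAddress": "203.0.113.10"}},
    "targetResources": [
        {"id": "22222222-2222-2222-2222-222222222222", "displayName": "Jane Doe", "type": "User",
         "userPrincipalName": "jane.doe@example.com",
         "modifiedProperties": [{"displayName": "department", "oldValue": "Sales", "newValue": "Engineering"},
                                {"displayName": "jobTitle", "oldValue": None, "newValue": "Staff Engineer"}]},
        {"id": "33333333-3333-3333-3333-333333333333", "displayName": "Engineering", "type": "Group",
         "groupType": "unifiedGroups", "modifiedProperties": []}]})

if __name__ == "__main__":
    print(json.dumps(map_event(SAMPLE), indent=2))
```

For the sample, the department change surfaces as target.user.department = "Engineering" with the previous value in src.resource.attribute.labels, the initiating admin's domain lands in principal.administrative_domain, and the group that was also touched appears only under about, which is why a rule that looks at target.group alone would miss it.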
Changes
2024-07-30
- "metadata.event_type" is now mapped to "USER_CHANGE_PERMISSIONS" only when "principal.user.userid" or "target.user.userid" is present.
2024-06-26
- Mapped delta between "targetResources.modifiedProperties.newValue" and "targetResources.modifiedProperties.oldValue" to "additional.fields".
2024-06-10
- When "initiatedBy.user.ipAddress" contains an IP address, "principal_ip_present" is set to "true".
- Added a condition to set "metadata.event_type" to "USER_DELETION" only when "principal_ip_present" is "true".
2024-06-03
- Added a JSON block to parse unparsed logs.
- Added a conditional check for "event_type" "USER_DELETION".
2024-05-20
Bug-Fix:
- Modified the mapping of "targetResources".
- Mapped the first iteration of "targetResources" to "target" and the following iterations to "about".
- Changed key name of "loggedByService" field to "loggedByService" from "log_Service".
- Changed mapping of "resourceId" from "target.resource.id" to "additional_fields".
- When "targetResources.type" = "Application", "Policy", "Role", "Directory", "RoleAssignment", "Request", "Provider", "Other", then mapped "targetResources.displayName" to "noun.resource.name"; "targetResources.id" to "noun.resource.product_object_id"; "noun.resource.resource_type" = "UNSPECIFIED" and "targetResource.type" to "noun.resource.resource_subtype".
- When "targetResources.type" = "User", then mapped "targetResources.displayName" to "noun.resource.name"; "targetResources.id" to "noun.resource.product_object_id"; "noun.resource.resource_type" = "UNSPECIFIED"; "targetResource.type" to "noun.resource.resource_subtype"; "targetResources.displayName" to "noun.user.user_display_name"; "targetResources.id" to "noun.user.product_object_id"; "targetResources.userPrincipalName" to "noun.user.userid".
- When "targetResources.type" = "ServicePrincipal", then mapped "targetResources.displayName" to "noun.resource.name", "targetResources.id" to "noun.resource.product_object_id", "noun.resource.resource_type" = "SERVICE_ACCOUNT", "targetResource.type" to "noun.resource.resource_subtype", "targetResources.displayName" to "noun.user.user_display_name", "targetResources.id" to "noun.user.product_object_id" and "targetResources.userPrincipalName" to "noun.user.userid".
- When "targetResources.type" = "Group", then mapped "targetResources.displayName" to "noun.resource.name", "targetResources.id" to "noun.resource.product_object_id", "noun.resource.resource_type" = "UNSPECIFIED" , "targetResource.type" to "noun.resource.resource_subtype", "targetResources.displayName" to "noun.group.group_display_name", "targetResources.id" to "noun.group.product_object_id", and "groupType" to "noun.group.attribute.labels".
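As an added illustration of the 2024-05-20 "targetResources" rules above (this is example code written for this page, not the parser's own configuration), the following Python sketch applies them to a constructed Microsoft Graph audit record: the first "targetResources" element populates "target", the rest populate "about", and the "resource_type" plus user or group sub-fields are chosen by "targetResources.type". The sample record, its IDs and names are constructed.

```python
# Constructed sample record: one User target followed by one Group target.
SAMPLE_EVENT = {
    "targetResources": [
        {"type": "User", "id": "user-guid-1", "displayName": "Alice Example",
         "userPrincipalName": "alice@example.com"},
        {"type": "Group", "id": "group-guid-9", "displayName": "Finance Admins",
         "groupType": "Unified"},
    ]
}

# Types listed in the 2024-05-20 entry that produce noun.resource fields.
RESOURCE_TYPES = {"Application", "Policy", "Role", "Directory", "RoleAssignment",
                  "Request", "Provider", "Other", "User", "ServicePrincipal", "Group"}


def map_target_resource(res: dict) -> dict:
    """Build the UDM noun (target or about) sub-fields for one targetResources element."""
    rtype = res.get("type")
    if rtype not in RESOURCE_TYPES:
        return {}
    noun = {"resource": {
        "name": res.get("displayName"),
        "product_object_id": res.get("id"),
        # Only service principals get a specific resource_type; all others are UNSPECIFIED.
        "resource_type": "SERVICE_ACCOUNT" if rtype == "ServicePrincipal" else "UNSPECIFIED",
        "resource_subtype": rtype,
    }}
    if rtype in ("User", "ServicePrincipal"):
        noun["user"] = {
            "user_display_name": res.get("displayName"),
            "product_object_id": res.get("id"),
            "userid": res.get("userPrincipalName"),
        }
    elif rtype == "Group":
        noun["group"] = {
            "group_display_name": res.get("displayName"),
            "product_object_id": res.get("id"),
            "attribute": {"labels": [{"key": "groupType", "value": res.get("groupType")}]},
        }
    return noun


def map_event(event: dict) -> dict:
    """First targetResources element fills "target"; the remaining ones fill "about"."""
    resources = event.get("targetResources", [])
    if not resources:
        return {}
    return {"target": map_target_resource(resources[0]),
            "about": [map_target_resource(r) for r in resources[1:]]}
```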
2024-05-17
- Mapped "initiatedBy.user.id" to "principal.user.product_object_id".
- Mapped "initiatedBy.user.userPrincipalName" to "principal.user.userid".
2024-03-18
- Displayed the "targetResources.modifiedProperties.displayname", "targetResources.modifiedProperties.newValue", and "targetResources.modifiedProperties.oldValue" fields even when the value is null.
- Mapped "callerIpAddress" to "principal.ip".
2024-03-12
Bug-Fix:
- Synced the Azure Monitor envelope-format log mappings with the Microsoft Graph API format log mappings.
- Mapped "target.resource.resource_type" based on "targetResources.type".
- Mapped "targetResources.type" to "target.resource.type".
2024-03-04
- Mapped "user_principal_name" from "initiatedBy.user.userPrincipalName" to "principal.resource.attribute.labels".
- Mapped "domain" from "initiatedBy.user.userPrincipalName" to "principal.administrative_domain".
- Mapped "loggedByService" and "properties.loggedByService" to "additional.fields".
- Changed mapping of "initiatedBy.user.id" from "principal.user.product_object_id" to "principal.user.userid".
- Mapped "tgt_user_principal_name" from "target.userPrincipalName" to "target.resource.attribute.labels".
- Mapped "domain" from "target.userPrincipalName" to "target.administrative_domain".
- Mapped "category" to "additional.fields".
- When "additionalDetails[n].key" is "AppId", then mapped "additionalDetails[n].value" to "target.process.pid".
- When "additionalDetails[n].key" is "User-Agent", then mapped "additionalDetails[n].value" to "network.http.user_agent" and "network.http.parsed_user_agent".
- Mapped "metadata.event_type" based on "loggedByService", "category" and "activityDisplayName".
- Mapped "targetResources.modifiedProperties.displayname", "targetResources.modifiedProperties.newValue" and "targetResources.modifiedProperties.oldValue" to "additional.fields".
2024-02-21
- Added conditional check if "principal.user.userid" is present before setting "metadata.event_type" to "USER_CREATION".
- Changed mapping of "initiatedBy.user.id" from "principal.user.userid" to "principal.user.product_object_id".
- Changed mapping of "initiatedBy.app.servicePrincipalId" from "principal.user.userid" to "principal.user.product_object_id".
- Changed mapping of "initiatedBy.app.servicePrincipalName" from "principal.user.user_display_name" to "principal.user.userid".
- Changed mapping of "properties.initiatedBy.user.id" from "principal.user.userid" to "principal.user.product_object_id".
- Changed mapping of "properties.initiatedBy.app.servicePrincipalId" from "principal.user.userid" to "principal.user.product_object_id".
- Changed mapping of "properties.initiatedBy.app.servicePrincipalName" from "principal.user.user_display_name" to "principal.user.userid".
- If "targetResourceType" value is similar to "User" or "ServicePrincipal", then changed mapping of "target.id" from "target.user.userid" to "target.user.product_object_id".
- If "targetResourceType" value is similar to "User" or "ServicePrincipal", then mapped "target.userPrincipalName" to "target.user.userid".
- If "targetResourceType" value is similar to "User" or "ServicePrincipal", then mapped "target.displayName" to "target.user.user_display_name".
2024-02-12
- Added conditional check for "modifiedProperty.displayName", "modifiedProperty.newValue", and "modifiedProperty.oldValue".
- When "targetResource.id" is "User" or "ServicePrincipal", then mapped it to "target.user.userid".
2024-01-08
Bug-Fix:
- Added a Grok pattern to validate email values before mapping them to "principal.user.email_addresses" and "target.user.email_addresses".
2023-12-19
- Mapped "targetResource.modifiedProperties.newValue", "targetResource.modifiedProperties.oldValue", and "targetResource.modifiedProperties.displayName" to "additional.fields".
2023-11-23
- Mapped "targetResources.0.modifiedProperties.newValue/oldValue" fields to "event.idm.read_only_udm.additional.fields".
- Added an IP address format check on "initiatedBy.user.ipAddress" before mapping it to UDM.
2023-10-16
- Modified the following mappings:
- Changed 'metadata.event_type' from 'USER_UNCATEGORIZED' to 'USER_RESOURCE_ACCESS' where 'target.type' is not 'user'.
- Changed mapping of 'target.id' from 'principal.user.userid' to 'principal.user.group_or_identifiers' where 'target.type' is not 'user'.
- Mapped the field previously mapped to 'target.resource.id' to 'target.resource.product_object_id' as well, because 'target.resource.id' is deprecated.
2023-08-03
- Modified the following mappings:
- Changed 'metadata.event_type' from 'USER_UNCATEGORIZED' to 'USER_CREATION' where 'activityDisplayName' is 'Add user'.
- Changed mapping of 'activityDisplayName' from 'metadata.description' to 'metadata.product_event_type'.
- Mapped the appropriate 'metadata.event_type' where 'activityDisplayName' is 'Add member to group' or 'Add owner to group'.
- All fields under 'targetResources' are now mapped to the UDM 'target.user' fields.
- Mapped 'target.user.userid' from the correct 'id' under 'targetResource'.
- Where 'activityDisplayName' is 'Add member to role outside of PIM (permanent)', mapped the 'target.user' fields when the resource type is 'User'.
- Where 'activityDisplayName' is 'Add Member to Role', mapped 'Role.WellKnownObjectName' to 'target.resource.attribute.roles.name'.
2023-07-24
- Mapped "targetresources.modifiedproperties.newvalue" to "target.user.title" when the "targetresources.modifiedproperties.displayname" value contains "role.displayname".
2023-05-25
- Bug-fix: Changed mapping from "target.resource.attribute.labels.value" to "target.user.userid" when "targetResources.modifiedProperties.displayName" equals "mailNickname".
2023-05-05
- Modified the following mappings:
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.product_object_id" when "targetResources.modifiedProperties.displayName" equals "objectId".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.user_display_name" when "targetResources.modifiedProperties.displayName" equals "displayName".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.first_name" when "targetResources.modifiedProperties.displayName" equals "givenName".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.title" when "targetResources.modifiedProperties.displayName" equals "jobTitle".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.email_addresses" when "targetResources.modifiedProperties.displayName" equals "mail".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.last_name" when "targetResources.modifiedProperties.displayName" equals "surname".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.department" when "targetResources.modifiedProperties.displayName" equals "department".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.office_address.name" when "targetResources.modifiedProperties.displayName" equals "physicalDeliveryOfficeName".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.employee_id" when "targetResources.modifiedProperties.displayName" equals "employeeId".
- Changed mapping from "target.resource.attribute.labels.value" to "target.user.phone_numbers" when "targetResources.modifiedProperties.displayName" equals "mobile".
2023-04-18
- Mapped "initiatedBy.user.userPrincipalName" to "principal.user.user_display_name", "principal.user.userid", or "principal.user.email_addresses".
- Mapped "targetResources.type" to "target.resource.attribute.labels".
2023-04-12
Enhancement -
- Mapped "initiatedBy.user.userPrincipalName" to "principal.user.email_addresses" and "event_type" to "USER_UNCATEGORIZED" when "initiatedBy.user.userPrincipalName" is not null.
- If "targetResources.modifiedProperties.displayName" is "userPrincipalName", then mapped it to "principal.user.email_addresses".
- Mapped "event_type" to "USER_UNCATEGORIZED" when "activityDisplayName" is in ["Issue an id_token to the application", "Set Company Information"].
2023-02-20
Bug-Fix -
- Mapped multiple IP addresses coming under key "additionalDetails.ClientIpAddress" to "principal.ip".
- Mapped metadata.event_type as "USER_UNCATEGORIZED" when "activityDisplayName" equals "Delete user" and "initiatedBy.user.userPrincipalName" field is not present.
2023-02-02
- Enhancement - Mapped the following when "activityDisplayName" equals "Delete user":
- Mapped "event_type" to "USER_DELETION".
- Mapped "initiatedBy.user.userPrincipalName" to "principal.user.userid".
2022-11-24
Enhancement -
- Mapped "modifiedProperties.newValue" to "target.resource.attribute.labels".
- Mapped "modifiedProperties.oldValue" to "src.resource.attribute.labels".
2022-11-07
Enhancement -
- Mapped "target.modifiedProperties.TargetId.DeviceId" to "event.idm.read_only_udm.target.asset.asset_id".
2022-09-16
Enhancement -
- Mapped "properties.initiatedBy.user.ipAddress" to "principal.ip".
- Mapped "properties.initiatedBy.user.userPrincipalName" to "principal.user.userid".
- Mapped "properties.resultReason" to "security_result.description".
- Mapped "identity" to "target.user.userid".
- Mapped "operationName" to "metadata.product_event_type".
- Mapped "metadata.event_type" to "USER_UNCATEGORIZED" where "properties.activityDisplayName" is "Get resource properties of a tenant".
- Mapped "category" and "properties.category" to "security_result.category_details".
- Mapped "resultDescription" to "metadata.description".
- Mapped "resultType" to "security_result.rule_id".
2022-06-20
- Enhancement - Enhanced the parser to parse logs with category 'AuditLogs' and 'SignInLogs' by adding the following mappings:
- Mapped the field 'properties.id' to 'metadata.product_log_id'.
- Mapped the field 'properties.loggedByService' to 'target.application'.
- Mapped the field 'Level' to 'security_result.severity' and 'security_result.severity_details'.
- Mapped the field 'properties.result' to 'security_result.summary' and 'security_result.action'.
- Mapped the field 'properties.operationType' to 'security_result.action_details'.
- Mapped the field 'properties.activityDisplayName' to 'metadata.description'.
- Mapped the field 'properties.category' to 'metadata.product_event_type'.
- Mapped the field 'properties.resultReason' to 'security_result.description'.
- Mapped the field 'properties.initiatedBy.app.displayName' to 'principal.application'.
- Mapped the field 'properties.ipAddress' to 'principal.ip'.
- Mapped the field 'properties.initiatedBy.app.servicePrincipalId' to 'principal.user.userid'.
- Mapped the field 'properties.initiatedBy.app.servicePrincipalName' to 'principal.user.user_display_name'.
- Mapped the field 'properties.appId' and 'properties.initiatedBy.app.appId' to 'principal.resource.attribute.labels'.
- Mapped the field 'properties.location.city' to 'principal.location.city'.
- Mapped the field 'properties.location.state' to 'principal.location.state'.
- Mapped the field 'properties.location.countryOrRegion' to 'principal.location.country_or_region'.
- Mapped the field 'properties.location.geoCoordinates.latitude' to 'principal.location.region_latitude'.
- Mapped the field 'properties.location.geoCoordinates.longitude' to 'principal.location.region_longitude'.
- Mapped the fields 'properties.targetResources.modifiedProperties' to 'target.user.attribute.labels'.
- Mapped the field 'targetResources.displayName' to 'target.user.user_display_name'.
- Mapped the field 'targetResources.id' to 'target.user.userid'.
- Mapped the fields 'properties.additionalDetails', 'properties.riskDetail', 'properties.riskEventTypes', 'properties.riskEventTypes_v2', 'properties.riskLevelAggregated', 'properties.riskLevelDuringSignIn', 'properties.riskState', 'properties.conditionalAccessStatus', 'tenantId' to 'additional.fields'.
- Mapped the field 'operationVersion' to 'metadata.product_version'.
- Mapped the field 'properties.appliedConditionalAccessPolicies.displayName' to 'about.user.user_display_name'.
- Mapped the field 'properties.appliedConditionalAccessPolicies.id' to 'about.user.userid'.
- Mapped the field 'properties.appliedConditionalAccessPolicies.result' to 'about.labels'.