Collect Microsoft Azure AD Audit logs

This document describes how you can collect Microsoft Azure Active Directory (AD) logs by setting up a Google Security Operations feed.

Azure Active Directory (AZURE_AD) is now called Microsoft Entra ID. Azure AD audit logs (AZURE_AD_AUDIT) are now Microsoft Entra ID audit logs.

For more information, see Data ingestion to Google Security Operations.

An ingestion label identifies the parser that normalizes raw log data to the structured UDM format.

Before you begin

To complete the tasks on this page, ensure that you have the following:

  • An Azure subscription that you can sign in to.
  • A global administrator or Azure AD administrator role.
  • An Azure AD (tenant) in Azure.

Configure Azure AD

  1. Sign in to the Azure portal.
  2. Go to Home > App registration and select a registered application, or register an application if you haven't created one yet.
  3. To register an application, in the App registration section, click New registration.
  4. In the Name field, provide the display name for your application.
  5. In the Supported account types section, select the required option to specify who can use the application or access the API.
  6. Click Register.
  7. Go to the Overview page and copy the application (client) ID and the directory (tenant) ID, which are required to configure the Google Security Operations feed.
  8. Click API permissions.
  9. Click Add a permission, and then select Microsoft Graph in the new pane.
  10. Click Application permissions.
  11. Select AuditLog.Read.All, Directory.Read.All, and SecurityEvents.Read.All permissions. Ensure that the permissions are Application permissions and not Delegated permissions.
  12. Click Grant admin consent for default directory. Applications are authorized to call APIs when they are granted permissions by users or administrators as part of the consent process.
  13. Go to Settings > Manage.
  14. Click Certificates and secrets.
  15. Click New client secret. In the Value field, the client secret appears.
  16. Copy the client secret value. The value is displayed only at the time of creation; it is required for the Azure app registration and for configuring the Google Security Operations feed.
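Before moving on to the feed, it is worth confirming that the registration's credentials and Application permissions actually work; a feed that fails because admin consent was never granted, or because the permissions were added as Delegated rather than Application, is hard to diagnose from the SIEM side. The script below is an added example, not part of this documentation or of Google Security Operations. It performs the same OAuth 2.0 client-credentials token request the feed performs, reads the token's roles claim to check that AuditLog.Read.All, Directory.Read.All and SecurityEvents.Read.All were granted as Application permissions, and fetches one directoryAudits record. The environment variable names (AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET) and the unsigned_token helper used only for the offline self-check are assumptions of the example.

```python
"""Pre-flight check for the Azure app registration used by the feed.

Added example; not code from the Google Security Operations documentation.
It runs the client-credentials exchange the feed runs, decodes the access
token it gets back, and confirms that the three Application permissions from
the registration steps appear in the token's "roles" claim. Missing admin
consent, or permissions added as Delegated, show up here as missing roles
before the feed is ever configured. The environment variable names are
placeholders chosen for this example.
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# One record is enough to prove the permission works end to end.
AUDIT_URL = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$top=1"
# Application permissions the registration steps tell you to grant.
REQUIRED_ROLES = {"AuditLog.Read.All", "Directory.Read.All", "SecurityEvents.Read.All"}


def token_request(tenant_id, client_id, client_secret):
    """Build the (url, form body) pair for the v2.0 client-credentials grant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    })
    return url, body


def jwt_claims(token):
    """Decode a JWT payload without verifying it. We only inspect a token we
    just received from the issuer ourselves; no trust decision rests on it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token, required=frozenset(REQUIRED_ROLES)):
    """Application permissions in `required` absent from the token's roles claim.
    Permissions added as Delegated never appear in "roles", so the wrong
    permission type is caught here as well."""
    granted = set(jwt_claims(token).get("roles", []))
    return sorted(required - granted)


def unsigned_token(claims):
    """Build a header.payload. token with an empty signature. Used only for the
    offline self-check of missing_roles(); never accept such a token as input."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."


def fetch_token(tenant_id, client_id, client_secret):
    """Perform the real token request against login.microsoftonline.com."""
    url, body = token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def main():
    # Placeholder variable names; set them from the values copied in the steps above.
    token = fetch_token(os.environ["AZURE_TENANT_ID"], os.environ["AZURE_CLIENT_ID"],
                        os.environ["AZURE_CLIENT_SECRET"])
    missing = missing_roles(token)
    if missing:
        print("missing Application permissions (check admin consent):", ", ".join(missing))
        return 1
    req = urllib.request.Request(AUDIT_URL, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as resp:
            print("directoryAudits reachable; records returned:", len(json.load(resp)["value"]))
    except urllib.error.HTTPError as err:
        print(f"directoryAudits call failed: HTTP {err.code}")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with the three variables exported. A non-empty list of missing roles almost always means that Grant admin consent was not clicked or that the permissions were added under Delegated permissions; an HTTP 403 on the audit call with all roles present points at a consent change that has not propagated yet.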

Configure a feed in Google Security Operations to ingest Azure AD Audit logs

  1. Select SIEM Settings > Feeds.
  2. Click Add new.
  3. Enter a unique name for the Feed name.
  4. Select Third party API as the Source type.
  5. Select Azure AD Directory Audit as the Log type.
  6. Click Next.
  7. Configure the following mandatory input parameters:
    • OAUTH client ID: specify the client ID that you obtained previously.
    • OAUTH client secret: specify the client secret that you obtained previously.
    • Tenant ID: specify the tenant ID that you obtained previously.
  8. Click Next and then click Submit.

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type. If you encounter issues when you create feeds, contact Google Security Operations support.

Field mapping reference

This parser processes Azure AD Directory Audit logs in JSON format. It extracts relevant fields, transforms them into a unified data model (UDM), and enriches the data with additional context like user details, IP addresses, and security outcomes. The parser also categorizes events based on their characteristics, mapping them to specific UDM event types for easier analysis.

UDM Mapping Table

| Log Field | UDM Mapping | Logic |
|---|---|---|
| activityDateTime | read_only_udm.metadata.event_timestamp | Direct mapping from the raw log field "activityDateTime". |
| activityDisplayName | read_only_udm.metadata.product_event_type | Direct mapping from the raw log field "activityDisplayName". |
| additionalDetails.ApplicationId | read_only_udm.additional.fields | Direct mapping from the raw log field "additionalDetails", where key is "ApplicationId". |
| additionalDetails.Client | read_only_udm.network.http.user_agent | Direct mapping from the raw log field "additionalDetails", where key is "Client". |
| additionalDetails.ClientIpAddress | read_only_udm.principal.ip, read_only_udm.principal.asset.ip | Direct mapping from the raw log field "additionalDetails", where key is "ClientIpAddress". |
| additionalDetails.DomainName | read_only_udm.target.hostname, read_only_udm.target.asset.hostname | Direct mapping from the raw log field "additionalDetails", where key is "DomainName". |
| additionalDetails.EmailAddress | read_only_udm.target.user.email_addresses | Direct mapping from the raw log field "additionalDetails", where key is "EmailAddress". |
| additionalDetails.GrantType | read_only_udm.additional.fields | Direct mapping from the raw log field "additionalDetails", where key is "GrantType". |
| additionalDetails.LocalAccountUsername | read_only_udm.additional.fields | Direct mapping from the raw log field "additionalDetails", where key is "LocalAccountUsername". |
| additionalDetails.PhoneNumber | read_only_udm.target.user.phone_numbers | Direct mapping from the raw log field "additionalDetails", where key is "PhoneNumber". |
| additionalDetails.PolicyId | read_only_udm.security_result.rule_name | Direct mapping from the raw log field "additionalDetails", where key is "PolicyId". |
| additionalDetails.Scopes | read_only_udm.additional.fields | Direct mapping from the raw log field "additionalDetails", where key is "Scopes". |
| additionalDetails.TenantId | read_only_udm.additional.fields | Direct mapping from the raw log field "additionalDetails", where key is "TenantId". |
| additionalDetails.VerificationMethod | read_only_udm.additional.fields | Direct mapping from the raw log field "additionalDetails", where key is "VerificationMethod". |
| appId | read_only_udm.target.process.pid | Direct mapping from the raw log field "appId". |
| appliedConditionalAccessPolicies | read_only_udm.about | The "displayName" field is mapped to "read_only_udm.about.user.user_display_name" and the "id" field is mapped to "read_only_udm.about.user.userid". The "result" field is mapped to "read_only_udm.about.labels", with the key set to "Result". |
| category | read_only_udm.additional.fields, read_only_udm.security_result.category_details | Direct mapping from the raw log field "category". The key for "read_only_udm.additional.fields" is set to "log_category". |
| callerIpAddress | read_only_udm.principal.ip, read_only_udm.principal.asset.ip | Direct mapping from the raw log field "callerIpAddress". |
| clientAppUsed | read_only_udm.principal.application | Direct mapping from the raw log field "clientAppUsed". |
| correlationId | read_only_udm.network.session_id | Direct mapping from the raw log field "correlationId". |
| id | read_only_udm.metadata.product_log_id | Direct mapping from the raw log field "id". |
| identity | read_only_udm.target.user.userid | Direct mapping from the raw log field "identity". |
| initiatedBy.app.appId | read_only_udm.principal.resource.attribute.labels | Direct mapping from the raw log field "initiatedBy.app.appId". The key for "read_only_udm.principal.resource.attribute.labels" is set to "App Id". |
| initiatedBy.app.displayName | read_only_udm.principal.application | Direct mapping from the raw log field "initiatedBy.app.displayName". |
| initiatedBy.app.servicePrincipalId | read_only_udm.principal.user.product_object_id | Direct mapping from the raw log field "initiatedBy.app.servicePrincipalId". |
| initiatedBy.app.servicePrincipalName | read_only_udm.principal.user.userid | Direct mapping from the raw log field "initiatedBy.app.servicePrincipalName". |
| initiatedBy.user.displayName | read_only_udm.principal.user.user_display_name, read_only_udm.principal.user.email_addresses | If the value contains "@" then it is parsed as an email address and mapped to "read_only_udm.principal.user.email_addresses". Otherwise, it is mapped to "read_only_udm.principal.user.user_display_name". |
| initiatedBy.user.id | read_only_udm.principal.user.product_object_id | Direct mapping from the raw log field "initiatedBy.user.id". |
| initiatedBy.user.ipAddress | read_only_udm.principal.ip, read_only_udm.principal.asset.ip | Direct mapping from the raw log field "initiatedBy.user.ipAddress". |
| initiatedBy.user.userPrincipalName | read_only_udm.principal.user.userid, read_only_udm.principal.user.email_addresses, read_only_udm.principal.administrative_domain, read_only_udm.principal.resource.attribute.labels | If the value contains "@" then it is parsed as an email address and mapped to "read_only_udm.principal.user.email_addresses". Otherwise, it is mapped to "read_only_udm.principal.user.userid". The domain part of the email address is mapped to "read_only_udm.principal.administrative_domain". The full value is also mapped to "read_only_udm.principal.resource.attribute.labels" with the key set to "User Principal Name". |
| ipAddress | read_only_udm.principal.ip, read_only_udm.principal.asset.ip | Direct mapping from the raw log field "ipAddress". |
| Level | read_only_udm.security_result.severity, read_only_udm.security_result.severity_details | The value is converted to a string and mapped to "read_only_udm.security_result.severity_details". The "read_only_udm.security_result.severity" field is set to "INFORMATIONAL". |
| location.city | read_only_udm.principal.location.city | Direct mapping from the raw log field "location.city". |
| location.countryOrRegion | read_only_udm.principal.location.country_or_region | Direct mapping from the raw log field "location.countryOrRegion". |
| location.geoCoordinates.latitude | read_only_udm.principal.location.region_latitude | Direct mapping from the raw log field "location.geoCoordinates.latitude". |
| location.geoCoordinates.longitude | read_only_udm.principal.location.region_longitude | Direct mapping from the raw log field "location.geoCoordinates.longitude". |
| location.state | read_only_udm.principal.location.state | Direct mapping from the raw log field "location.state". |
| loggedByService | read_only_udm.additional.fields | Direct mapping from the raw log field "loggedByService". The key for "read_only_udm.additional.fields" is set to "loggedByService". |
| operationName | read_only_udm.metadata.product_event_type | Direct mapping from the raw log field "operationName". |
| operationType | read_only_udm.security_result.action_details | Direct mapping from the raw log field "operationType". |
| properties.activityDateTime | read_only_udm.metadata.event_timestamp | Direct mapping from the raw log field "properties.activityDateTime". |
| properties.activityDisplayName | read_only_udm.metadata.product_event_type | Direct mapping from the raw log field "properties.activityDisplayName". |
| properties.appDisplayName | read_only_udm.target.application | Direct mapping from the raw log field "properties.appDisplayName". |
| properties.category | read_only_udm.security_result.category_details | Direct mapping from the raw log field "properties.category". |
| properties.id | read_only_udm.metadata.product_log_id | Direct mapping from the raw log field "properties.id". |
| properties.initiatedBy.app.appId | read_only_udm.principal.resource.attribute.labels | Direct mapping from the raw log field "properties.initiatedBy.app.appId". The key for "read_only_udm.principal.resource.attribute.labels" is set to "App Id". |
| properties.initiatedBy.app.displayName | read_only_udm.principal.application | Direct mapping from the raw log field "properties.initiatedBy.app.displayName". |
| properties.initiatedBy.app.servicePrincipalId | read_only_udm.principal.user.product_object_id | Direct mapping from the raw log field "properties.initiatedBy.app.servicePrincipalId". |
| properties.initiatedBy.app.servicePrincipalName | read_only_udm.principal.user.userid | Direct mapping from the raw log field "properties.initiatedBy.app.servicePrincipalName". |
| properties.initiatedBy.user.displayName | read_only_udm.principal.user.user_display_name, read_only_udm.principal.user.email_addresses | If the value contains "@" then it is parsed as an email address and mapped to "read_only_udm.principal.user.email_addresses". Otherwise, it is mapped to "read_only_udm.principal.user.user_display_name". |
| properties.initiatedBy.user.id | read_only_udm.principal.user.product_object_id | Direct mapping from the raw log field "properties.initiatedBy.user.id". |
| properties.initiatedBy.user.ipAddress | read_only_udm.principal.ip, read_only_udm.principal.asset.ip | Direct mapping from the raw log field "properties.initiatedBy.user.ipAddress". |
| properties.initiatedBy.user.userPrincipalName | read_only_udm.principal.user.userid, read_only_udm.principal.user.email_addresses, read_only_udm.principal.administrative_domain, read_only_udm.principal.resource.attribute.labels | If the value contains "@" then it is parsed as an email address and mapped to "read_only_udm.principal.user.email_addresses". Otherwise, it is mapped to "read_only_udm.principal.user.userid". The domain part of the email address is mapped to "read_only_udm.principal.administrative_domain". The full value is also mapped to "read_only_udm.principal.resource.attribute.labels" with the key set to "User Principal Name". |
| properties.loggedByService | read_only_udm.additional.fields | Direct mapping from the raw log field "properties.loggedByService". The key for "read_only_udm.additional.fields" is set to "loggedByService". |
| properties.operationType | read_only_udm.security_result.action_details | Direct mapping from the raw log field "properties.operationType". |
| properties.result | read_only_udm.security_result.summary | Direct mapping from the raw log field "properties.result". |
| properties.resultReason | read_only_udm.security_result.description | Direct mapping from the raw log field "properties.resultReason". |
| properties.userPrincipalName | read_only_udm.target.user.user_display_name | Direct mapping from the raw log field "properties.userPrincipalName". |
| result | read_only_udm.security_result.summary, read_only_udm.security_result.action | Direct mapping from the raw log field "result". If the value is "success" then "read_only_udm.security_result.action" is set to "ALLOW". If the value is "failure" then "read_only_udm.security_result.action" is set to "BLOCK". |
| resultDescription | read_only_udm.metadata.description, read_only_udm.security_result.description | Direct mapping from the raw log field "resultDescription". |
| resultReason | read_only_udm.security_result.description | Direct mapping from the raw log field "resultReason". |
| resultType | read_only_udm.security_result.rule_id, read_only_udm.security_result.summary, read_only_udm.security_result.action | Direct mapping from the raw log field "resultType". If the value is "0" then "read_only_udm.security_result.action" is set to "ALLOW" and "read_only_udm.security_result.summary" is set to "Successful login occurred". Otherwise, "read_only_udm.security_result.action" is set to "BLOCK", "read_only_udm.security_result.summary" is set to "Failed login occurred", "read_only_udm.security_result.description" is set to the value of "resultDescription", and "read_only_udm.security_result.severity" is set to "ERROR". |
| resourceDisplayName | read_only_udm.target.resource.name | Direct mapping from the raw log field "resourceDisplayName". |
| resourceId | read_only_udm.additional.fields | Direct mapping from the raw log field "resourceId". The key for "read_only_udm.additional.fields" is set to "resourceId". |
| riskDetail | read_only_udm.additional.fields | Direct mapping from the raw log field "riskDetail". The key for "read_only_udm.additional.fields" is set to "riskDetail". |
| riskEventTypes | read_only_udm.additional.fields | Direct mapping from the raw log field "riskEventTypes". The key for "read_only_udm.additional.fields" is set to "riskEventTypes". |
| riskEventTypes_v2 | read_only_udm.additional.fields | Direct mapping from the raw log field "riskEventTypes_v2". The key for "read_only_udm.additional.fields" is set to "riskEventTypes_v2". |
| riskLevelAggregated | read_only_udm.additional.fields | Direct mapping from the raw log field "riskLevelAggregated". The key for "read_only_udm.additional.fields" is set to "riskLevelAggregated". |
| riskLevelDuringSignIn | read_only_udm.additional.fields, read_only_udm.security_result.priority | Direct mapping from the raw log field "riskLevelDuringSignIn". The key for "read_only_udm.additional.fields" is set to "riskLevelDuringSignIn". If the value is "medium" then "read_only_udm.security_result.priority" is set to "MEDIUM_PRIORITY". |
| riskState | read_only_udm.additional.fields | Direct mapping from the raw log field "riskState". The key for "read_only_udm.additional.fields" is set to "riskState". |
| targetResources.0.displayName | read_only_udm.target.resource.name, read_only_udm.target.user.user_display_name, read_only_udm.target.group.group_display_name | If the value of "targetResources.0.type" is "User" or "ServicePrincipal", then the value is mapped to "read_only_udm.target.user.user_display_name". If the value of "targetResources.0.type" is "Group", then the value is mapped to "read_only_udm.target.group.group_display_name". Otherwise, the value is mapped to "read_only_udm.target.resource.name". |
| targetResources.0.groupType | read_only_udm.target.group.attribute.labels | Direct mapping from the raw log field "targetResources.0.groupType". The key for "read_only_udm.target.group.attribute.labels" is set to "groupType". |
| targetResources.0.id | read_only_udm.target.resource.product_object_id, read_only_udm.target.user.product_object_id, read_only_udm.target.group.product_object_id | If the value of "targetResources.0.type" is "User" or "ServicePrincipal", then the value is mapped to "read_only_udm.target.user.product_object_id". If the value of "targetResources.0.type" is "Group", then the value is mapped to "read_only_udm.target.group.product_object_id". Otherwise, the value is mapped to "read_only_udm.target.resource.product_object_id". |
| targetResources.0.modifiedProperties.displayName | read_only_udm.additional.fields, read_only_udm.target.asset.asset_id, read_only_udm.target.user.title, read_only_udm.target.resource.attribute.roles, read_only_udm.target.user.user_display_name, read_only_udm.target.user.first_name, read_only_udm.target.user.last_name, read_only_udm.target.user.department, read_only_udm.target.user.office_address.name, read_only_udm.target.user.employee_id, read_only_udm.target.user.phone_numbers, read_only_udm.target.user.userid, read_only_udm.target.resource.attribute.labels, read_only_udm.src.resource.attribute.labels | The value is mapped to "read_only_udm.additional.fields" with the key set to "targetResources.modifiedProperties.displayname {index}". If the value is "TargetId.DeviceId", then the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.asset.asset_id" with the prefix "Device ID:". If the value is "DisplayName" or "jobTitle", then the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.user.title". If the value is "WellKnownObjectName", then the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.resource.attribute.roles" with the key set to "name". If the value is "displayName" and "targetResources.0.displayName" is null, then the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.user.user_display_name". If the value is "givenName", then the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.user.first_name". If the value is "surname", then the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.user.last_name". If the value is "department", then the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.user.department". If the value is "physicalDeliveryOfficeName", then the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.user.office_address.name". If the value is "employeeId", then the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.user.employee_id". If the value is "mobile", then the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.user.phone_numbers". If the value is "MailNickname", then the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.user.userid". Otherwise, the value of "targetResources.0.modifiedProperties.newValue" is mapped to "read_only_udm.target.resource.attribute.labels" with the key set to the value of "targetResources.0.modifiedProperties.displayName". The value of "targetResources.0.modifiedProperties.oldValue" is mapped to "read_only_udm.src.resource.attribute.labels" with the key set to the value of "targetResources.0.modifiedProperties.displayName". |
| targetResources.0.modifiedProperties.newValue | read_only_udm.target.asset.asset_id, read_only_udm.target.user.title, read_only_udm.target.resource.attribute.roles, read_only_udm.target.user.user_display_name, read_only_udm.target.user.first_name, read_only_udm.target.user.last_name, read_only_udm.target.user.department, read_only_udm.target.user.office_address.name, read_only_udm.target.user.employee_id, read_only_udm.target.user.phone_numbers, read_only_udm.target.user.userid, read_only_udm.target.resource.attribute.labels, read_only_udm.additional.fields | If the value of "targetResources.0.modifiedProperties.displayName" is "TargetId.DeviceId", then the value is mapped to "read_only_udm.target.asset.asset_id" with the prefix "Device ID:". If the value of "targetResources.0.modifiedProperties.displayName" is "DisplayName" or "jobTitle", then the value is mapped to "read_only_udm.target.user.title". If the value of "targetResources.0.modifiedProperties.displayName" is "WellKnownObjectName", then the value is mapped to "read_only_udm.target.resource.attribute.roles" with the key set to "name". If the value of "targetResources.0.modifiedProperties.displayName" is "displayName" and "targetResources.0.displayName" is null, then the value is mapped to "read_only_udm.target.user.user_display_name". If the value of "targetResources.0.modifiedProperties.displayName" is "givenName", then the value is mapped to "read_only_udm.target.user.first_name". If the value of "targetResources.0.modifiedProperties.displayName" is "surname", then the value is mapped to "read_only_udm.target.user.last_name". If the value of "targetResources.0.modifiedProperties.displayName" is "department", then the value is mapped to "read_only_udm.target.user.department". If the value of "targetResources.0.modifiedProperties.displayName" is "physicalDeliveryOfficeName", then the value is mapped to "read_only_udm.target.user.office_address.name". If the value of "targetResources.0.modifiedProperties.displayName" is "employeeId", then the value is mapped to "read_only_udm.target.user.employee_id". If the value of "targetResources.0.modifiedProperties.displayName" is "mobile", then the value is mapped to "read_only_udm.target.user.phone_numbers". If the value of "targetResources.0.modifiedProperties.displayName" is "MailNickname", then the value is mapped to "read_only_udm.target.user.userid". Otherwise, the value is mapped to "read_only_udm.target.resource.attribute.labels" with the key set to the value of "targetResources.0.modifiedProperties.displayName". The value is also mapped to "read_only_udm.additional.fields" with the key set to "targetResources.modifiedProperties.newValue {index}". |
| targetResources.0.modifiedProperties.oldValue | read_only_udm.src.resource.attribute.labels, read_only_udm.additional.fields | The value is mapped to "read_only_udm.src.resource.attribute.labels" with the key set to the value of "targetResources.0.modifiedProperties.displayName". The value is also mapped to "read_only_udm.additional.fields" with the key set to "targetResources.modifiedProperties.oldValue {index}". |
| targetResources.0.type | read_only_udm.target.resource.resource_subtype, read_only_udm.target.resource.resource_type, read_only_udm.target.user.userid, read_only_udm.target.user.product_object_id, read_only_udm.target.user.user_display_name, read_only_udm.target.group.product_object_id, read_only_udm.target.group.group_display_name | Direct mapping from the raw log field "targetResources.0.type". If the value is "ServicePrincipal", then "read_only_udm.target.resource.resource_type" is set to "SERVICE_ACCOUNT". If the value is "Device", then "read_only_udm.target.resource.resource_type" is set to "DEVICE". Otherwise, "read_only_udm.target.resource.resource_type" is set to "UNSPECIFIED". If the value is "User" or "ServicePrincipal", then the value of "targetResources.0.userPrincipalName" is mapped to "read_only_udm.target.user.userid", the value of "targetResources.0.id" is mapped to "read_only_udm.target.user.product_object_id", and the value of "targetResources.0.displayName" is mapped to "read_only_udm.target.user.user_display_name". If the value is "Group", then the value of "targetResources.0.id" is mapped to "read_only_udm.target.group.product_object_id" and the value of "targetResources.0.displayName" is mapped to "read_only_udm.target.group.group_display_name". |
| targetResources.0.userPrincipalName | read_only_udm.target.user.userid, read_only_udm.target.user.email_addresses | If the value contains "@" then it is parsed as an email address and mapped to "read_only_udm.target.user.email_addresses". Otherwise, it is mapped to "read_only_udm.target.user.userid". |
| targetResources.displayName | read_only_udm.about.resource.name, read_only_udm.about.user.userid, read_only_udm.about.user.user_display_name, read_only_udm.about.group.group_display_name, read_only_udm.about.group.attribute.labels | If the value of "targetResources.type" is "User" or "ServicePrincipal", then the value is mapped to "read_only_udm.about.user.user_display_name" and "read_only_udm.about.user.userid". If the value of "targetResources.type" is "Group", then the value is mapped to "read_only_udm.about.group.group_display_name". The value of "targetResources.groupType" is mapped to "read_only_udm.about.group.attribute.labels" with the key set to "groupType". Otherwise, the value is mapped to "read_only_udm.about.resource.name". |
| targetResources.groupType | read_only_udm.about.group.attribute.labels, read_only_udm.target.user.group_identifiers | Direct mapping from the raw log field "targetResources.groupType". The key for "read_only_udm.about.group.attribute.labels" is set to "groupType". |
| targetResources.id | read_only_udm.about.resource.product_object_id, read_only_udm.about.user.product_object_id, read_only_udm.about.group.product_object_id | If the value of "targetResources.type" is "User" or "ServicePrincipal", then the value is mapped to "read_only_udm.about.user.product_object_id". If the value of "targetResources.type" is "Group", then the value is mapped to "read_only_udm.about.group.product_object_id". Otherwise, the value is mapped to "read_only_udm.about.resource.product_object_id". |
| targetResources.modifiedProperties.displayName | read_only_udm.additional.fields | The value is mapped to "read_only_udm.additional.fields" with the key set to "targetResources.modifiedProperties.displayname {index}". |
| targetResources.modifiedProperties.newValue | read_only_udm.additional.fields | The value is mapped to "read_only_udm.additional.fields" with the key set to "targetResources.modifiedProperties.newValue {index}". |
| targetResources.modifiedProperties.oldValue | read_only_udm.additional.fields | The value is mapped to "read_only_udm.additional.fields" with the key set to "targetResources.modifiedProperties.oldValue {index}". |
| targetResources.type | read_only_udm.about.resource.resource_subtype, read_only_udm.about.resource.resource_type, read_only_udm.about.user.userid, read_only_udm.about.user.product_object_id, read_only_udm.about.user.user_display_name, read_only_udm.about.group.product_object_id, read_only_udm.about.group.group_display_name | Direct mapping from the raw log field "targetResources.type". If the value is "ServicePrincipal", then "read_only_udm.about.resource.resource_type" is set to "SERVICE_ACCOUNT". If the value is "Device", then "read_only_udm.about.resource.resource_type" is set to "DEVICE". Otherwise, "read_only_udm.about.resource.resource_type" is set to "UNSPECIFIED". If the value is "User" or "ServicePrincipal", then the value of "targetResources.userPrincipalName" is mapped to "read_only_udm.about.user.userid", the value of "targetResources.id" is mapped to "read_only_udm.about.user.product_object_id", and the value of "targetResources.displayName" is mapped to "read_only_udm.about.user.user_display_name". If the value is "Group", then the value of "targetResources.id" is mapped to "read_only_udm.about.group.product_object_id" and the value of "targetResources.displayName" is mapped to "read_only_udm.about.group.group_display_name". |
| targetResources.userPrincipalName | read_only_udm.about.user.userid, read_only_udm.about.user.email_addresses | If the value contains "@" then it is parsed as an email address and mapped to "read_only_udm.about.user.email_addresses". Otherwise, it is mapped to "read_only_udm.about.user.userid". |
| tenantId | read_only_udm.additional.fields | Direct mapping from the raw log field "tenantId". The key for "read_only_udm.additional.fields" is set to "tenantId". |
| time | read_only_udm.metadata.event_timestamp | Direct mapping from the raw log field "time". |
| userId | read_only_udm.target.user.product_object_id | Direct mapping from the raw log field "userId". |
| | | The value is set based on the values of other fields, including "activityDisplayName", "principal_userid_present", "target_userid_present", "principal_ip_present", "loggedByService", and "category". The logic for setting the value is complex and depends on the specific combination of values in these fields. |
| | | The value is set to "SSO" if the value of "operationName" is "Sign-in activity". |
| | | The value is set to "Microsoft". |
| | | The value is set to "Azure AD Directory Audit". |
| | | The value is set to "AZURE_AD_AUDIT". |
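To make the rules above concrete, here is an added example that implements a subset of them in Python over a constructed directoryAudit record. It is not the Google Security Operations parser (which this page does not publish): it covers the "@" rule for user principal names, result to security_result.action, targetResources.0 to target and later entries to about, the resource_type derivation from targetResources.type, and the routing of modifiedProperties into typed target.user fields, resource labels and additional.fields. The flat {udm_path: value} output and the running {index} counter used in the additional.fields keys are assumptions made for readability; the table does not define how the index is counted.

```python
"""Worked example of the UDM mapping rules in the table above.

Added example, not the Google Security Operations parser. It applies a subset of
the documented rules to a constructed directoryAudit record and returns a flat
{udm_path: value} dict (the real parser emits the UDM proto). The running {index}
in the modifiedProperties keys is an assumption; the table does not define it.
"""
import json

# Constructed sample record; no real tenant data.
SAMPLE_RECORD = {
    "id": "Directory_00000000-0000-0000-0000-000000000001", "category": "UserManagement",
    "result": "success", "activityDisplayName": "Update user",
    "activityDateTime": "2024-07-30T12:34:56Z", "loggedByService": "Core Directory",
    "initiatedBy": {"user": {"id": "aaaaaaaa-0000-0000-0000-000000000001",
                             "userPrincipalName": "admin@example.com", "ipAddress": "203.0.113.10"}},
    "targetResources": [
        {"id": "bbbbbbbb-0000-0000-0000-000000000002", "type": "User", "displayName": None,
         "userPrincipalName": "alice@example.com",
         "modifiedProperties": [{"displayName": "department", "oldValue": "Sales", "newValue": "Finance"},
                                {"displayName": "AccountEnabled", "oldValue": "true", "newValue": "false"}]},
        {"id": "cccccccc-0000-0000-0000-000000000003", "type": "Group", "displayName": "Finance-Admins",
         "groupType": "Security", "modifiedProperties": []},
    ],
}
# modifiedProperties.displayName values that the table routes to typed target.user.* fields.
NEWVALUE_FIELDS = {"givenName": "target.user.first_name", "surname": "target.user.last_name",
                   "department": "target.user.department", "mobile": "target.user.phone_numbers",
                   "employeeId": "target.user.employee_id", "MailNickname": "target.user.userid"}
RESOURCE_TYPES = {"ServicePrincipal": "SERVICE_ACCOUNT", "Device": "DEVICE"}  # anything else: UNSPECIFIED


def map_upn(value, noun, udm):
    # '@' in the value: <noun>.user.email_addresses, otherwise <noun>.user.userid.
    if "@" in value:
        udm[f"{noun}.user.email_addresses"] = [value]
    else:
        udm[f"{noun}.user.userid"] = value


def map_initiator(initiated_by, udm):
    user = initiated_by.get("user") or {}
    if user.get("userPrincipalName"):
        upn = user["userPrincipalName"]
        map_upn(upn, "principal", udm)
        if "@" in upn:  # domain part of the email goes to administrative_domain
            udm["principal.administrative_domain"] = upn.split("@", 1)[1]
        udm.setdefault("principal.resource.attribute.labels", {})["User Principal Name"] = upn
    if user.get("id"):
        udm["principal.user.product_object_id"] = user["id"]
    if user.get("ipAddress"):
        udm["principal.ip"] = udm["principal.asset.ip"] = [user["ipAddress"]]


def map_target_resource(res, noun, udm, index):
    """noun is 'target' for the first entry and 'about' for later ones; returns the next index."""
    rtype = res.get("type")
    udm[f"{noun}.resource.resource_subtype"] = rtype
    udm[f"{noun}.resource.resource_type"] = RESOURCE_TYPES.get(rtype, "UNSPECIFIED")
    if rtype in ("User", "ServicePrincipal"):
        if res.get("userPrincipalName"):
            map_upn(res["userPrincipalName"], noun, udm)
        udm[f"{noun}.user.product_object_id"] = res.get("id")
        if res.get("displayName"):
            udm[f"{noun}.user.user_display_name"] = res["displayName"]
    elif rtype == "Group":
        udm[f"{noun}.group.product_object_id"] = res.get("id")
        udm[f"{noun}.group.group_display_name"] = res.get("displayName")
        udm.setdefault(f"{noun}.group.attribute.labels", {})["groupType"] = res.get("groupType")
    else:  # Application, Policy, Role, Directory, ... land on the generic resource noun
        udm[f"{noun}.resource.name"] = res.get("displayName")
        udm[f"{noun}.resource.product_object_id"] = res.get("id")
    extra = udm.setdefault("additional.fields", {})
    for prop in res.get("modifiedProperties") or []:
        name, new, old = prop.get("displayName"), prop.get("newValue"), prop.get("oldValue")
        for part, value in (("displayname", name), ("newValue", new), ("oldValue", old)):
            extra[f"targetResources.modifiedProperties.{part} {index}"] = value  # kept even when null
        index += 1
        if noun != "target":
            continue  # only the first targetResource feeds the typed target.* and src.* fields
        if name in NEWVALUE_FIELDS:
            udm[NEWVALUE_FIELDS[name]] = [new] if name == "mobile" else new
        else:
            udm.setdefault("target.resource.attribute.labels", {})[name] = new
        udm.setdefault("src.resource.attribute.labels", {})[name] = old
    return index


def to_udm(rec):
    """Normalize one directoryAudit record into a flat {udm_path: value} dict."""
    udm = {
        "metadata.event_timestamp": rec.get("activityDateTime"),
        "metadata.product_event_type": rec.get("activityDisplayName"),
        "metadata.product_log_id": rec.get("id"),
        "security_result.summary": rec.get("result"),
        "security_result.action": {"success": "ALLOW", "failure": "BLOCK"}.get(rec.get("result")),
        "additional.fields": {"log_category": rec.get("category"), "loggedByService": rec.get("loggedByService")},
    }
    map_initiator(rec.get("initiatedBy") or {}, udm)
    index = 0
    for n, res in enumerate(rec.get("targetResources") or []):
        index = map_target_resource(res, "target" if n == 0 else "about", udm, index)
    return udm


if __name__ == "__main__":
    print(json.dumps(to_udm(SAMPLE_RECORD), indent=2))
```

Running the module prints the flattened UDM for the sample record. The split between target (first targetResource) and about (the rest) is the 2024-05-20 change from the changelog below; the old value of each modified property landing in src.resource.attribute.labels is what lets a detection compare before and after states of an attribute such as AccountEnabled.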

Changes

2024-07-30

  • Mapped "metadata.event_type" to "USER_CHANGE_PERMISSIONS" only when "principal.user.userid" or "target.user.userid" is present.

2024-06-26

  • Mapped delta between "targetResources.modifiedProperties.newValue" and "targetResources.modifiedProperties.oldValue" to "additional.fields".

2024-06-10

  • When "initiatedBy.user.ipAddress" contains an IP address, set "principal_ip_present" to "true".
  • Added a condition so that "metadata.event_type" is set to "USER_DELETION" only when "principal_ip_present" is "true".

2024-06-03

  • Added a JSON block to parse unparsed logs.
  • Added a conditional check for "event_type" "USER_DELETION".

2024-05-20

Bug-Fix:

  • Modified the mapping of the "targetResource".
  • Mapped first iteration of the "targetResource" to "target" and the following iteration of "targetResource" to "about".
  • Changed the key name for the "loggedByService" field from "log_Service" to "loggedByService".
  • Changed mapping of "resourceId" from "target.resource.id" to "additional_fields".
  • When "targetResources.type" = "Application", "Policy", "Role", "Directory", "RoleAssignment", "Request", "Provider", "Other", then mapped "targetResources.displayName" to "noun.resource.name"; "targetResources.id" to "noun.resource.product_object_id"; "noun.resource.resource_type" = "UNSPECIFIED" and "targetResource.type" to "noun.resource.resource_subtype".
  • When "targetResources.type" = "User", then mapped "targetResources.displayName" to "noun.resource.name"; "targetResources.id" to "noun.resource.product_object_id"; "noun.resource.resource_type" = "UNSPECIFIED"; "targetResource.type" to "noun.resource.resource_subtype"; "targetResources.displayName" to "noun.user.user_display_name"; "targetResources.id" to "noun.user.product_object_id"; "targetResources.userPrincipalName" to "noun.user.userid".
  • When "targetResources.type" = "ServicePrincipal", then mapped "targetResources.displayName" to "noun.resource.name", "targetResources.id" to "noun.resource.product_object_id", "noun.resource.resource_type" = "SERVICE_ACCOUNT", "targetResource.type" to "noun.resource.resource_subtype", "targetResources.displayName" to "noun.user.user_display_name", "targetResources.id" to "noun.user.product_object_id" and "targetResources.userPrincipalName" to "noun.user.userid".
  • When "targetResources.type" = "Group", then mapped "targetResources.displayName" to "noun.resource.name", "targetResources.id" to "noun.resource.product_object_id", "noun.resource.resource_type" = "UNSPECIFIED" , "targetResource.type" to "noun.resource.resource_subtype", "targetResources.displayName" to "noun.group.group_display_name", "targetResources.id" to "noun.group.product_object_id", and "groupType" to "noun.group.attribute.labels".
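The following is an added example, not Google Security Operations parser code, that models the two rules just described: the 2024-06-10 gating of "USER_DELETION" on a valid initiator IP, and the 2024-05-20 split of "targetResources" into "target" (first element) and "about" (the rest) with per-type "resource", "user" and "group" nouns. It runs over a constructed Microsoft Graph-format audit record with invented IDs; the fallback to "USER_UNCATEGORIZED" when the IP check fails is an assumption taken from the older "Delete user" entries, and the output dictionary only approximates UDM field names.

```python
import ipaddress
import json

# Constructed sample in Microsoft Graph directoryAudit shape (invented IDs, not a real tenant's log).
SAMPLE_RECORD = json.dumps({
    "activityDisplayName": "Delete user",
    "category": "UserManagement",
    "loggedByService": "Core Directory",
    "initiatedBy": {
        "user": {
            "id": "11111111-1111-1111-1111-111111111111",
            "userPrincipalName": "admin@example.com",
            "ipAddress": "203.0.113.10",
        }
    },
    "targetResources": [
        {"type": "User", "id": "22222222-2222-2222-2222-222222222222",
         "displayName": "Jane Doe", "userPrincipalName": "jane@example.com"},
        {"type": "Group", "id": "33333333-3333-3333-3333-333333333333",
         "displayName": "Finance", "groupType": "Security"},
        {"type": "ServicePrincipal", "id": "44444444-4444-4444-4444-444444444444",
         "displayName": "backup-app", "userPrincipalName": ""},
    ],
})


def is_ip(value):
    """True when value parses as an IPv4/IPv6 address (the ip_address format check)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _put(d, key, value):
    """Set d[key] only for non-empty values so empty strings never reach the output."""
    if value not in (None, ""):
        d[key] = value


def map_target_resource(res):
    """Build the noun (target or about) for one targetResources element.
    Every type gets resource.*; User/ServicePrincipal also get user.*;
    Group also gets group.*; ServicePrincipal is typed SERVICE_ACCOUNT."""
    rtype = res.get("type")
    resource = {"resource_type": "SERVICE_ACCOUNT" if rtype == "ServicePrincipal" else "UNSPECIFIED"}
    _put(resource, "name", res.get("displayName"))
    _put(resource, "product_object_id", res.get("id"))
    _put(resource, "resource_subtype", rtype)
    noun = {"resource": resource}
    if rtype in ("User", "ServicePrincipal"):
        user = {}
        _put(user, "user_display_name", res.get("displayName"))
        _put(user, "product_object_id", res.get("id"))
        _put(user, "userid", res.get("userPrincipalName"))
        noun["user"] = user
    elif rtype == "Group":
        group = {}
        _put(group, "group_display_name", res.get("displayName"))
        _put(group, "product_object_id", res.get("id"))
        if res.get("groupType"):
            group["attribute"] = {"labels": [{"key": "groupType", "value": res["groupType"]}]}
        noun["group"] = group
    return noun


def to_udm(raw_json):
    """Map one Graph-format audit record to an approximate UDM dictionary."""
    rec = json.loads(raw_json)
    udm = {"metadata": {}, "principal": {}, "about": []}
    _put(udm["metadata"], "product_event_type", rec.get("activityDisplayName"))

    # Principal: id -> product_object_id, UPN -> userid, validated IP -> principal.ip.
    initiator = rec.get("initiatedBy", {}).get("user", {})
    principal_user = {}
    _put(principal_user, "product_object_id", initiator.get("id"))
    _put(principal_user, "userid", initiator.get("userPrincipalName"))
    if principal_user:
        udm["principal"]["user"] = principal_user
    principal_ip_present = is_ip(initiator.get("ipAddress", ""))
    if principal_ip_present:
        udm["principal"]["ip"] = [initiator["ipAddress"]]

    # First targetResources element -> target, the rest -> about.
    targets = rec.get("targetResources", [])
    if targets:
        udm["target"] = map_target_resource(targets[0])
        udm["about"] = [map_target_resource(t) for t in targets[1:]]

    # USER_DELETION only when the initiator carries a valid IP; the fallback to
    # USER_UNCATEGORIZED is an assumption based on the earlier "Delete user" entries.
    if rec.get("activityDisplayName") == "Delete user" and principal_ip_present:
        udm["metadata"]["event_type"] = "USER_DELETION"
    else:
        udm["metadata"]["event_type"] = "USER_UNCATEGORIZED"
    return udm


if __name__ == "__main__":
    print(json.dumps(to_udm(SAMPLE_RECORD), indent=2))
```

Run it as-is to see the three target resources land in "target" and "about"; change the sample's "ipAddress" to something that is not an address and the same "Delete user" record falls back to "USER_UNCATEGORIZED", which is the behaviour the 2024-06-10 entry introduces.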

2024-05-17

  • Mapped "initiatedBy.user.id" to "principal.user.product_object_id".
  • Mapped "initiatedBy.user.userPrincipalName" to "principal.user.userid".

2024-03-18

  • Displayed the "targetResources.modifiedProperties.displayname", "targetResources.modifiedProperties.newValue" and "targetResources.modifiedProperties.oldValue" fields even when the value is null.
  • Mapped "callerIpAddress" to "principal.ip".

2024-03-12

Bug-Fix:

  • Synced the Azure Monitor envelope-format log mappings with the Microsoft Graph API-format log mappings.
  • Mapped "target.resource.resource_type" based on "targetResources.type".
  • Mapped "targetResources.type" to "target.resource.type".

2024-03-04

  • Mapped "user_principal_name" from "initiatedBy.user.userPrincipalName" to "principal.resource.attribute.labels".
  • Mapped "domain" from "initiatedBy.user.userPrincipalName" to "principal.administrative_domain".
  • Mapped "loggedByService" and "properties.loggedByService" to "additional.fields".
  • Changed mapping of "initiatedBy.user.id" from "principal.user.product_object_id" to "principal.user.userid".
  • Mapped "tgt_user_principal_name" from "target.userPrincipalName" to "target.resource.attribute.labels".
  • Mapped "domain" from "target.userPrincipalName" to "target.administrative_domain".
  • Mapped "category" to "additional.fields".
  • When "additionalDetails[n].key" is "AppId", then mapped "additionalDetails[n].value" to "target.process.pid".
  • When "additionalDetails[n].key" is "User-Agent", then mapped "additionalDetails[n].value" to "network.http.user_agent" and "network.http.parsed_user_agent".
  • Mapped "metadata.event_type" based on "loggedByService", "category" and "activityDisplayName".
  • Mapped "targetResources.modifiedProperties.displayname", "targetResources.modifiedProperties.newValue" and "targetResources.modifiedProperties.oldValue" to "additional.fields".

2024-02-21

  • Added conditional check if "principal.user.userid" is present before setting "metadata.event_type" to "USER_CREATION".
  • Changed mapping of "initiatedBy.user.id" from "principal.user.userid" to "principal.user.product_object_id".
  • Changed mapping of "initiatedBy.app.servicePrincipalId" from "principal.user.userid" to "principal.user.product_object_id".
  • Changed mapping of "initiatedBy.app.servicePrincipalName" from "principal.user.user_display_name" to "principal.user.userid".
  • Changed mapping of "properties.initiatedBy.user.id" from "principal.user.userid" to "principal.user.product_object_id".
  • Changed mapping of "properties.initiatedBy.app.servicePrincipalId" from "principal.user.userid" to "principal.user.product_object_id".
  • Changed mapping of "properties.initiatedBy.app.servicePrincipalName" from "principal.user.user_display_name" to "principal.user.userid".
  • If the "targetResourceType" value matches "User" or "ServicePrincipal", changed the mapping of "target.id" from "target.user.userid" to "target.user.product_object_id".
  • If the "targetResourceType" value matches "User" or "ServicePrincipal", mapped "target.userPrincipalName" to "target.user.userid".
  • If the "targetResourceType" value matches "User" or "ServicePrincipal", mapped "target.displayName" to "target.user.user_display_name".

2024-02-12

  • Added conditional check for "modifiedProperty.displayName", "modifiedProperty.newValue", and "modifiedProperty.oldValue".
  • When "targetResource.type" is "User" or "ServicePrincipal", mapped "targetResource.id" to "target.user.userid".

2024-01-08

Bug-Fix:

  • Added a Grok pattern to validate email values before mapping them to "principal.user.email_addresses" and "target.user.email_addresses".

2023-12-19

  • Mapped "targetResource.modifiedProperties.newValue", "targetResource.modifiedProperties.oldValue", and "targetResource.modifiedProperties.displayName" to "additional.fields".

2023-11-23

  • Mapped the "targetResources.0.modifiedProperties.newValue/oldValue" fields to "event.idm.read_only_udm.additional.fields".
  • Added an IP address format check on "initiatedBy.user.ipAddress" before mapping it to UDM.

2023-10-16

  • Modified the following mappings:
  • Changed 'metadata.event_type' from 'USER_UNCATEGORIZED' to 'USER_RESOURCE_ACCESS' where 'target.type' is not 'user'.
  • Changed the mapping of 'target.id' from 'principal.user.userid' to 'principal.user.group_or_identifiers' where 'target.type' is not 'user'.
  • Mapped the field that was mapped to 'target.resource.id' to 'target.resource.product_object_id' as well, because 'target.resource.id' is deprecated.

2023-08-03

  • Modified the following mappings:
  • Changed 'metadata.event_type' from 'USER_UNCATEGORIZED' to 'USER_CREATION' where 'activityDisplayName' is 'Add user'.
  • Changed the mapping of 'activityDisplayName' from 'metadata.description' to 'metadata.product_event_type'.
  • Mapped the appropriate 'metadata.event_type' where 'activityDisplayName' is 'Add member to group' or 'Add owner to group'.
  • Mapped all fields under 'targetResources' to the UDM 'target.user.*' fields.
  • Mapped 'target.user.userid' from the correct 'id' under 'targetResources'.
  • Where 'activityDisplayName' is 'Add member to role outside of PIM (permanent)', mapped the 'target.user.*' fields when the resource type is 'User'.
  • Where 'activityDisplayName' is 'Add Member to Role', mapped 'Role.WellKnownObjectName' to 'target.resource.attribute.roles.name'.

2023-07-24

  • Mapped "targetresources.modifiedproperties.newvalue" to "target.user.title" when the "targetresources.modifiedproperties.displayname" value contains "role.displayname".

2023-05-25

  • Bug-fix: Changed mapping from "target.resource.attribute.labels.value" to "target.user.userid" when "targetResources.modifiedProperties.displayName" equals "mailNickname".

2023-05-05

  • Modified the following mappings:
  • Changed mapping from "target.resource.attribute.labels.value" to "target.user.product_object_id" when "targetResources.modifiedProperties.displayName" equals "objectId".
  • Changed mapping from "target.resource.attribute.labels.value" to "target.user.user_display_name" when "targetResources.modifiedProperties.displayName" equals "displayName".
  • Changed mapping from "target.resource.attribute.labels.value" to "target.user.first_name" when "targetResources.modifiedProperties.displayName" equals "givenName".
  • Changed mapping from "target.resource.attribute.labels.value" to "target.user.title" when "targetResources.modifiedProperties.displayName" equals "jobTitle".
  • Changed mapping from "target.resource.attribute.labels.value" to "target.user.email_addresses" when "targetResources.modifiedProperties.displayName" equals "mail".
  • Changed mapping from "target.resource.attribute.labels.value" to "target.user.last_name" when "targetResources.modifiedProperties.displayName" equals "surname".
  • Changed mapping from "target.resource.attribute.labels.value" to "target.user.department" when "targetResources.modifiedProperties.displayName" equals "department".
  • Changed mapping from "target.resource.attribute.labels.value" to "target.user.office_address.name" when "targetResources.modifiedProperties.displayName" equals "physicalDeliveryOfficeName".
  • Changed mapping from "target.resource.attribute.labels.value" to "target.user.employee_id" when "targetResources.modifiedProperties.displayName" equals "employeeId".
  • Changed mapping from "target.resource.attribute.labels.value" to "target.user.phone_numbers" when "targetResources.modifiedProperties.displayName" equals "mobile".

2023-04-18

  • "initiatedBy.user.userPrincipalName" mapped to "principal.user.user_display_name" or "principal.user.userid" or "principal.user.email_addresses".
  • "targetResources.type" mapped to "target.resource.attribute.labels".

2023-04-12

Enhancement -

  • Mapped "initiatedBy.user.userPrincipalName" to "principal.user.email_addresses" and "event_type" to "USER_UNCATEGORIZED" when "initiatedBy.user.userPrincipalName" is not null.
  • If "targetResources.modifiedProperties.displayName" is "userPrincipalName", then mapped it to "principal.user.email_addresses".
  • Mapped "event_type" to "USER_UNCATEGORIZED" when "activityDisplayName" is in ["Issue an id_token to the application", "Set Company Information"].

2023-02-20

Bug-Fix -

  • Mapped multiple IP addresses coming under key "additionalDetails.ClientIpAddress" to "principal.ip".
  • Mapped metadata.event_type as "USER_UNCATEGORIZED" when "activityDisplayName" equals "Delete user" and "initiatedBy.user.userPrincipalName" field is not present.

2023-02-02

  • Enhancement - Mapped the following when "activityDisplayName" equals "Delete user":
  • Mapped "event_type" to "USER_DELETION".
  • Mapped "initiatedBy.user.userPrincipalName" to "principal.user.userid".

2022-11-24

Enhancement -

  • Mapped "modifiedProperties.newValue" to "target.resource.attribute.labels".
  • Mapped "modifiedProperties.oldValue" to "src.resource.attribute.labels".

2022-11-07

Enhancement -

  • Mapped "target.modifiedProperties.TargetId.DeviceId" to "event.idm.read_only_udm.target.asset.asset_id".

2022-09-16

Enhancement -

  • Mapped "properties.initiatedBy.user.ipAddress" to "principal.ip".
  • Mapped "properties.initiatedBy.user.userPrincipalName" to "principal.user.userid".
  • Mapped "properties.resultReason" to "security_result.description".
  • Mapped "identity" to "target.user.userid".
  • Mapped "operationName" to "metadata.product_event_type".
  • Mapped "metadata.event_type" to "USER_UNCATEGORIZED" where "properties.activityDisplayName" is "Get resource properties of a tenant".
  • Mapped "category" and "properties.category" to "security_result.category_details".
  • Mapped "resultDescription" to "metadata.description".
  • Mapped "resultType" to "security_result.rule_id".

2022-06-20

  • Enhancement - Enhanced the parser to parse logs with category 'AuditLogs' and 'SignInLogs' by adding the following mappings:
  • Mapped the field 'properties.id' to 'metadata.product_log_id'.
  • Mapped the field 'properties.loggedByService' to 'target.application'.
  • Mapped the field 'Level' to 'security_result.severity' and 'security_result.severity_details'.
  • Mapped the field 'properties.result' to 'security_result.summary' and 'security_result.action'.
  • Mapped the field 'properties.operationType' to 'security_result.action_details'.
  • Mapped the field 'properties.activityDisplayName' to 'metadata.description'.
  • Mapped the field 'properties.category' to 'metadata.product_event_type'.
  • Mapped the field 'properties.resultReason' to 'security_result.description'.
  • Mapped the field 'properties.initiatedBy.app.displayName' to 'principal.application'.
  • Mapped the field 'properties.ipAddress' to 'principal.ip'.
  • Mapped the field 'properties.initiatedBy.app.servicePrincipalId' to 'principal.user.userid'.
  • Mapped the field 'properties.initiatedBy.app.servicePrincipalName' to 'principal.user.user_display_name'.
  • Mapped the field 'properties.appId' and 'properties.initiatedBy.app.appId' to 'principal.resource.attribute.labels'.
  • Mapped the field 'properties.location.city' to 'principal.location.city'.
  • Mapped the field 'properties.location.state' to 'principal.location.state'.
  • Mapped the field 'properties.location.countryOrRegion' to 'principal.location.country_or_region'.
  • Mapped the field 'properties.location.geoCoordinates.latitude' to 'principal.location.region_latitude'.
  • Mapped the field 'properties.location.geoCoordinates.longitude' to 'principal.location.region_longitude'.
  • Mapped the fields 'properties.targetResources.modifiedProperties' to 'target.user.attribute.labels'.
  • Mapped the field 'targetResources.displayName' to 'target.user.user_display_name'.
  • Mapped the field 'targetResources.id' to 'target.user.userid'.
  • Mapped the fields 'properties.additionalDetails', 'properties.riskDetail', 'properties.riskEventTypes', 'properties.riskEventTypes_v2', 'properties.riskLevelAggregated', 'properties.riskLevelDuringSignIn', 'properties.riskState', 'properties.conditionalAccessStatus', 'tenantId' to 'additional.fields'.
  • Mapped the field 'operationVersion' to 'metadata.product_version'.
  • Mapped the field 'properties.appliedConditionalAccessPolicies.displayName' to 'about.user.user_display_name'.
  • Mapped the field 'properties.appliedConditionalAccessPolicies.id' to 'about.user.userid'.
  • Mapped the field 'properties.appliedConditionalAccessPolicies.result' to 'about.labels'.