This guide explains how to export Azure VPN logs to Google Security Operations using an Azure Storage Account. The parser extracts fields from JSON-formatted Azure VPN logs and then uses Grok patterns to extract further details from the properties.message field. Finally, it maps the extracted information to the standardized fields of the Unified Data Model (UDM).
Before you begin
Ensure you have the following prerequisites:
Google SecOps instance
An active Azure tenant
Privileged access to Azure
Configure Azure Storage Account
In the Azure console, search for Storage accounts.
Click + Create.
Specify values for the following input parameters:
Subscription: Select the subscription.
Resource Group: Select the resource group.
Region: Select the region.
Performance: Select the performance (Standard recommended).
Redundancy: Select the redundancy (GRS or LRS recommended).
Storage account name: Enter a name for the new storage account.
Click Review + create.
Review the overview of the account and click Create.
From the Storage Account Overview page, select the Access keys submenu in Security + networking.
Click Show next to key1 or key2.
Click Copy to clipboard to copy the key.
Save the key in a secure location for later use.
From the Storage Account Overview page, select the Endpoints submenu in Settings.
Click Copy to clipboard to copy the Blob service endpoint URL; for example, https://<storageaccountname>.blob.core.windows.net.
Save the endpoint URL in a secure location for later use.
How to configure Log Export for Azure VPN Gateway Logs
Sign in to the Azure Portal using your privileged account.
Select the Subscription being monitored.
In the resource list of that subscription, locate the VPN gateway (this should typically be of the Resource Type, Virtual Network Gateway).
Click the Gateway.
Select Monitoring > Diagnostic Services.
Click + Add diagnostic setting.
Enter a descriptive name for the diagnostic setting.
Select allLogs.
Select the Archive to a storage account checkbox as the destination.
Specify the Subscription and Storage Account.
Click Save.
Set up feeds
There are two different entry points to set up feeds in the
Google SecOps platform:
SIEM Settings > Feeds > Add New
Content Hub > Content Packs > Get Started
How to set up the Azure VPN feed
Click the Azure Platform pack.
Locate the Azure VPN log type and click Add new feed.
Specify values for the following fields:
Source Type: Microsoft Azure Blob Storage V2.
Azure URI: The blob endpoint URL.
ENDPOINT_URL/BLOB_NAME
Replace the following:
ENDPOINT_URL: The blob endpoint URL (https://<storageaccountname>.blob.core.windows.net)
BLOB_NAME: The name of the blob (such as, <logname>-logs)
Source deletion options: Select the deletion option according to your ingestion preferences.
Maximum File Age: Includes files modified in the last number of days.
Default is 180 days.
Shared key: The access key to the Azure Blob Storage.
Advanced options
Feed Name: A prepopulated value that identifies the feed.
Ingestion Labels: Labels applied to all events from this feed.
Click Create feed.
For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.
UDM Mapping Table
Log Field
UDM Mapping
Logic
category
security_result.category_details
Directly mapped from the category field in the raw log.
IV_PLAT
security_result.detection_fields.value
Directly mapped from the IV_PLAT field in the raw log. Part of a key-value pair within the detection_fields array, where the key is IV_PLAT.
IV_PLAT_VER
security_result.detection_fields.value
Directly mapped from the IV_PLAT_VER field in the raw log. Part of a key-value pair within the detection_fields array, where the key is IV_PLAT_VER.
IV_PROTO
security_result.detection_fields.value
Directly mapped from the IV_PROTO field in the raw log. Part of a key-value pair within the detection_fields array, where the key is IV_PROTO.
IV_VER
security_result.detection_fields.value
Directly mapped from the IV_VER field in the raw log. Part of a key-value pair within the detection_fields array, where the key is IV_VER.
level
security_result.severity
Mapped from the level field in the raw log. If level is Informational, the severity is set to INFORMATIONAL.
local_ip
target.ip
Extracted from the properties.message field using grok patterns and mapped to the target IP address.
local_port
target.port
Extracted from the properties.message field using grok patterns and mapped to the target port number. Converted to integer type.
operationName
metadata.product_event_type
Directly mapped from the operationName field in the raw log.
properties.message
metadata.description
Extracted from the properties.message field using grok patterns. Depending on the message format, the description might include additional details extracted from desc2 field.
remote_ip
principal.ip
Extracted from the properties.message field using grok patterns and mapped to the principal IP address.
remote_port
principal.port
Extracted from the properties.message field using grok patterns and mapped to the principal port number. Converted to integer type.
resourceid
target.resource.product_object_id
Directly mapped from the resourceid field in the raw log.
time
timestamp, metadata.event_timestamp
Parsed from the time field in the raw log using the RFC 3339 format and mapped to both the event timestamp and the UDM timestamp.
metadata.log_type
Hardcoded to AZURE_VPN.
metadata.vendor_name
Hardcoded to AZURE.
metadata.product_name
Hardcoded to VPN.
metadata.event_type
Dynamically set based on the presence of IP addresses. If both remote_ip and local_ip are present, it's set to NETWORK_CONNECTION, otherwise USER_RESOURCE_ACCESS.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis guide explains the process of exporting Azure VPN logs to Google Security Operations using an Azure Storage Account.\u003c/p\u003e\n"],["\u003cp\u003eAzure VPN logs are parsed to extract fields from JSON format, with further detail extraction from the \u003cstrong\u003eproperties.message\u003c/strong\u003e field using Grok patterns.\u003c/p\u003e\n"],["\u003cp\u003eThe extracted Azure VPN log information is mapped to standardized fields in the Unified Data Model (UDM) for analysis within Google SecOps.\u003c/p\u003e\n"],["\u003cp\u003eConfiguration steps include setting up an Azure Storage Account, enabling log export for Azure VPN Gateway logs, and configuring a feed in Google SecOps.\u003c/p\u003e\n"],["\u003cp\u003eThe UDM Mapping Table describes how specific log fields from Azure VPN logs are translated into UDM fields, including dynamic settings based on the presence of IP addresses for the \u003ccode\u003emetadata.event_type\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["# Collect Azure VPN logs\n======================\n\nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\nThis guide explains how to export Azure VPN logs to Google Security Operations using an Azure Storage Account. The parser extracts fields from JSON-formatted Azure VPN logs and then uses Grok patterns to extract further details from the **properties.message** field. Finally, it maps the extracted information to the standardized fields of the Unified Data Model (UDM).\n\nBefore you begin\n----------------\n\nEnsure you have the following prerequisites:\n\n- Google SecOps instance\n- An active Azure tenant\n- Privileged access to Azure\n\nConfigure Azure Storage Account\n-------------------------------\n\n1. In the Azure console, search for **Storage accounts**.\n2. Click **+ Create**.\n3. Specify values for the following input parameters:\n - **Subscription**: Select the subscription.\n - **Resource Group**: Select the resource group.\n - **Region**: Select the region.\n - **Performance**: Select the performance (Standard recommended).\n - **Redundancy**: Select the redundancy (GRS or LRS recommended).\n - **Storage account name**: Enter a name for the new storage account.\n4. Click **Review + create**.\n5. Review the overview of the account and click **Create**.\n6. From the **Storage Account Overview** page, select the **Access keys** submenu in **Security + networking**.\n7. Click **Show** next to **key1** or **key2**.\n8. Click **Copy to clipboard** to copy the key.\n9. Save the key in a secure location for later use.\n10. From the **Storage Account Overview** page, select the **Endpoints** submenu in **Settings**.\n11. Click **Copy to clipboard** to copy the **Blob service** endpoint URL; for example, `https://\u003cstorageaccountname\u003e.blob.core.windows.net`.\n12. Save the endpoint URL in a secure location for later use.\n\nHow to configure Log Export for Azure VPN Gateway Logs\n------------------------------------------------------\n\n1. Sign in to the **Azure Portal** using your privileged account.\n2. Select the **Subscription** being monitored.\n3. In the resource list of that subscription, locate the VPN gateway (this should typically be of the Resource Type, Virtual Network Gateway).\n4. Click the Gateway.\n5. Select **Monitoring \\\u003e Diagnostic Services**.\n6. Click **+ Add diagnostic setting** .\n - Enter a descriptive name for the diagnostic setting.\n7. Select **allLogs**.\n8. Select the **Archive to a storage account** checkbox as the destination.\n - Specify the **Subscription** and **Storage Account**.\n9. Click **Save**.\n\nSet up feeds\n------------\n\nThere are two different entry points to set up feeds in the\nGoogle SecOps platform:\n\n- **SIEM Settings \\\u003e Feeds \\\u003e Add New**\n- **Content Hub \\\u003e Content Packs \\\u003e Get Started**\n\nHow to set up the Azure VPN feed\n--------------------------------\n\n1. Click the **Azure Platform** pack.\n2. Locate the **Azure VPN** log type and click **Add new feed**.\n3. Specify values for the following fields:\n\n - **Source Type**: Microsoft Azure Blob Storage V2.\n - **Azure URI** : The blob endpoint URL.\n - `ENDPOINT_URL/BLOB_NAME`\n - Replace the following:\n - `ENDPOINT_URL`: The blob endpoint URL (`https://\u003cstorageaccountname\u003e.blob.core.windows.net`)\n - `BLOB_NAME`: The name of the blob (such as, `\u003clogname\u003e-logs`)\n - **Source deletion options**: Select the deletion option according to your ingestion preferences.\n\n | **Note:** If you select the `Delete transferred files` or `Delete transferred files and empty directories` option, make sure that you granted appropriate permissions to the service account.\n - **Maximum File Age**: Includes files modified in the last number of days.\n Default is 180 days.\n\n - **Shared key**: The access key to the Azure Blob Storage.\n\n **Advanced options**\n - **Feed Name**: A prepopulated value that identifies the feed.\n - **Asset Namespace** : [Namespace associated with the feed](/chronicle/docs/investigation/asset-namespaces).\n - **Ingestion Labels**: Labels applied to all events from this feed.\n4. Click **Create feed**.\n\n| **Note:** The Content Hub is not available on the SIEM standalone platform. To upgrade, contact your Google SecOps representative.\n\nFor more information about configuring multiple feeds for different log types within this product family, see [Configure feeds by product](/chronicle/docs/ingestion/ingestion-entities/configure-multiple-feeds).\n\nUDM Mapping Table\n-----------------\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
