Collect Microsoft Entra ID sign-in logs | Google Security Operations

Supported in:

Google secops SIEM

This document explains how to collect Microsoft Entra ID (formerly Azure Active Directory) sign-in logs by setting up a Google Security Operations feed. You can configure ingestion using two methods: Azure Event Hub (recommended) or the Third Party API.

Before you begin

Ensure that you have the following prerequisites:

A Google SecOps instance
Privileged access to Microsoft Azure portal
Security Administratoror Global Administratorrole in Microsoft Entra ID (required for diagnostic settings)
For the Third Party API method, one of the following roles for granting admin consent:
- Global Administrator- can grant consent for any permission, for any API
- Privileged Role Administrator- can grant consent for any permission, for any API
- Cloud Application Administrator- can grant consent for any permission for any API, except Microsoft Graph app roles (application permissions)

Method 1: Azure Event Hub (recommended)

This method streams Entra ID sign-in logs through Azure Event Hub with Capture enabled, which writes the data to Azure Blob Storage. Google SecOps then ingests the logs from Blob Storage using the Azure Blob Storage V2 feed type.

Configure Azure Storage Account

Create Storage Account

In the Azure portal, search for Storage accounts.
Click + Create.

Provide the following configuration details:

Setting	Value
Subscription	Select your Azure subscription
Resource group	Select existing or create new
Storage account name	Enter a unique name (for example, `secopsaadsignin` )
Region	Select the region closest to your Event Hub namespace
Performance	Standard (recommended)
Redundancy	LRS (Locally redundant storage) or GRS (Geo-redundant storage)

Click Review + create.
Review the overview and click Create.
Wait for the deployment to complete.

Get Storage Account credentials

Go to the Storage Accountyou created.
In the left navigation, select Access keysunder Security + networking.
Click Show keys.
Copy and save the following:
- Storage account name
- Key 1or Key 2: The shared access key.

Create Event Hub namespace and Event Hub

Create Event Hub namespace

In the Azure portal, search for Event Hubs.
Click + Create.

Provide the following configuration details:

Setting	Value
Subscription	Select your Azure subscription
Resource group	Select the same resource group as your storage account
Namespace name	Enter a unique name (for example, `secops-entraid-signin` )
Location	Select the same region as your storage account
Pricing tier	Standard (required for Event Hub Capture)

Click Review + create, then click Create.
Wait for the deployment to complete.

Create Event Hub

Go to the Event Hub namespace you created.
Click + Event Hubat the top.
Provide the following configuration details:
- Name: Enter a name (for example, entraid-signin-logs ).
- Partition count: 2 (default, increase for higher throughput).
- Cleanup policy: Delete.
- Retention time (hrs): 24 (minimum, increase if needed for resilience).
Click Review + create, then click Create.

Enable Event Hub Capture

Go to the Event Hub you created (inside the namespace).
In the left navigation, select Capture.
Set Captureto On.

Provide the following configuration details:

Setting	Value
Time window (minutes)	5 (or lower for near-real-time)
Size window (MB)	300
Capture Provider	Azure Blob Storage
Azure Subscription	Select your subscription
Storage Account	Select the storage account you created
Blob Container	Create or select a container (for example, `entraid-signin-capture` )

Click Save.

Note: Event Hub Capture writes files in Apache Avro format to the blob container. Google SecOps can parse Avro-formatted Entra ID logs.

Configure Entra ID diagnostic settings

In the Azure portal, search for Microsoft Entra ID.
In the left navigation, go to Monitoring & health > Diagnostic settings.
Click Add diagnostic setting.
Provide the following configuration details:
- Diagnostic setting name: Enter a descriptive name (for example, signin-logs-to-eventhub ).
- In the Logssection, select the sign-in log categories you want to export:
  - SignInLogs- Interactive user sign-ins.
  - NonInteractiveUserSignInLogs- Non-interactive user sign-ins (optional, recommended).
  - ServicePrincipalSignInLogs- Service principal sign-ins (optional).
  - ManagedIdentitySignInLogs- Managed identity sign-ins (optional).
- In the Destination detailssection, select Stream to an event hub.
- Subscription: Select the subscription containing your Event Hub namespace.
- Event hub namespace: Select the namespace you created (for example, secops-entraid-signin ).
- Event hub name: Select the Event Hub you created (for example, entraid-signin-logs ).
- Event hub policy name: Select RootManageSharedAccessKey.
Click Save.

Note: It may take up to 15 minutes for sign-in logs to start flowing through the Event Hub.

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

SIEM Settings > Feeds > Add New Feed
Content Hub > Content Packs > Get Started

Configure a feed in Google SecOps to ingest Entra ID sign-in logs

Click the Azure Platformpack.
Locate the Azure ADlog type.
Specify values for the following fields:
- Source Type: Microsoft Azure Blob Storage V2
- Azure URI: Enter the Blob Service endpoint URL with the capture container path:
```
 https://<storage-account>.blob.core.windows.net/entraid-signin-capture/ 
```
  Replace <storage-account> with your Azure storage account name.
  
  Note: Include the trailing slash (/) at the end of the URI.
- Source deletion option: Select the deletion option according to your preference:
  - Never: Never deletes any files after transfers.
  - Delete transferred files: Deletes files after successful transfer.
  - Delete transferred files and empty directories: Deletes files and empty directories after successful transfer.
- Maximum File Age: Include files modified in the last number of days. Default is 180 days.
- Shared key: Enter the shared access key value from the Storage Account.
- Asset namespace: The asset namespace .
- Ingestion labels: The label to be applied to the events from this feed.
Click Create feed.

After creating the feed, it may take 5-10 minutes before logs start appearing in Google SecOps.

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product .

Configure Azure Storage firewall (if enabled)

If your Azure Storage Account uses a firewall, you must add Google SecOps IP ranges.

In the Azure portal, go to your Storage Account.
Select Networkingunder Security + networking.
Under Firewalls and virtual networks, select Enabled from selected virtual networks and IP addresses.
In the Firewallsection, under Address range, click + Add IP range.
Add each Google SecOps IP range in CIDR notation.
- See IP Allowlisting documentation .
- Or retrieve them programmatically using the Feed Management API .
Click Save.

Method 2: Third Party API

This method uses the Microsoft Graph API to retrieve Entra ID sign-in logs directly from your Microsoft tenant.

Configure IP allowlisting

Before creating the feed, you must allowlist Google SecOps IP ranges in your Microsoft Azure network settings or Conditional Access policies.

Get Google SecOps IP ranges

Go to SIEM Settings > Feeds.
Click Add New Feed.
Note the IP ranges displayed in the feed creation interface.
Alternatively, retrieve IP ranges programmatically using the Feed Management API .

Configure Conditional Access for workload identities (if required)

If your organization uses Conditional Access policies that restrict access by location:

In the Microsoft Entra admin center, go to Protection > Conditional Access > Named locations.
Click + New location.
Provide the following configuration details:
- Name: Enter Google SecOps IP Ranges .
- Mark as trusted location: Optional, based on your security policy.
- IP ranges: Add each Google SecOps IP range in CIDR notation.
Click Create.
Go to Conditional Access > Policies.
For any policies that apply to workload identities, configure an exclusion for the Google SecOps IP Ranges named location or the specific service principal.

Configure Microsoft Azure AD API access

Create app registration

Sign in to the Microsoft Entra admin center or Azure portal .
Go to Identity > Applications > App registrations.
Click New registration.
Provide the following configuration details:
- Name: Enter a descriptive name (for example, Google SecOps Sign-In Logs Integration ).
- Supported account types: Select Accounts in this organizational directory only (Single tenant).
Note: Single tenant is the correct choice for third-party API integrations. Google SecOps will access sign-in logs from YOUR specific Azure AD tenant only. Choose multi-tenant only if you intentionally need to access logs from multiple tenants in a managed service provider scenario.
- Redirect URI: Leave blank (not required for service principal authentication).
Click Register.
After registration, copy and save the following values:
- Application (client) ID
- Directory (tenant) ID

Configure API permissions

The integration requires the following Microsoft Graph application permissions:

In the app registration, go to API permissions.
Click Add a permission.
Select Microsoft Graph > Application permissions.
Select the following permissions:
- AuditLog.Read.All- Required to read sign-in logs.
- Directory.Read.All- Required by Microsoft Graph API for sign-in log access (known issue).
- SecurityEvents.Read.All- Required by Google Security Operations.
Click Add permissions.
Click Grant admin consent for [Your Organization].
Verify that the Statuscolumn shows Granted for [Your Organization]for all three permissions.

Permission	Type	Description
AuditLog.Read.All	Application	Read all sign-in and audit log data
Directory.Read.All	Application	Read directory data (required for API access)
SecurityEvents.Read.All	Application	Read security events

Create client secret

Go to Certificates & secrets.
Click New client secret.
Provide the following configuration details:
- Description: Enter a descriptive name (for example, Google SecOps Feed ).
- Expires: Select an expiration period.
Note: Microsoft recommends setting an expiration value of less than 12 months. The maximum allowed is 24 months. For enhanced security, consider using certificate credentialsor federated identity credentialsinstead of client secrets. See Migrate applications from secret-based authentication .
Click Add.
Important: Copy the client secret Valueimmediately. This value is displayed only once and cannot be retrieved later.

Verify API access before creating feed

Before creating the Google SecOps feed, verify that the service principal can successfully authenticate and access the Microsoft Graph API.

Test authentication using PowerShell

  # Replace with your actual values 
 $tenantId 
 = 
 "your-tenant-id" 
 $clientId 
 = 
 "your-client-id" 
 $clientSecret 
 = 
 "your-client-secret" 
 # Token request parameters (must be lowercase) 
 $tokenBody 
 = 
 @{ 
 grant_type 
 = 
 "client_credentials" 
 client_id 
 = 
 $clientId 
 client_secret 
 = 
 $clientSecret 
 scope 
 = 
 "https://graph.microsoft.com/.default" 
 } 
 # Request access token 
 $tokenEndpoint 
 = 
 "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" 
 $tokenResponse 
 = 
 Invoke-RestMethod 
 -Method 
 Post 
 -Uri 
 $tokenEndpoint 
 -Body 
 $tokenBody 
 -ContentType 
 "application/x-www-form-urlencoded" 
 if 
 ( 
 $tokenResponse 
 . 
 access_token 
 ) 
 { 
 Write-Host 
 "✓ Successfully obtained access token" 
 -ForegroundColor 
 Green 
 # Test API call to sign-ins endpoint 
 $apiUrl 
 = 
 "https://graph.microsoft.com/v1.0/auditLogs/signIns? 
 `$ 
 top=1" 
 $headers 
 = 
 @{ 
 Authorization 
 = 
 "Bearer 
 $( 
 $tokenResponse 
 . 
 access_token 
 ) 
 " 
 } 
 try 
 { 
 $signInResponse 
 = 
 Invoke-RestMethod 
 -Method 
 Get 
 -Uri 
 $apiUrl 
 -Headers 
 $headers 
 Write-Host 
 "✓ Successfully accessed sign-ins API" 
 -ForegroundColor 
 Green 
 Write-Host 
 "Sample sign-in log retrieved successfully" 
 -ForegroundColor 
 Green 
 } 
 catch 
 { 
 Write-Host 
 "✗ Failed to access sign-ins API" 
 -ForegroundColor 
 Red 
 Write-Host 
 "Error: 
 $( 
 $_ 
 . 
 Exception 
 . 
 Message 
 ) 
 " 
 -ForegroundColor 
 Red 
 } 
 } 
 else 
 { 
 Write-Host 
 "✗ Failed to obtain access token" 
 -ForegroundColor 
 Red 
 }

Expected output:

 ✓ Successfully obtained access token
✓ Successfully accessed sign-ins API
Sample sign-in log retrieved successfully

Test authentication using curl

  # Replace with your actual values 
 TENANT_ID 
 = 
 "your-tenant-id" 
 CLIENT_ID 
 = 
 "your-client-id" 
 CLIENT_SECRET 
 = 
 "your-client-secret" 
 # Request access token 
curl  
-X  
POST  
 "https://login.microsoftonline.com/ 
 $TENANT_ID 
 /oauth2/v2.0/token" 
  
 \ 
-H  
 "Content-Type: application/x-www-form-urlencoded" 
  
 \ 
-d  
 "grant_type=client_credentials" 
  
 \ 
-d  
 "client_id= 
 $CLIENT_ID 
 " 
  
 \ 
-d  
 "client_secret= 
 $CLIENT_SECRET 
 " 
  
 \ 
-d  
 "scope=https://graph.microsoft.com/.default" 
 # Test API access 
curl  
-H  
 "Authorization: Bearer YOUR_ACCESS_TOKEN" 
  
 \ 
 "https://graph.microsoft.com/v1.0/auditLogs/signIns?\$top=1"

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

SIEM Settings > Feeds > Add New Feed
Content Hub > Content Packs > Get Started

Configure a feed in Google SecOps to ingest Microsoft Azure AD sign-in logs

Click the Azure Platformpack.
Locate the Azure ADlog type.
Specify values for the following fields:
- Source Type: Third party API (recommended)
- OAuth client ID: The Application (client) ID from the app registration.
- OAuth client secret: The client secret value you copied earlier.
- Tenant ID: Your Microsoft tenant ID from the app registration (UUID format, for example, 0fc279f9-fe30-41be-97d3-abe1d7681418 ).
- API Full Path: Microsoft Graph REST API endpoint URL:
```
 graph.microsoft.com/v1.0/auditLogs/signIns 
```
  Note: Do NOT include https:// prefix. The feed will add the protocol automatically.
- API Authentication Endpoint: Microsoft Active Directory Authentication Endpoint:
```
 login.microsoftonline.com 
```
  Note: Do NOT include https:// prefix or the /oauth2/v2.0/token path. The feed will construct the full authentication URL automatically using your Tenant ID.
Advanced Options:
- Feed Name: A prepopulated value that identifies the feed.
- Asset namespace: The asset namespace that the feed will be associated with.
- Ingestion Labels: Labels will be added to all the events from this feed.
Click Create feed.

After creating the feed, context data will be retrieved periodically. It may take up to 24 hours for the initial directory snapshot to appear in Google SecOps.

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product .

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation . For information about requirements for each feed type, see Feed configuration by type . If you encounter issues when you create feeds, contact Google Security Operations support .

Regional endpoints

For Microsoft Azure AD deployments in sovereign clouds, use the appropriate regional endpoints:

Cloud Environment	API Full Path	API Authentication Endpoint
Global	`graph.microsoft.com/v1.0/auditLogs/signIns`	`login.microsoftonline.com`
US Government L4	`graph.microsoft.us/v1.0/auditLogs/signIns`	`login.microsoftonline.us`
US Government L5 (DOD)	`dod-graph.microsoft.us/v1.0/auditLogs/signIns`	`login.microsoftonline.us`
China (21Vianet)	`microsoftgraph.chinacloudapi.cn/v1.0/auditLogs/signIns`	`login.chinacloudapi.cn`

UDM Mapping Table

Log Field	UDM Mapping	Logic
`activityDateTime`	`principal.event_timestamp`	Parsed from the `activityDateTime` field. If the field is not in the expected "yyyy-MM-ddTHH:mm:ss.SSSZ" format or "ISO8601" format, the parser will try other formats like "MM/dd/yyyy HH:mm:ss A" or "MM/d/yyyy HH:mm:ss A".
`activityDisplayName`	`security_result.summary`	Directly mapped from `activityDisplayName` .
`additionalDetails.0.value`	`network.http.user_agent`	Directly mapped from `additionalDetails.0.value` .
`additionalDetails.1.key`	`target.resource.attribute.labels.key`	Directly mapped from `additionalDetails.1.key` .
`additionalDetails.1.value`	`target.resource.attribute.labels.value`	Directly mapped from `additionalDetails.1.value` .
`additionalInfo.[].Key`	`network.http.user_agent` , `target.url`	If `Key` is `userAgent` , map `Value` to `network.http.user_agent` and `network.http.parsed_user_agent` . If `Key` is `alertUrl` , map `Value` to `target.url` .
`additionalInfo.[].Value`	`network.http.user_agent` , `target.url`	If `Key` is `userAgent` , map `Value` to `network.http.user_agent` and `network.http.parsed_user_agent` . If `Key` is `alertUrl` , map `Value` to `target.url` .
`am_category`	`metadata.description`	Directly mapped from `am_category` .
`am_tenantId`	`metadata.product_deployment_id`	Directly mapped from `am_tenantId` .
`appId`	`target.resource.attribute.labels.value`	Directly mapped from `appId` with label key as "App Id".
`appDisplayName`	`target.application`	Directly mapped from `appDisplayName` .
`appliedConditionalAccessPolicies.[].displayName`	`security_result.[].rule_name` , `about.[].user.user_display_name`	Directly mapped from `appliedConditionalAccessPolicies.[].displayName` .
`appliedConditionalAccessPolicies.[].enforcedGrantControls`	`security_result.[].rule_labels.value`	Directly mapped from `appliedConditionalAccessPolicies.[].enforcedGrantControls` with label key as "applied_conditional_access_policies_enforced_grant_controls".
`appliedConditionalAccessPolicies.[].enforcedSessionControls`	`security_result.[].rule_labels.value`	Directly mapped from `appliedConditionalAccessPolicies.[].enforcedSessionControls` with label key as "applied_conditional_access_policies_enforced_session_controls".
`appliedConditionalAccessPolicies.[].id`	`security_result.[].rule_id` , `about.[].user.userid`	Directly mapped from `appliedConditionalAccessPolicies.[].id` .
`appliedConditionalAccessPolicies.[].result`	`security_result.[].detection_fields.value` , `about.[].labels.value`	Directly mapped from `appliedConditionalAccessPolicies.[].result` with label key as "Result".
`authenticationDetails.[].authenticationMethod`	`security_result.[].detection_fields.value`	Directly mapped from `authenticationDetails.[].authenticationMethod` with label key as "authenticationMethod".
`authenticationDetails.[].authenticationMethodDetail`	`security_result.[].detection_fields.value`	Directly mapped from `authenticationDetails.[].authenticationMethodDetail` with label key as "authenticationMethodDetail".
`authenticationDetails.[].authenticationStepDateTime`	`security_result.[].detection_fields.value`	Directly mapped from `authenticationDetails.[].authenticationStepDateTime` with label key as "authenticationStepDateTime".
`authenticationDetails.[].authenticationStepRequirement`	`security_result.[].detection_fields.value`	Directly mapped from `authenticationDetails.[].authenticationStepRequirement` with label key as "authenticationStepRequirement".
`authenticationDetails.[].authenticationStepResultDetail`	`security_result.[].detection_fields.value`	Directly mapped from `authenticationDetails.[].authenticationStepResultDetail` with label key as "authenticationStepResultDetail".
`authenticationDetails.[].succeeded`	`security_result.action`	If value is "true", then `ALLOW` , else `BLOCK` .
`authenticationRequirement`	`additional.fields.value.string_value`	Directly mapped from `authenticationRequirement` with label key as "AuthenticationRequirement".
`authenticationRequirementPolicies.[].detail`	`security_result.detection_fields.value`	Directly mapped from `authenticationRequirementPolicies.[].detail` with label key as "detail".
`authenticationRequirementPolicies.[].requirementProvider`	`security_result.detection_fields.value`	Directly mapped from `authenticationRequirementPolicies.[].requirementProvider` with label key as "requirementProvider".
`callerIpAddress`	`principal.ip` , `principal.asset.ip`	Directly mapped from `callerIpAddress` .
`category`	`metadata.description`	Directly mapped from `category` .
`clientAppUsed`	`principal.application`	Directly mapped from `clientAppUsed` .
`conditionalAccessStatus`	`additional.fields.value.string_value`	Directly mapped from `conditionalAccessStatus` with label key as "conditionalAccessStatus".
`correlationId`	`network.session_id` , `security_result.detection_fields.value`	Directly mapped from `correlationId` . Also used as `security_result.detection_fields.value` with label key as "CorrelationId".
`createdDateTime`	`when`	The `when` field is derived from the `createdDateTime` field. The date and time are extracted from the `createdDateTime` field using grok and then combined to form the `when` field.
`deviceDetail.browser`	`network.http.user_agent`	Directly mapped from `deviceDetail.browser` .
`deviceDetail.deviceId`	`principal.asset.asset_id` , `principal.asset_id`	Directly mapped from `deviceDetail.deviceId` and prefixed with "Device ID:".
`deviceDetail.displayName`	`principal.asset.hostname`	Directly mapped from `deviceDetail.displayName` .
`deviceDetail.isCompliant`	`principal.asset.attribute.labels.value`	Directly mapped from `deviceDetail.isCompliant` with label key as "isCompliant".
`deviceDetail.isManaged`	`principal.asset.attribute.labels.value`	Directly mapped from `deviceDetail.isManaged` with label key as "isManaged".
`deviceDetail.operatingSystem`	`principal.platform_version`	Directly mapped from `deviceDetail.operatingSystem` .
`deviceDetail.trustType`	`principal.asset.attribute.labels.value`	Directly mapped from `deviceDetail.trustType` with label key as "trustType".
`durationMs`	`additional.fields.value.string_value`	Directly mapped from `durationMs` with label key as "durationMs".
`event.id`	-	Not mapped as per instructions (point 3).
`id`	`metadata.product_log_id`	Directly mapped from `id` .
`identity`	`target.user.user_display_name`	Directly mapped from `identity` if it is different from `userId` and is not an email address.
`initiatedBy.user.displayName`	`principal.user.user_display_name`	Directly mapped from `initiatedBy.user.displayName` .
`initiatedBy.user.id`	`principal.user.userid` , `principal.user.windows_sid`	Directly mapped from `initiatedBy.user.id` .
`initiatedBy.user.ipAddress`	`principal.ip` , `principal.asset.ip`	Directly mapped from `initiatedBy.user.ipAddress` .
`initiatedBy.user.userPrincipalName`	`principal.user.email_addresses` , `principal.user.userid`	Directly mapped from `initiatedBy.user.userPrincipalName` . If it is an email address, it is mapped to `email_addresses` , otherwise to `userid` .
`Level`	`security_result.severity_details` , `level`	Directly mapped from `Level` .
`level`	`security_result.severity_details` , `security_result.severity`	Directly mapped from `level` . Also mapped to `security_result.severity` after converting to uppercase. Special handling for "Information", "Informational", "0", "4", "Warning", "1", "3", "Error", "2", and "Critical" values.
`location.city`	`principal.location.city`	Directly mapped from `location.city` .
`location.countryOrRegion`	`principal.location.country_or_region`	Directly mapped from `location.countryOrRegion` .
`location.geoCoordinates.altitude`	`additional.fields.value.string_value`	Directly mapped from `location.geoCoordinates.altitude` with label key as "location_geoCoordinates_altitude".
`location.geoCoordinates.latitude`	`principal.location.region_latitude` , `principal.location.region_coordinates.latitude`	Directly mapped from `location.geoCoordinates.latitude` .
`location.geoCoordinates.longitude`	`principal.location.region_longitude` , `principal.location.region_coordinates.longitude`	Directly mapped from `location.geoCoordinates.longitude` .
`location.state`	`principal.location.state`	Directly mapped from `location.state` .
`location`	`principal.location.name`	Directly mapped from `location` .
`log_type`	`metadata.log_type`	Directly mapped from `log_type` .
`networkLocationDetails.[].networkNames`	`additional.fields.value.string_value`	Concatenated values from `networkLocationDetails.[].networkNames` with label key as "networkName {index}".
`networkLocationDetails.[].networkType`	`security_result.detection_fields.value` , `additional.fields.value.string_value`	Directly mapped from `networkLocationDetails.[].networkType` with label key as "networkType". Also used as `additional.fields.value.string_value` with label key as "networkType {index}".
`operationName`	`event_type`	If `operationName` is "Sign-in activity", then `USER_LOGIN` . If `operationName` is "Add member to group", then `USER_CHANGE_PERMISSIONS` .
`operationType`	`security_result.action_details`	Directly mapped from `operationType` .
`properties.activity`	`security_result.summary`	Directly mapped from `properties.activity` .
`properties.activityDateTime`	`when`	Parsed from the `properties.activityDateTime` field. If the field is not in the expected "yyyy-MM-ddTHH:mm:ss.SSSZ" format or "ISO8601" format, the parser will try other formats like "MM/dd/yyyy HH:mm:ss A" or "MM/d/yyyy HH:mm:ss A".
`properties.activityDisplayName`	`security_result.summary`	Directly mapped from `properties.activityDisplayName` .
`properties.additionalInfo`	`network.http.user_agent` , `target.url`	Parsed as JSON and if key is userAgent, map value to `network.http.user_agent` and `network.http.parsed_user_agent` . If key is alertUrl, map value to `target.url` .
`properties.appliedConditionalAccessPolicies.[].displayName`	`security_result.[].rule_name`	Directly mapped from `properties.appliedConditionalAccessPolicies.[].displayName` .
`properties.appliedConditionalAccessPolicies.[].enforcedGrantControls`	`security_result.[].rule_labels.value`	Directly mapped from `properties.appliedConditionalAccessPolicies.[].enforcedGrantControls` with label key as "applied_conditional_access_policies_enforced_grant_controls".
`properties.appliedConditionalAccessPolicies.[].enforcedSessionControls`	`security_result.[].rule_labels.value`	Directly mapped from `properties.appliedConditionalAccessPolicies.[].enforcedSessionControls` with label key as "applied_conditional_access_policies_enforced_session_controls".
`properties.appliedConditionalAccessPolicies.[].id`	`security_result.[].rule_id`	Directly mapped from `properties.appliedConditionalAccessPolicies.[].id` .
`properties.appliedConditionalAccessPolicies.[].result`	`security_result.[].detection_fields.value`	Directly mapped from `properties.appliedConditionalAccessPolicies.[].result` with label key as "Result".
`properties.appId`	`appId`	Directly mapped from `properties.appId` .
`properties.appDisplayName`	`target.application`	Directly mapped from `properties.appDisplayName` .
`properties.authenticationDetails.[].authenticationMethod`	`security_result.detection_fields.value`	Directly mapped from `properties.authenticationDetails.[].authenticationMethod` with label key as "authenticationMethod".
`properties.authenticationDetails.[].authenticationMethodDetail`	`security_result.detection_fields.value`	Directly mapped from `properties.authenticationDetails.[].authenticationMethodDetail` with label key as "authenticationMethodDetail".
`properties.authenticationDetails.[].authenticationStepDateTime`	`security_result.detection_fields.value`	Directly mapped from `properties.authenticationDetails.[].authenticationStepDateTime` with label key as "authenticationStepDateTime".
`properties.authenticationDetails.[].authenticationStepRequirement`	`security_result.detection_fields.value`	Directly mapped from `properties.authenticationDetails.[].authenticationStepRequirement` with label key as "authenticationStepRequirement".
`properties.authenticationDetails.[].authenticationStepResultDetail`	`security_result.detection_fields.value`	Directly mapped from `properties.authenticationDetails.[].authenticationStepResultDetail` with label key as "authenticationStepResultDetail".
`properties.authenticationRequirement`	`additional.fields.value.string_value`	Directly mapped from `properties.authenticationRequirement` with label key as "AuthenticationRequirement".
`properties.authenticationRequirementPolicies.[].detail`	`security_result.detection_fields.value`	Directly mapped from `properties.authenticationRequirementPolicies.[].detail` with label key as "detail".
`properties.authenticationRequirementPolicies.[].requirementProvider`	`security_result.detection_fields.value`	Directly mapped from `properties.authenticationRequirementPolicies.[].requirementProvider` with label key as "requirementProvider".
`properties.clientAppUsed`	`principal.application`	Directly mapped from `properties.clientAppUsed` .
`properties.conditionalAccessStatus`	`additional.fields.value.string_value`	Directly mapped from `properties.conditionalAccessStatus` with label key as "conditionalAccessStatus".
`properties.crossTenantAccessType`	`additional.fields.value.string_value`	Directly mapped from `properties.crossTenantAccessType` with label key as "crossTenantAccessType".
`properties.detectedDateTime`	`additional.fields.value.string_value`	Directly mapped from `properties.detectedDateTime` with label key as "detectedDateTime".
`properties.detectionTimingType`	`additional.fields.value.string_value`	Directly mapped from `properties.detectionTimingType` with label key as "detectionTimingType".
`properties.homeTenantId`	`additional.fields.value.string_value`	Directly mapped from `properties.homeTenantId` with label key as "homeTenantId".
`properties.id`	`metadata.product_log_id`	Directly mapped from `properties.id` .
`properties.initiatedBy.user.displayName`	`principal.user.user_display_name`	Directly mapped from `properties.initiatedBy.user.displayName` .
`properties.initiatedBy.user.id`	`principal.user.windows_sid`	Directly mapped from `properties.initiatedBy.user.id` .
`properties.initiatedBy.user.ipAddress`	`principal.ip` , `principal.asset.ip`	Directly mapped from `properties.initiatedBy.user.ipAddress` .
`properties.initiatedBy.user.userPrincipalName`	`principal.user.email_addresses` , `principal.user.userid`	Directly mapped from `properties.initiatedBy.user.userPrincipalName` . If it is an email address, it is mapped to `email_addresses` , otherwise to `userid` .
`properties.ipAddress`	`principal.ip` , `principal.asset.ip`	Directly mapped from `properties.ipAddress` .
`properties.isGuest`	`additional.fields.value.string_value`	Directly mapped from `properties.isGuest` with label key as "isGuest".
`properties.isDeleted`	`additional.fields.value.string_value`	Directly mapped from `properties.isDeleted` with label key as "isDeleted".
`properties.isProcessing`	`additional.fields.value.string_value`	Directly mapped from `properties.isProcessing` with label key as "isProcessing".
`properties.lastUpdatedDateTime`	`additional.fields.value.string_value`	Directly mapped from `properties.lastUpdatedDateTime` with label key as "lastUpdatedDateTime".
`properties.location.city`	`principal.location.city`	Directly mapped from `properties.location.city` .
`properties.location.countryOrRegion`	`principal.location.country_or_region`	Directly mapped from `properties.location.countryOrRegion` .
`properties.location.geoCoordinates.latitude`	`principal.location.region_latitude` , `principal.location.region_coordinates.latitude`	Directly mapped from `properties.location.geoCoordinates.latitude` .
`properties.location.geoCoordinates.longitude`	`principal.location.region_longitude` , `principal.location.region_coordinates.longitude`	Directly mapped from `properties.location.geoCoordinates.longitude` .
`properties.location.state`	`principal.location.state`	Directly mapped from `properties.location.state` .
`properties.networkLocationDetails.[].networkNames`	`additional.fields.value.string_value`	Concatenated values from `properties.networkLocationDetails.[].networkNames` with label key as "properties networkName {index}".
`properties.networkLocationDetails.[].networkType`	`additional.fields.value.string_value`	Directly mapped from `properties.networkLocationDetails.[].networkType` with label key as "properties networkType {index}".
`properties.riskEventType`	`additional.fields.value.string_value`	Directly mapped from `properties.riskEventType` with label key as "riskEventType".
`properties.riskLastUpdatedDateTime`	`additional.fields.value.string_value`	Directly mapped from `properties.riskLastUpdatedDateTime` with label key as "riskLastUpdatedDateTime".
`properties.riskLevel`	`additional.fields.value.string_value`	Directly mapped from `properties.riskLevel` with label key as "riskLevel".
`properties.riskLevelDuringSignIn`	`additional.fields.value.string_value`	Directly mapped from `properties.riskLevelDuringSignIn` with label key as "riskLevelDuringSignIn".
`properties.riskState`	`additional.fields.value.string_value`	Directly mapped from `properties.riskState` with label key as "riskState".
`properties.riskDetail`	`additional.fields.value.string_value`	Directly mapped from `properties.riskDetail` with label key as "riskDetail".
`properties.riskType`	`additional.fields.value.string_value`	Directly mapped from `properties.riskType` with label key as "riskType".
`properties.source`	`additional.fields.value.string_value`	Directly mapped from `properties.source` with label key as "source".
`properties.targetResources.0.id`	`target.user.product_object_id`	Directly mapped from `properties.targetResources.0.id` .
`properties.targetResources.modifiedProperties.0.newValue`	`target.group.product_object_id`	Directly mapped from `properties.targetResources.modifiedProperties.0.newValue` .
`properties.tokenIssuerType`	`additional.fields.value.string_value`	Directly mapped from `properties.tokenIssuerType` with label key as "tokenIssuerType".
`properties.userAgent`	`network.http.user_agent` , `network.http.parsed_user_agent`	Directly mapped from `properties.userAgent` .
`properties.userDisplayName`	`target.user.user_display_name`	Directly mapped from `properties.userDisplayName` .
`properties.userId`	`target.user.product_object_id`	Directly mapped from `properties.userId` .
`properties.userPrincipalName`	`target.user.userid` , `target.user.email_addresses`	Directly mapped from `properties.userPrincipalName` . If it is an email address, it is mapped to `email_addresses` , otherwise to `userid` .
`result`	`security_result.action` , `security_result.action_details`	If `result` is "success", then `ALLOW` .
`resultDescription`	`security_result.description`	Directly mapped from `resultDescription` .
`resultSignature`	`additional.fields.value.string_value`	Directly mapped from `resultSignature` with label key as "resultSignature".
`resultType`	`security_result.rule_id` , `action` , `security_result.summary`	If `resultType` is "0", then `ALLOW` and "Successful login occurred". Otherwise, `BLOCK` and "Failed login occurred".
`resourceId`	`target.resource.id` , `target.resource.product_object_id`	Directly mapped from `resourceId` .
`resourceDisplayName`	`target.resource.name` , `appDisplayName`	Directly mapped from `resourceDisplayName` .
`riskDetail`	`additional.fields.value.string_value`	Directly mapped from `riskDetail` with label key as "riskDetail".
`riskEventTypes.[].`	`additional.fields.value.string_value` , `additional.fields.value.list_value.values.string_value`	Values are added to a list with key as "riskEventTypes" in `additional.fields` . Also, each value is added as a separate field with key as "riskEventType" in `additional.fields` .
`riskEventTypes_v2.[].`	`additional.fields.value.list_value.values.string_value`	Values are added to a list with key as "riskEventTypes_v2" in `additional.fields` .
`riskLevelAggregated`	`additional.fields.value.string_value`	Directly mapped from `riskLevelAggregated` with label key as "riskLevelAggregated".
`riskLevelDuringSignIn`	`additional.fields.value.string_value`	Directly mapped from `riskLevelDuringSignIn` with label key as "riskLevelDuringSignIn".
`riskState`	`additional.fields.value.string_value`	Directly mapped from `riskState` with label key as "riskState".
`status.additionalDetails`	`security_result.description`	Directly mapped from `status.additionalDetails` .
`status.errorCode`	`security_result.rule_id` , `errorCode`	Directly mapped from `status.errorCode` .
`target.displayName`	`resourceDisplayName`	Directly mapped from `target.displayName` .
`target.id`	`resourceId`	Directly mapped from `target.id` .
`target.modifiedProperties.[].displayName`	`target.resource.attribute.labels.key`	Directly mapped from `target.modifiedProperties.[].displayName` .
`target.modifiedProperties.[].newValue`	`target.resource.attribute.labels.value` , `target.resource.product_object_id`	Directly mapped from `target.modifiedProperties.[].newValue` .
`target.modifiedProperties.[].oldValue`	`target.resource.attribute.labels.value`	Directly mapped from `target.modifiedProperties.[].oldValue` .
`target.type`	`target.resource.type`	Directly mapped from `target.type` .
`tenantId`	`metadata.product_deployment_id`	Directly mapped from `tenantId` .
`time`	`when`	The `when` field is derived from the `time` field. The date and time are extracted from the `time` field using grok and then combined to form the `when` field.
`userAgent`	`network.http.user_agent` , `network.http.parsed_user_agent`	Directly mapped from `userAgent` .
`userDisplayName`	`target.user.user_display_name`	Directly mapped from `userDisplayName` .
`userId`	`target.user.product_object_id`	Directly mapped from `userId` .
`userPrincipalName`	`target.user.userid` , `principal.administrative_domain` , `target.user.email_addresses`	Directly mapped from `userPrincipalName` . If it is an email address, it is mapped to `email_addresses` and the domain part is extracted and mapped to `principal.administrative_domain` . Otherwise, it is mapped to `userid` .
(Parser Logic)	`event.idm.is_alert` , `event.idm.is_significant`	Set to true if level is "Critical".
(Parser Logic)	`event.idm.read_only_udm.metadata.event_type`	Set to "USER_LOGIN" if `has_target_user` is "true". Set to "USER_UNCATEGORIZED" if `has_principal_user` is "true". Set to "STATUS_UPDATE" if `has_principal` is "true". Set to "GENERIC_EVENT" otherwise.
(Parser Logic)	`event.idm.read_only_udm.metadata.vendor_name`	Set to "Microsoft".
(Parser Logic)	`event.idm.read_only_udm.metadata.product_name`	Set to "Azure AD".
(Parser Logic)	`event.idm.read_only_udm.extensions.auth.type`	Set to "SSO".
(Parser Logic)	`event.idm.read_only_udm.extensions.auth.mechanism`	Set to "INTERACTIVE" if `isInteractive` is "true". Set to "MECHANISM_OTHER" otherwise.
(Parser Logic)	`security_result.action`	Set to ALLOW if result is success.
(Parser Logic)	`security_result.action`	Set to ALLOW if resultType is 0.
(Parser Logic)	`security_result.action`	Set to BLOCK if resultType is not 0 and not "".
(Parser Logic)	`security_result.category`	Set to "AUTH_VIOLATION" if resultType is not 0 and not "".
(Parser Logic)	`security_result.description`	Set to "Group membership modified" if operationName is "Add member to group" and result is "success".
(Parser Logic)	`security_result.priority`	Set to "MEDIUM_PRIORITY" if properties.riskLevelDuringSignIn is "medium".
(Parser Logic)	`security_result.summary`	Set to "Successful login occurred" if resultType is 0.
(Parser Logic)	`security_result.summary`	Set to "Failed login occurred" if resultType is not 0 and not "".
(Parser Logic)	`security_result.summary`	Set to properties.activityDisplayName if it exists.
(Parser Logic)	`security_result.severity`	Set to INFORMATIONAL if level is "Information", "Informational", "0", or "4". Set to MEDIUM if level is "Warning", "1", or "3". Set to ERROR if level is "Error" or "2". Set to CRITICAL if level is "Critical".
(Parser Logic)	`security_result.severity`	Set to ERROR if resultType is not 0 and not "".

Need more help? Get answers from Community members and Google SecOps professionals.