Collect Microsoft Azure AD logs

Supported in:

Google secops SIEM

This document describes how you can collect Microsoft Azure Active Directory (AD) logs by setting up a Google Security Operations feed.

Azure Active Directory ( AZURE_AD ) is now called Microsoft Entra ID. Azure AD audit logs ( AZURE_AD_AUDIT ) are now Microsoft Entra ID audit logs.

For more information, see Data ingestion to Google Security Operations .

An ingestion label identifies the parser which normalizes raw log data to structured UDM format.

Before you begin

Ensure you have the following prerequisites:

An Azure subscription that you can sign in to
A global administrator or Azure AD administrator role
An Azure AD (tenant) in Azure

How to configure Azure AD

Sign in to the Azure portal.
Go to Home > App registration, select a registered application or register an application if you haven't created an application yet.
To register an application, in the App registrationsection, click New registration.
In the Namefield, provide the display name for your application.
In the Supported account typessection, select the required option to specify who can use the application or access the API.
Click Register.
Go to the Overviewpage and copy the application (client) ID and the directory (tenant) ID, which are required to configure the Google Security Operations feed.
Click API permissions.
Click Add a permission, and then select Microsoft Graphin the new pane.
Click Application permissions.
Select AuditLog.Read.All, Directory.Read.All, and SecurityEvents.Read.Allpermissions. Ensure that the permissions are Application permissionsand not Delegated permissions.
Click Grant admin consent for default directory. Applications are authorized to call APIs when they are granted permissions by users or administrators as part of the consent process.
Go to Settings > Manage.
Click Certificates and secrets.
Click New client secret. In the Valuefield, the client secret appears.
Copy the client secret value. The value is displayed only at the time of creation and it is required for the Azure app registration and to configure the Google Security Operations feed.

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

SIEM Settings > Feeds > Add New
Content Hub > Content Packs > Get Started

How to set up the Microsoft Entra ID (Azure AD) feed

Click the Azure Platformpack.
Locate the Azure ADlog type.
Specify values for the following fields:
- Source Type: Third party API (recommended)
- OAUTH client ID: Specify the client ID that you obtained previously.
- OAUTH client secret: Specify the client secret that you obtained previously.
- Tenant ID: Specify the tenant ID that you obtained previously.
- API Full path: Microsoft Graph REST API endpoint URL.
- API Authentication Endpoint: Microsoft Active Directory Authentication Endpoint.
Advanced Options
- Feed Name: A prepopulated value that identifies the feed.
- Asset Namespace: Namespace associated with the feed .
- Ingestion Labels: Labels applied to all events from this feed.
Click Create feed.

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product .

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation . For information about requirements for each feed type, see Feed configuration by type .

Field mapping reference

This parser code transforms raw Azure AD logs in JSON format into a unified data model (UDM). It first normalizes the data by removing unnecessary fields and then extracts relevant information like user details, timestamps, and event specifics, mapping them to corresponding UDM fields for consistent representation and analysis.

UDM mapping table

Log Field	UDM Mapping	Logic
activityDateTime	read_only_udm.metadata.event_timestamp.seconds	The value is extracted from the `activityDateTime` field and converted to seconds since epoch.
activityDisplayName	read_only_udm.security_result.summary	The value is directly mapped from the `activityDisplayName` field.
additionalDetails.0.value	read_only_udm.network.http.user_agent	The value is directly mapped from the `additionalDetails.0.value` field.
additionalDetails.1.key	read_only_udm.target.resource.attribute.labels.key	The value is directly mapped from the `additionalDetails.1.key` field.
additionalDetails.1.value	read_only_udm.target.resource.attribute.labels.value	The value is directly mapped from the `additionalDetails.1.value` field.
am_category	read_only_udm.metadata.description	The value is directly mapped from the `am_category` field.
am_tenantId	read_only_udm.metadata.product_deployment_id	The value is directly mapped from the `am_tenantId` field.
appDisplayName	read_only_udm.target.application	The value is directly mapped from the `appDisplayName` field. If `appDisplayName` is empty, the value is taken from `resourceDisplayName` .
appId	read_only_udm.target.resource.attribute.labels.value	The value is directly mapped from the `appId` field.
appliedConditionalAccessPolicies.displayName	read_only_udm.about.user.user_display_name	The value is directly mapped from the `appliedConditionalAccessPolicies.displayName` field.
appliedConditionalAccessPolicies.enforcedGrantControls	read_only_udm.security_result.rule_labels.value	The value is directly mapped from the `appliedConditionalAccessPolicies.enforcedGrantControls` field.
appliedConditionalAccessPolicies.enforcedSessionControls	read_only_udm.security_result.rule_labels.value	The value is directly mapped from the `appliedConditionalAccessPolicies.enforcedSessionControls` field.
appliedConditionalAccessPolicies.id	read_only_udm.about.user.userid	The value is directly mapped from the `appliedConditionalAccessPolicies.id` field.
appliedConditionalAccessPolicies.result	read_only_udm.about.labels.value	The value is directly mapped from the `appliedConditionalAccessPolicies.result` field.
authenticationDetails.authenticationMethod	read_only_udm.security_result.detection_fields.value	The value is directly mapped from the `authenticationDetails.authenticationMethod` field.
authenticationDetails.authenticationMethodDetail	read_only_udm.security_result.detection_fields.value	The value is directly mapped from the `authenticationDetails.authenticationMethodDetail` field.
authenticationDetails.authenticationStepDateTime	read_only_udm.security_result.detection_fields.value	The value is directly mapped from the `authenticationDetails.authenticationStepDateTime` field.
authenticationDetails.authenticationStepRequirement	read_only_udm.security_result.detection_fields.value	The value is directly mapped from the `authenticationDetails.authenticationStepRequirement` field.
authenticationDetails.authenticationStepResultDetail	read_only_udm.security_result.detection_fields.value	The value is directly mapped from the `authenticationDetails.authenticationStepResultDetail` field.
authenticationProcessingDetails.key	read_only_udm.additional.fields.key	The value is directly mapped from the `authenticationProcessingDetails.key` field, prefixed with "authenticationProcessingDetails - ".
authenticationProcessingDetails.value	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `authenticationProcessingDetails.value` field.
callerIpAddress	read_only_udm.principal.ip	The value is directly mapped from the `callerIpAddress` field.
callerIpAddress	read_only_udm.principal.asset.ip	The value is directly mapped from the `callerIpAddress` field.
category	read_only_udm.metadata.description	The value is directly mapped from the `category` field.
clientAppUsed	read_only_udm.principal.application	The value is directly mapped from the `clientAppUsed` field.
conditionalAccessStatus	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `conditionalAccessStatus` field.
correlationId	read_only_udm.network.session_id	The value is directly mapped from the `correlationId` field.
correlationId	read_only_udm.security_result.detection_fields.value	The value is directly mapped from the `correlationId` field.
createdDateTime	read_only_udm.metadata.event_timestamp.seconds	The value is extracted from the `createdDateTime` field and converted to seconds since epoch.
deviceDetail.browser	read_only_udm.network.http.user_agent	The value is directly mapped from the `deviceDetail.browser` field.
deviceDetail.deviceId	read_only_udm.principal.asset.asset_id	The value is directly mapped from the `deviceDetail.deviceId` field, prefixed with "Device ID:".
deviceDetail.deviceId	read_only_udm.principal.asset_id	The value is directly mapped from the `deviceDetail.deviceId` field, prefixed with "Device ID:".
deviceDetail.displayName	read_only_udm.principal.asset.hostname	The value is directly mapped from the `deviceDetail.displayName` field.
deviceDetail.isCompliant	read_only_udm.principal.asset.attribute.labels.value	The value is directly mapped from the `deviceDetail.isCompliant` field.
deviceDetail.isManaged	read_only_udm.principal.asset.attribute.labels.value	The value is directly mapped from the `deviceDetail.isManaged` field.
deviceDetail.operatingSystem	read_only_udm.principal.platform_version	The value is directly mapped from the `deviceDetail.operatingSystem` field.
deviceDetail.trustType	read_only_udm.principal.asset.attribute.labels.value	The value is directly mapped from the `deviceDetail.trustType` field.
durationMs	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `durationMs` field.
errorCode	read_only_udm.security_result.rule_id	The value is directly mapped from the `errorCode` field.
identity	read_only_udm.target.user.user_display_name	The value is directly mapped from the `identity` field if it is different from `userId` and does not match an email address pattern.
initiatedBy.user.displayName	read_only_udm.principal.user.user_display_name	The value is directly mapped from the `initiatedBy.user.displayName` field.
initiatedBy.user.id	read_only_udm.principal.user.userid	The value is directly mapped from the `initiatedBy.user.id` field.
initiatedBy.user.ipAddress	read_only_udm.principal.ip	The value is directly mapped from the `initiatedBy.user.ipAddress` field.
initiatedBy.user.ipAddress	read_only_udm.principal.asset.ip	The value is directly mapped from the `initiatedBy.user.ipAddress` field.
initiatedBy.user.userPrincipalName	read_only_udm.principal.user.email_addresses	The value is directly mapped from the `initiatedBy.user.userPrincipalName` field if it matches an email address pattern.
ipAddress	read_only_udm.principal.ip	The value is extracted from the `ipAddress` field using a grok pattern to extract the IP address.
ipAddress	read_only_udm.principal.asset.ip	The value is extracted from the `ipAddress` field using a grok pattern to extract the IP address.
isInteractive	read_only_udm.extensions.auth.mechanism	The value is mapped to "INTERACTIVE" if `isInteractive` is "true", otherwise it is mapped to "MECHANISM_OTHER".
isInteractive	read_only_udm.security_result.detection_fields.value	The value is directly mapped from the `isInteractive` field.
level	read_only_udm.security_result.severity	The value is mapped from the `level` field based on the following logic: * "Information", "Informational", "0", "4" are mapped to "INFORMATIONAL". * "Warning", "1", "3" are mapped to "MEDIUM". * "Error", "2" are mapped to "ERROR". * "Critical", "CRITICAL", "critical" are mapped to "CRITICAL".
level	read_only_udm.security_result.severity_details	The value is directly mapped from the `level` field.
location.city	read_only_udm.principal.location.city	The value is directly mapped from the `location.city` field.
location.countryOrRegion	read_only_udm.principal.location.country_or_region	The value is directly mapped from the `location.countryOrRegion` field.
location.geoCoordinates.latitude	read_only_udm.principal.location.region_coordinates.latitude	The value is directly mapped from the `location.geoCoordinates.latitude` field and converted to a float.
location.geoCoordinates.latitude	read_only_udm.principal.location.region_latitude	The value is directly mapped from the `location.geoCoordinates.latitude` field and converted to a float.
location.geoCoordinates.longitude	read_only_udm.principal.location.region_coordinates.longitude	The value is directly mapped from the `location.geoCoordinates.longitude` field and converted to a float.
location.geoCoordinates.longitude	read_only_udm.principal.location.region_longitude	The value is directly mapped from the `location.geoCoordinates.longitude` field and converted to a float.
location.state	read_only_udm.principal.location.state	The value is directly mapped from the `location.state` field.
networkLocationDetails.networkNames	read_only_udm.additional.fields.value.string_value	The value is generated by concatenating all values from the `networkLocationDetails.networkNames` array, separated by commas.
networkLocationDetails.networkType	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `networkLocationDetails.networkType` field.
networkLocationDetails.networkType	read_only_udm.security_result.detection_fields.value	The value is directly mapped from the `networkLocationDetails.networkType` field.
operationName	read_only_udm.metadata.event_type	The value is mapped to "USER_LOGIN" if `operationName` is "Sign-in activity", "USER_CHANGE_PERMISSIONS" if `operationName` is "Add member to group", and "USER_RESOURCE_UPDATE_PERMISSIONS" if `operationName` is "Add app role assignment to service principal". Otherwise, the value is determined based on the presence of other fields: * "USER_LOGIN" if `has_target_user` is "true". * "USER_UNCATEGORIZED" if `has_principal_user` is "true". * "STATUS_UPDATE" if `has_principal` is "true". * "GENERIC_EVENT" otherwise.
operationType	read_only_udm.security_result.action_details	The value is directly mapped from the `operationType` field.
properties.activity	read_only_udm.security_result.summary	The value is directly mapped from the `properties.activity` field.
properties.activityDateTime	read_only_udm.metadata.event_timestamp.seconds	The value is extracted from the `properties.activityDateTime` field and converted to seconds since epoch.
properties.additionalInfo	read_only_udm.network.http.user_agent	The value is extracted from the `properties.additionalInfo` field by parsing the JSON string and extracting the value corresponding to the key "userAgent".
properties.additionalInfo	read_only_udm.target.url	The value is extracted from the `properties.additionalInfo` field by parsing the JSON string and extracting the value corresponding to the key "alertUrl".
properties.appId	read_only_udm.target.resource.attribute.labels.value	The value is directly mapped from the `properties.appId` field.
properties.appDisplayName	read_only_udm.target.application	The value is directly mapped from the `properties.appDisplayName` field.
properties.appliedConditionalAccessPolicies.displayName	read_only_udm.security_result.rule_name	The value is directly mapped from the `properties.appliedConditionalAccessPolicies.displayName` field.
properties.appliedConditionalAccessPolicies.id	read_only_udm.security_result.rule_id	The value is directly mapped from the `properties.appliedConditionalAccessPolicies.id` field.
properties.appliedConditionalAccessPolicies.result	read_only_udm.security_result.detection_fields.value	The value is directly mapped from the `properties.appliedConditionalAccessPolicies.result` field.
properties.authenticationDetails.authenticationMethod	read_only_udm.security_result.detection_fields.value	The value is directly mapped from the `properties.authenticationDetails.authenticationMethod` field.
properties.authenticationDetails.authenticationMethodDetail	read_only_udm.security_result.detection_fields.value	The value is directly mapped from the `properties.authenticationDetails.authenticationMethodDetail` field.
properties.authenticationDetails.authenticationStepDateTime	read_only_udm.security_result.detection_fields.value	The value is directly mapped from the `properties.authenticationDetails.authenticationStepDateTime` field.
properties.authenticationDetails.authenticationStepRequirement	read_only_udm.security_result.detection_fields.value	The value is directly mapped from the `properties.authenticationDetails.authenticationStepRequirement` field.
properties.authenticationDetails.authenticationStepResultDetail	read_only_udm.security_result.detection_fields.value	The value is directly mapped from the `properties.authenticationDetails.authenticationStepResultDetail` field.
properties.authenticationProcessingDetails.key	read_only_udm.additional.fields.key	The value is directly mapped from the `properties.authenticationProcessingDetails.key` field, prefixed with "properties authenticationProcessingDetails - ".
properties.authenticationProcessingDetails.value	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `properties.authenticationProcessingDetails.value` field.
properties.authenticationRequirement	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `properties.authenticationRequirement` field.
properties.authenticationRequirementPolicies.detail	read_only_udm.security_result.detection_fields.value	The value is directly mapped from the `properties.authenticationRequirementPolicies.detail` field.
properties.authenticationRequirementPolicies.requirementProvider	read_only_udm.security_result.detection_fields.value	The value is directly mapped from the `properties.authenticationRequirementPolicies.requirementProvider` field.
properties.clientAppUsed	read_only_udm.principal.application	The value is directly mapped from the `properties.clientAppUsed` field.
properties.conditionalAccessStatus	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `properties.conditionalAccessStatus` field.
properties.createdDateTime	read_only_udm.metadata.event_timestamp.seconds	The value is extracted from the `properties.createdDateTime` field and converted to seconds since epoch.
properties.crossTenantAccessType	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `properties.crossTenantAccessType` field.
properties.detectedDateTime	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `properties.detectedDateTime` field.
properties.detectionTimingType	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `properties.detectionTimingType` field.
properties.homeTenantId	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `properties.homeTenantId` field.
properties.id	read_only_udm.metadata.product_log_id	The value is directly mapped from the `properties.id` field.
properties.initiatedBy.user.displayName	read_only_udm.principal.user.user_display_name	The value is directly mapped from the `properties.initiatedBy.user.displayName` field.
properties.initiatedBy.user.id	read_only_udm.principal.user.windows_sid	The value is directly mapped from the `properties.initiatedBy.user.id` field.
properties.initiatedBy.user.ipAddress	read_only_udm.principal.ip	The value is directly mapped from the `properties.initiatedBy.user.ipAddress` field.
properties.initiatedBy.user.ipAddress	read_only_udm.principal.asset.ip	The value is directly mapped from the `properties.initiatedBy.user.ipAddress` field.
properties.initiatedBy.user.userPrincipalName	read_only_udm.principal.user.userid	The value is directly mapped from the `properties.initiatedBy.user.userPrincipalName` field if it does not match an email address pattern.
properties.initiatedBy.user.userPrincipalName	read_only_udm.principal.user.email_addresses	The value is directly mapped from the `properties.initiatedBy.user.userPrincipalName` field if it matches an email address pattern.
properties.ipAddress	read_only_udm.principal.ip	The value is extracted from the `properties.ipAddress` field using a grok pattern to extract the IP address.
properties.ipAddress	read_only_udm.principal.asset.ip	The value is extracted from the `properties.ipAddress` field using a grok pattern to extract the IP address.
properties.isGuest	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `properties.isGuest` field.
properties.isDeleted	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `properties.isDeleted` field.
properties.isProcessing	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `properties.isProcessing` field.
properties.lastUpdatedDateTime	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `properties.lastUpdatedDateTime` field.
properties.location.city	read_only_udm.principal.location.city	The value is directly mapped from the `properties.location.city` field.
properties.location.countryOrRegion	read_only_udm.principal.location.country_or_region	The value is directly mapped from the `properties.location.countryOrRegion` field.
properties.location.geoCoordinates.latitude	read_only_udm.principal.location.region_coordinates.latitude	The value is directly mapped from the `properties.location.geoCoordinates.latitude` field and converted to a float.
properties.location.geoCoordinates.latitude	read_only_udm.principal.location.region_latitude	The value is directly mapped from the `properties.location.geoCoordinates.latitude` field and converted to a float.
properties.location.geoCoordinates.longitude	read_only_udm.principal.location.region_coordinates.longitude	The value is directly mapped from the `properties.location.geoCoordinates.longitude` field and converted to a float.
properties.location.geoCoordinates.longitude	read_only_udm.principal.location.region_longitude	The value is directly mapped from the `properties.location.geoCoordinates.longitude` field and converted to a float.
properties.location.state	read_only_udm.principal.location.state	The value is directly mapped from the `properties.location.state` field.
properties.networkLocationDetails.networkNames	read_only_udm.additional.fields.value.string_value	The value is generated by concatenating all values from the `properties.networkLocationDetails.networkNames` array, separated by commas.
properties.networkLocationDetails.networkType	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `properties.networkLocationDetails.networkType` field.
properties.networkLocationDetails.networkType	read_only_udm.security_result.detection_fields.value	The value is directly mapped from the `properties.networkLocationDetails.networkType` field.
properties.resourceServicePrincipalId	read_only_udm.target.resource.attribute.labels.value	The value is directly mapped from the `properties.resourceServicePrincipalId` field.
properties.riskDetail	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `properties.riskDetail` field.
properties.riskEventType	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `properties.riskEventType` field.
properties.riskLastUpdatedDateTime	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `properties.riskLastUpdatedDateTime` field.
properties.riskLevel	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `properties.riskLevel` field.
properties.riskLevelDuringSignIn	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `properties.riskLevelDuringSignIn` field.
properties.riskState	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `properties.riskState` field.
properties.riskType	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `properties.riskType` field.
properties.source	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `properties.source` field.
properties.targetResources.0.id	read_only_udm.target.user.product_object_id	The value is directly mapped from the `properties.targetResources.0.id` field.
properties.targetResources.modifiedProperties.0.newValue	read_only_udm.target.group.product_object_id	The value is directly mapped from the `properties.targetResources.modifiedProperties.0.newValue` field.
properties.tokenIssuerType	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `properties.tokenIssuerType` field.
properties.userAgent	read_only_udm.network.http.parsed_user_agent	The value is directly mapped from the `properties.userAgent` field and converted to a parsed user agent object.
properties.userAgent	read_only_udm.network.http.user_agent	The value is directly mapped from the `properties.userAgent` field.
properties.userId	read_only_udm.target.user.product_object_id	The value is directly mapped from the `properties.userId` field.
properties.userPrincipalName	read_only_udm.target.user.userid	The value is directly mapped from the `properties.userPrincipalName` field if it does not match an email address pattern.
properties.userPrincipalName	read_only_udm.target.user.email_addresses	The value is directly mapped from the `properties.userPrincipalName` field if it matches an email address pattern.
result	read_only_udm.security_result.action	The value is mapped to "ALLOW" if `result` is "success".
result	read_only_udm.security_result.action_details	The value is directly mapped from the `result` field if `result` is "success".
resultDescription	read_only_udm.security_result.description	The value is directly mapped from the `resultDescription` field.
resultSignature	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `resultSignature` field.
resultType	read_only_udm.security_result.action	The value is mapped to "ALLOW" if `resultType` is "0".
resultType	read_only_udm.security_result.rule_id	The value is directly mapped from the `resultType` field if it is not empty and not "0".
resultType	read_only_udm.security_result.summary	The value is mapped to "Successful login occurred" if `resultType` is "0" and "Failed login occurred" otherwise.
resourceDisplayName	read_only_udm.target.application	The value is directly mapped from the `resourceDisplayName` field.
resourceDisplayName	read_only_udm.target.resource.name	The value is directly mapped from the `resourceDisplayName` field.
resourceId	read_only_udm.target.resource.id	The value is directly mapped from the `resourceId` field.
resourceId	read_only_udm.target.resource.product_object_id	The value is directly mapped from the `resourceId` field.
resourceServicePrincipalId	read_only_udm.target.resource.attribute.labels.value	The value is directly mapped from the `resourceServicePrincipalId` field.
riskDetail	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `riskDetail` field.
riskEventTypes	read_only_udm.additional.fields.value.string_value	The value is extracted from the `riskEventTypes` array and mapped to a string value in the `additional.fields` array.
riskEventTypes	read_only_udm.additional.fields.value.list_value.values.string_value	The value is directly mapped from each element of the `riskEventTypes` array.
riskEventTypes_v2	read_only_udm.additional.fields.value.list_value.values.string_value	The value is directly mapped from each element of the `riskEventTypes_v2` array.
riskLevelAggregated	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `riskLevelAggregated` field.
riskLevelDuringSignIn	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `riskLevelDuringSignIn` field.
riskState	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `riskState` field.
status.additionalDetails	read_only_udm.security_result.description	The value is directly mapped from the `status.additionalDetails` field.
status.errorCode	read_only_udm.security_result.action	The value is mapped to "ALLOW" if `status.errorCode` is "0".
status.errorCode	read_only_udm.security_result.rule_id	The value is directly mapped from the `status.errorCode` field if it is not empty.
status.errorCode	read_only_udm.security_result.summary	The value is mapped to "Successful login occurred" if `status.errorCode` is "0" and "Failed login occurred" otherwise.
status.failureReason	read_only_udm.additional.fields.value.string_value	The value is directly mapped from the `status.failureReason` field.
targetResources.displayName	read_only_udm.target.resource.name	The value is directly mapped from the `targetResources.displayName` field.
targetResources.id	read_only_udm.target.resource.id	The value is directly mapped from the `targetResources.id` field.
targetResources.id	read_only_udm.target.resource.product_object_id	The value is directly mapped from the `targetResources.id` field.
targetResources.modifiedProperties.displayName	read_only_udm.target.resource.attribute.labels.key	The value is directly mapped from the `targetResources.modifiedProperties.displayName` field.
targetResources.modifiedProperties.newValue	read_only_udm.target.resource.attribute.labels.value	The value is directly mapped from the `targetResources.modifiedProperties.newValue` field after removing double quotes.
targetResources.modifiedProperties.oldValue	read_only_udm.target.resource.attribute.labels.value	The value is directly mapped from the `targetResources.modifiedProperties.oldValue` field.
targetResources.type	read_only_udm.target.resource.type	The value is directly mapped from the `targetResources.type` field.
targetResources.userPrincipalName	read_only_udm.target.user.user_display_name	The value is directly mapped from the `targetResources.userPrincipalName` field.
tenantId	read_only_udm.metadata.product_deployment_id	The value is directly mapped from the `tenantId` field.
time	read_only_udm.metadata.event_timestamp.seconds	The value is extracted from the `time` field and converted to seconds since epoch.
userAgent	read_only_udm.network.http.parsed_user_agent	The value is directly mapped from the `userAgent` field and converted to a parsed user agent object.
userAgent	read_only_udm.network.http.user_agent	The value is directly mapped from the `userAgent` field.
userDisplayName	read_only_udm.target.user.user_display_name	The value is directly mapped from the `userDisplayName` field if it is different from `userId` and does not match an email address pattern.
userPrincipalName	read_only_udm.principal.administrative_domain	The domain part of the email address is extracted from the `userPrincipalName` field using a grok pattern and mapped to the `principal.administrative_domain` field.
userPrincipalName	read_only_udm.target.user.email_addresses	The value is directly mapped from the `userPrincipalName` field if it matches an email address pattern.
userPrincipalName	read_only_udm.target.user.userid	The value is directly mapped from the `userPrincipalName` field if it does not match an email address pattern.
userId	read_only_udm.target.user.product_object_id	The value is directly mapped from the `userId` field.
read_only_udm.metadata.log_type	AZURE_AD	This value is hardcoded in the parser.
read_only_udm.metadata.vendor_name	Microsoft	This value is hardcoded in the parser.
read_only_udm.metadata.product_name	Azure AD	This value is hardcoded in the parser.
read_only_udm.extensions.auth.type	SSO	This value is hardcoded in the parser.

Need more help? Get answers from Community members and Google SecOps professionals.