Console
    Start free

    Collect Microsoft Azure AD logs

    Supported in:

    This document describes how you can collect Microsoft Azure Active Directory (AD) logs by setting up a Google Security Operations feed.

    Azure Active Directory ( AZURE_AD ) is now called Microsoft Entra ID. Azure AD audit logs ( AZURE_AD_AUDIT ) are now Microsoft Entra ID audit logs.

    For more information, see Data ingestion to Google Security Operations .

    An ingestion label identifies the parser which normalizes raw log data to structured UDM format.

    Before you begin

    Ensure you have the following prerequisites:

    • An Azure subscription that you can sign in to
    • A global administrator or Azure AD administrator role
    • An Azure AD (tenant) in Azure

    How to configure Azure AD

    1. Sign in to the Azure portal.
    2. Go to Home > App registration, select a registered application or register an application if you haven't created an application yet.
    3. To register an application, in the App registrationsection, click New registration.
    4. In the Namefield, provide the display name for your application.
    5. In the Supported account typessection, select the required option to specify who can use the application or access the API.
    6. Click Register.
    7. Go to the Overviewpage and copy the application (client) ID and the directory (tenant) ID, which are required to configure the Google Security Operations feed.
    8. Click API permissions.
    9. Click Add a permission, and then select Microsoft Graphin the new pane.
    10. Click Application permissions.
    11. Select AuditLog.Read.All, Directory.Read.All, and SecurityEvents.Read.Allpermissions. Ensure that the permissions are Application permissionsand not Delegated permissions.
    12. Click Grant admin consent for default directory. Applications are authorized to call APIs when they are granted permissions by users or administrators as part of the consent process.
    13. Go to Settings > Manage.
    14. Click Certificates and secrets.
    15. Click New client secret. In the Valuefield, the client secret appears.
    16. Copy the client secret value. The value is displayed only at the time of creation and it is required for the Azure app registration and to configure the Google Security Operations feed.

    Set up feeds

    There are two different entry points to set up feeds in the Google SecOps platform:

    • SIEM Settings > Feeds > Add New Feed
    • Content Hub > Content Packs > Get Started

    How to set up the Microsoft Entra ID (Azure AD) feed

    1. Click the Azure Platformpack.
    2. Locate the Azure ADlog type.

    3. Specify values for the following fields:

      • Source Type: Third party API (recommended)
      • OAUTH client ID: Specify the client ID that you obtained previously.
      • OAUTH client secret: Specify the client secret that you obtained previously.
      • Tenant ID: Specify the tenant ID that you obtained previously.
      • API Full path: Microsoft Graph REST API endpoint URL.
      • API Authentication Endpoint: Microsoft Active Directory Authentication Endpoint.

      Advanced Options

      • Feed Name: A prepopulated value that identifies the feed.
      • Asset Namespace: Namespace associated with the feed .
      • Ingestion Labels: Labels applied to all events from this feed.

    4. Click Create feed.

    For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product .

    For more information about Google Security Operations feeds, see Google Security Operations feeds documentation . For information about requirements for each feed type, see Feed configuration by type .

    Field mapping reference

    This parser code transforms raw Azure AD logs in JSON format into a unified data model (UDM). It first normalizes the data by removing unnecessary fields and then extracts relevant information like user details, timestamps, and event specifics, mapping them to corresponding UDM fields for consistent representation and analysis.

    UDM mapping table

    Log Field UDM Mapping Logic
    activityDateTime
    		 read_only_udm.metadata.event_timestamp.seconds The value is extracted from the activityDateTime field and converted to seconds since epoch.
    activityDisplayName
    		 read_only_udm.security_result.summary The value is directly mapped from the activityDisplayName field.
    additionalDetails.0.value
    		 read_only_udm.network.http.user_agent The value is directly mapped from the additionalDetails.0.value field.
    additionalDetails.1.key
    		 read_only_udm.target.resource.attribute.labels.key The value is directly mapped from the additionalDetails.1.key field.
    additionalDetails.1.value
    		 read_only_udm.target.resource.attribute.labels.value The value is directly mapped from the additionalDetails.1.value field.
    am_category
    		 read_only_udm.metadata.description The value is directly mapped from the am_category field.
    am_tenantId
    		 read_only_udm.metadata.product_deployment_id The value is directly mapped from the am_tenantId field.
    appDisplayName
    		 read_only_udm.target.application The value is directly mapped from the appDisplayName field. If appDisplayName is empty, the value is taken from resourceDisplayName .
    appId
    		 read_only_udm.target.resource.attribute.labels.value The value is directly mapped from the appId field.
    appliedConditionalAccessPolicies.displayName
    		 read_only_udm.about.user.user_display_name The value is directly mapped from the appliedConditionalAccessPolicies.displayName field.
    appliedConditionalAccessPolicies.enforcedGrantControls
    		 read_only_udm.security_result.rule_labels.value The value is directly mapped from the appliedConditionalAccessPolicies.enforcedGrantControls field.
    appliedConditionalAccessPolicies.enforcedSessionControls
    		 read_only_udm.security_result.rule_labels.value The value is directly mapped from the appliedConditionalAccessPolicies.enforcedSessionControls field.
    appliedConditionalAccessPolicies.id
    		 read_only_udm.about.user.userid The value is directly mapped from the appliedConditionalAccessPolicies.id field.
    appliedConditionalAccessPolicies.result
    		 read_only_udm.about.labels.value The value is directly mapped from the appliedConditionalAccessPolicies.result field.
    authenticationDetails.authenticationMethod
    		 read_only_udm.security_result.detection_fields.value The value is directly mapped from the authenticationDetails.authenticationMethod field.
    authenticationDetails.authenticationMethodDetail
    		 read_only_udm.security_result.detection_fields.value The value is directly mapped from the authenticationDetails.authenticationMethodDetail field.
    authenticationDetails.authenticationStepDateTime
    		 read_only_udm.security_result.detection_fields.value The value is directly mapped from the authenticationDetails.authenticationStepDateTime field.
    authenticationDetails.authenticationStepRequirement
    		 read_only_udm.security_result.detection_fields.value The value is directly mapped from the authenticationDetails.authenticationStepRequirement field.
    authenticationDetails.authenticationStepResultDetail
    		 read_only_udm.security_result.detection_fields.value The value is directly mapped from the authenticationDetails.authenticationStepResultDetail field.
    authenticationProcessingDetails.key
    		 read_only_udm.additional.fields.key The value is directly mapped from the authenticationProcessingDetails.key field, prefixed with "authenticationProcessingDetails - ".
    authenticationProcessingDetails.value
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the authenticationProcessingDetails.value field.
    callerIpAddress
    		 read_only_udm.principal.ip The value is directly mapped from the callerIpAddress field.
    callerIpAddress
    		 read_only_udm.principal.asset.ip The value is directly mapped from the callerIpAddress field.
    category
    		 read_only_udm.metadata.description The value is directly mapped from the category field.
    clientAppUsed
    		 read_only_udm.principal.application The value is directly mapped from the clientAppUsed field.
    conditionalAccessStatus
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the conditionalAccessStatus field.
    correlationId
    		 read_only_udm.network.session_id The value is directly mapped from the correlationId field.
    correlationId
    		 read_only_udm.security_result.detection_fields.value The value is directly mapped from the correlationId field.
    createdDateTime
    		 read_only_udm.metadata.event_timestamp.seconds The value is extracted from the createdDateTime field and converted to seconds since epoch.
    deviceDetail.browser
    		 read_only_udm.network.http.user_agent The value is directly mapped from the deviceDetail.browser field.
    deviceDetail.deviceId
    		 read_only_udm.principal.asset.asset_id The value is directly mapped from the deviceDetail.deviceId field, prefixed with "Device ID:".
    deviceDetail.deviceId
    		 read_only_udm.principal.asset_id The value is directly mapped from the deviceDetail.deviceId field, prefixed with "Device ID:".
    deviceDetail.displayName
    		 read_only_udm.principal.asset.hostname The value is directly mapped from the deviceDetail.displayName field.
    deviceDetail.isCompliant
    		 read_only_udm.principal.asset.attribute.labels.value The value is directly mapped from the deviceDetail.isCompliant field.
    deviceDetail.isManaged
    		 read_only_udm.principal.asset.attribute.labels.value The value is directly mapped from the deviceDetail.isManaged field.
    deviceDetail.operatingSystem
    		 read_only_udm.principal.platform_version The value is directly mapped from the deviceDetail.operatingSystem field.
    deviceDetail.trustType
    		 read_only_udm.principal.asset.attribute.labels.value The value is directly mapped from the deviceDetail.trustType field.
    durationMs
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the durationMs field.
    errorCode
    		 read_only_udm.security_result.rule_id The value is directly mapped from the errorCode field.
    identity
    		 read_only_udm.target.user.user_display_name The value is directly mapped from the identity field if it is different from userId and does not match an email address pattern.
    initiatedBy.user.displayName
    		 read_only_udm.principal.user.user_display_name The value is directly mapped from the initiatedBy.user.displayName field.
    initiatedBy.user.id
    		 read_only_udm.principal.user.userid The value is directly mapped from the initiatedBy.user.id field.
    initiatedBy.user.ipAddress
    		 read_only_udm.principal.ip The value is directly mapped from the initiatedBy.user.ipAddress field.
    initiatedBy.user.ipAddress
    		 read_only_udm.principal.asset.ip The value is directly mapped from the initiatedBy.user.ipAddress field.
    initiatedBy.user.userPrincipalName
    		 read_only_udm.principal.user.email_addresses The value is directly mapped from the initiatedBy.user.userPrincipalName field if it matches an email address pattern.
    ipAddress
    		 read_only_udm.principal.ip The value is extracted from the ipAddress field using a grok pattern to extract the IP address.
    ipAddress
    		 read_only_udm.principal.asset.ip The value is extracted from the ipAddress field using a grok pattern to extract the IP address.
    isInteractive
    		 read_only_udm.extensions.auth.mechanism The value is mapped to "INTERACTIVE" if isInteractive is "true", otherwise it is mapped to "MECHANISM_OTHER".
    isInteractive
    		 read_only_udm.security_result.detection_fields.value The value is directly mapped from the isInteractive field.
    level
    		 read_only_udm.security_result.severity The value is mapped from the level field based on the following logic: * "Information", "Informational", "0", "4" are mapped to "INFORMATIONAL". * "Warning", "1", "3" are mapped to "MEDIUM". * "Error", "2" are mapped to "ERROR". * "Critical", "CRITICAL", "critical" are mapped to "CRITICAL".
    level
    		 read_only_udm.security_result.severity_details The value is directly mapped from the level field.
    location.city
    		 read_only_udm.principal.location.city The value is directly mapped from the location.city field.
    location.countryOrRegion
    		 read_only_udm.principal.location.country_or_region The value is directly mapped from the location.countryOrRegion field.
    location.geoCoordinates.latitude
    		 read_only_udm.principal.location.region_coordinates.latitude The value is directly mapped from the location.geoCoordinates.latitude field and converted to a float.
    location.geoCoordinates.latitude
    		 read_only_udm.principal.location.region_latitude The value is directly mapped from the location.geoCoordinates.latitude field and converted to a float.
    location.geoCoordinates.longitude
    		 read_only_udm.principal.location.region_coordinates.longitude The value is directly mapped from the location.geoCoordinates.longitude field and converted to a float.
    location.geoCoordinates.longitude
    		 read_only_udm.principal.location.region_longitude The value is directly mapped from the location.geoCoordinates.longitude field and converted to a float.
    location.state
    		 read_only_udm.principal.location.state The value is directly mapped from the location.state field.
    networkLocationDetails.networkNames
    		 read_only_udm.additional.fields.value.string_value The value is generated by concatenating all values from the networkLocationDetails.networkNames array, separated by commas.
    networkLocationDetails.networkType
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the networkLocationDetails.networkType field.
    networkLocationDetails.networkType
    		 read_only_udm.security_result.detection_fields.value The value is directly mapped from the networkLocationDetails.networkType field.
    operationName
    		 read_only_udm.metadata.event_type The value is mapped to "USER_LOGIN" if operationName is "Sign-in activity", "USER_CHANGE_PERMISSIONS" if operationName is "Add member to group", and "USER_RESOURCE_UPDATE_PERMISSIONS" if operationName is "Add app role assignment to service principal". Otherwise, the value is determined based on the presence of other fields: * "USER_LOGIN" if has_target_user is "true". * "USER_UNCATEGORIZED" if has_principal_user is "true". * "STATUS_UPDATE" if has_principal is "true". * "GENERIC_EVENT" otherwise.
    operationType
    		 read_only_udm.security_result.action_details The value is directly mapped from the operationType field.
    properties.activity
    		 read_only_udm.security_result.summary The value is directly mapped from the properties.activity field.
    properties.activityDateTime
    		 read_only_udm.metadata.event_timestamp.seconds The value is extracted from the properties.activityDateTime field and converted to seconds since epoch.
    properties.additionalInfo
    		 read_only_udm.network.http.user_agent The value is extracted from the properties.additionalInfo field by parsing the JSON string and extracting the value corresponding to the key "userAgent".
    properties.additionalInfo
    		 read_only_udm.target.url The value is extracted from the properties.additionalInfo field by parsing the JSON string and extracting the value corresponding to the key "alertUrl".
    properties.appId
    		 read_only_udm.target.resource.attribute.labels.value The value is directly mapped from the properties.appId field.
    properties.appDisplayName
    		 read_only_udm.target.application The value is directly mapped from the properties.appDisplayName field.
    properties.appliedConditionalAccessPolicies.displayName
    		 read_only_udm.security_result.rule_name The value is directly mapped from the properties.appliedConditionalAccessPolicies.displayName field.
    properties.appliedConditionalAccessPolicies.id
    		 read_only_udm.security_result.rule_id The value is directly mapped from the properties.appliedConditionalAccessPolicies.id field.
    properties.appliedConditionalAccessPolicies.result
    		 read_only_udm.security_result.detection_fields.value The value is directly mapped from the properties.appliedConditionalAccessPolicies.result field.
    properties.authenticationDetails.authenticationMethod
    		 read_only_udm.security_result.detection_fields.value The value is directly mapped from the properties.authenticationDetails.authenticationMethod field.
    properties.authenticationDetails.authenticationMethodDetail
    		 read_only_udm.security_result.detection_fields.value The value is directly mapped from the properties.authenticationDetails.authenticationMethodDetail field.
    properties.authenticationDetails.authenticationStepDateTime
    		 read_only_udm.security_result.detection_fields.value The value is directly mapped from the properties.authenticationDetails.authenticationStepDateTime field.
    properties.authenticationDetails.authenticationStepRequirement
    		 read_only_udm.security_result.detection_fields.value The value is directly mapped from the properties.authenticationDetails.authenticationStepRequirement field.
    properties.authenticationDetails.authenticationStepResultDetail
    		 read_only_udm.security_result.detection_fields.value The value is directly mapped from the properties.authenticationDetails.authenticationStepResultDetail field.
    properties.authenticationProcessingDetails.key
    		 read_only_udm.additional.fields.key The value is directly mapped from the properties.authenticationProcessingDetails.key field, prefixed with "properties authenticationProcessingDetails - ".
    properties.authenticationProcessingDetails.value
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.authenticationProcessingDetails.value field.
    properties.authenticationRequirement
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.authenticationRequirement field.
    properties.authenticationRequirementPolicies.detail
    		 read_only_udm.security_result.detection_fields.value The value is directly mapped from the properties.authenticationRequirementPolicies.detail field.
    properties.authenticationRequirementPolicies.requirementProvider
    		 read_only_udm.security_result.detection_fields.value The value is directly mapped from the properties.authenticationRequirementPolicies.requirementProvider field.
    properties.clientAppUsed
    		 read_only_udm.principal.application The value is directly mapped from the properties.clientAppUsed field.
    properties.conditionalAccessStatus
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.conditionalAccessStatus field.
    properties.createdDateTime
    		 read_only_udm.metadata.event_timestamp.seconds The value is extracted from the properties.createdDateTime field and converted to seconds since epoch.
    properties.crossTenantAccessType
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.crossTenantAccessType field.
    properties.detectedDateTime
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.detectedDateTime field.
    properties.detectionTimingType
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.detectionTimingType field.
    properties.homeTenantId
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.homeTenantId field.
    properties.id
    		 read_only_udm.metadata.product_log_id The value is directly mapped from the properties.id field.
    properties.initiatedBy.user.displayName
    		 read_only_udm.principal.user.user_display_name The value is directly mapped from the properties.initiatedBy.user.displayName field.
    properties.initiatedBy.user.id
    		 read_only_udm.principal.user.windows_sid The value is directly mapped from the properties.initiatedBy.user.id field.
    properties.initiatedBy.user.ipAddress
    		 read_only_udm.principal.ip The value is directly mapped from the properties.initiatedBy.user.ipAddress field.
    properties.initiatedBy.user.ipAddress
    		 read_only_udm.principal.asset.ip The value is directly mapped from the properties.initiatedBy.user.ipAddress field.
    properties.initiatedBy.user.userPrincipalName
    		 read_only_udm.principal.user.userid The value is directly mapped from the properties.initiatedBy.user.userPrincipalName field if it does not match an email address pattern.
    properties.initiatedBy.user.userPrincipalName
    		 read_only_udm.principal.user.email_addresses The value is directly mapped from the properties.initiatedBy.user.userPrincipalName field if it matches an email address pattern.
    properties.ipAddress
    		 read_only_udm.principal.ip The value is extracted from the properties.ipAddress field using a grok pattern to extract the IP address.
    properties.ipAddress
    		 read_only_udm.principal.asset.ip The value is extracted from the properties.ipAddress field using a grok pattern to extract the IP address.
    properties.isGuest
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.isGuest field.
    properties.isDeleted
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.isDeleted field.
    properties.isProcessing
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.isProcessing field.
    properties.lastUpdatedDateTime
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.lastUpdatedDateTime field.
    properties.location.city
    		 read_only_udm.principal.location.city The value is directly mapped from the properties.location.city field.
    properties.location.countryOrRegion
    		 read_only_udm.principal.location.country_or_region The value is directly mapped from the properties.location.countryOrRegion field.
    properties.location.geoCoordinates.latitude
    		 read_only_udm.principal.location.region_coordinates.latitude The value is directly mapped from the properties.location.geoCoordinates.latitude field and converted to a float.
    properties.location.geoCoordinates.latitude
    		 read_only_udm.principal.location.region_latitude The value is directly mapped from the properties.location.geoCoordinates.latitude field and converted to a float.
    properties.location.geoCoordinates.longitude
    		 read_only_udm.principal.location.region_coordinates.longitude The value is directly mapped from the properties.location.geoCoordinates.longitude field and converted to a float.
    properties.location.geoCoordinates.longitude
    		 read_only_udm.principal.location.region_longitude The value is directly mapped from the properties.location.geoCoordinates.longitude field and converted to a float.
    properties.location.state
    		 read_only_udm.principal.location.state The value is directly mapped from the properties.location.state field.
    properties.networkLocationDetails.networkNames
    		 read_only_udm.additional.fields.value.string_value The value is generated by concatenating all values from the properties.networkLocationDetails.networkNames array, separated by commas.
    properties.networkLocationDetails.networkType
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.networkLocationDetails.networkType field.
    properties.networkLocationDetails.networkType
    		 read_only_udm.security_result.detection_fields.value The value is directly mapped from the properties.networkLocationDetails.networkType field.
    properties.resourceServicePrincipalId
    		 read_only_udm.target.resource.attribute.labels.value The value is directly mapped from the properties.resourceServicePrincipalId field.
    properties.riskDetail
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.riskDetail field.
    properties.riskEventType
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.riskEventType field.
    properties.riskLastUpdatedDateTime
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.riskLastUpdatedDateTime field.
    properties.riskLevel
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.riskLevel field.
    properties.riskLevelDuringSignIn
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.riskLevelDuringSignIn field.
    properties.riskState
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.riskState field.
    properties.riskType
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.riskType field.
    properties.source
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.source field.
    properties.targetResources.0.id
    		 read_only_udm.target.user.product_object_id The value is directly mapped from the properties.targetResources.0.id field.
    properties.targetResources.modifiedProperties.0.newValue
    		 read_only_udm.target.group.product_object_id The value is directly mapped from the properties.targetResources.modifiedProperties.0.newValue field.
    properties.tokenIssuerType
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the properties.tokenIssuerType field.
    properties.userAgent
    		 read_only_udm.network.http.parsed_user_agent The value is directly mapped from the properties.userAgent field and converted to a parsed user agent object.
    properties.userAgent
    		 read_only_udm.network.http.user_agent The value is directly mapped from the properties.userAgent field.
    properties.userId
    		 read_only_udm.target.user.product_object_id The value is directly mapped from the properties.userId field.
    properties.userPrincipalName
    		 read_only_udm.target.user.userid The value is directly mapped from the properties.userPrincipalName field if it does not match an email address pattern.
    properties.userPrincipalName
    		 read_only_udm.target.user.email_addresses The value is directly mapped from the properties.userPrincipalName field if it matches an email address pattern.
    result
    		 read_only_udm.security_result.action The value is mapped to "ALLOW" if result is "success".
    result
    		 read_only_udm.security_result.action_details The value is directly mapped from the result field if result is "success".
    resultDescription
    		 read_only_udm.security_result.description The value is directly mapped from the resultDescription field.
    resultSignature
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the resultSignature field.
    resultType
    		 read_only_udm.security_result.action The value is mapped to "ALLOW" if resultType is "0".
    resultType
    		 read_only_udm.security_result.rule_id The value is directly mapped from the resultType field if it is not empty and not "0".
    resultType
    		 read_only_udm.security_result.summary The value is mapped to "Successful login occurred" if resultType is "0" and "Failed login occurred" otherwise.
    resourceDisplayName
    		 read_only_udm.target.application The value is directly mapped from the resourceDisplayName field.
    resourceDisplayName
    		 read_only_udm.target.resource.name The value is directly mapped from the resourceDisplayName field.
    resourceId
    		 read_only_udm.target.resource.id The value is directly mapped from the resourceId field.
    resourceId
    		 read_only_udm.target.resource.product_object_id The value is directly mapped from the resourceId field.
    resourceServicePrincipalId
    		 read_only_udm.target.resource.attribute.labels.value The value is directly mapped from the resourceServicePrincipalId field.
    riskDetail
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the riskDetail field.
    riskEventTypes
    		 read_only_udm.additional.fields.value.string_value The value is extracted from the riskEventTypes array and mapped to a string value in the additional.fields array.
    riskEventTypes
    		 read_only_udm.additional.fields.value.list_value.values.string_value The value is directly mapped from each element of the riskEventTypes array.
    riskEventTypes_v2
    		 read_only_udm.additional.fields.value.list_value.values.string_value The value is directly mapped from each element of the riskEventTypes_v2 array.
    riskLevelAggregated
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the riskLevelAggregated field.
    riskLevelDuringSignIn
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the riskLevelDuringSignIn field.
    riskState
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the riskState field.
    status.additionalDetails
    		 read_only_udm.security_result.description The value is directly mapped from the status.additionalDetails field.
    status.errorCode
    		 read_only_udm.security_result.action The value is mapped to "ALLOW" if status.errorCode is "0".
    status.errorCode
    		 read_only_udm.security_result.rule_id The value is directly mapped from the status.errorCode field if it is not empty.
    status.errorCode
    		 read_only_udm.security_result.summary The value is mapped to "Successful login occurred" if status.errorCode is "0" and "Failed login occurred" otherwise.
    status.failureReason
    		 read_only_udm.additional.fields.value.string_value The value is directly mapped from the status.failureReason field.
    targetResources.displayName
    		 read_only_udm.target.resource.name The value is directly mapped from the targetResources.displayName field.
    targetResources.id
    		 read_only_udm.target.resource.id The value is directly mapped from the targetResources.id field.
    targetResources.id
    		 read_only_udm.target.resource.product_object_id The value is directly mapped from the targetResources.id field.
    targetResources.modifiedProperties.displayName
    		 read_only_udm.target.resource.attribute.labels.key The value is directly mapped from the targetResources.modifiedProperties.displayName field.
    targetResources.modifiedProperties.newValue
    		 read_only_udm.target.resource.attribute.labels.value The value is directly mapped from the targetResources.modifiedProperties.newValue field after removing double quotes.
    targetResources.modifiedProperties.oldValue
    		 read_only_udm.target.resource.attribute.labels.value The value is directly mapped from the targetResources.modifiedProperties.oldValue field.
    targetResources.type
    		 read_only_udm.target.resource.type The value is directly mapped from the targetResources.type field.
    targetResources.userPrincipalName
    		 read_only_udm.target.user.user_display_name The value is directly mapped from the targetResources.userPrincipalName field.
    tenantId
    		 read_only_udm.metadata.product_deployment_id The value is directly mapped from the tenantId field.
    time
    		 read_only_udm.metadata.event_timestamp.seconds The value is extracted from the time field and converted to seconds since epoch.
    userAgent
    		 read_only_udm.network.http.parsed_user_agent The value is directly mapped from the userAgent field and converted to a parsed user agent object.
    userAgent
    		 read_only_udm.network.http.user_agent The value is directly mapped from the userAgent field.
    userDisplayName
    		 read_only_udm.target.user.user_display_name The value is directly mapped from the userDisplayName field if it is different from userId and does not match an email address pattern.
    userPrincipalName
    		 read_only_udm.principal.administrative_domain The domain part of the email address is extracted from the userPrincipalName field using a grok pattern and mapped to the principal.administrative_domain field.
    userPrincipalName
    		 read_only_udm.target.user.email_addresses The value is directly mapped from the userPrincipalName field if it matches an email address pattern.
    userPrincipalName
    		 read_only_udm.target.user.userid The value is directly mapped from the userPrincipalName field if it does not match an email address pattern.
    userId
    		 read_only_udm.target.user.product_object_id The value is directly mapped from the userId field.
    read_only_udm.metadata.log_type
    		 AZURE_AD This value is hardcoded in the parser.
    read_only_udm.metadata.vendor_name
    		 Microsoft This value is hardcoded in the parser.
    read_only_udm.metadata.product_name
    		 Azure AD This value is hardcoded in the parser.
    read_only_udm.extensions.auth.type
    		 SSO This value is hardcoded in the parser.

    Need more help? Get answers from Community members and Google SecOps professionals.

    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: