Collect Microsoft Azure Activity and Entra ID logs

Supported in:

Google secops SIEM

This document describes the steps required to ingest Microsoft Azure activity logs (AZURE_ACTIVITY) into Google Security Operations.

Configure a Storage Account

Complete the following steps to configure a Storage account:

In the Azure console, search for Storage accounts.
Click Create.
Select the Subscription, Resource Group, region, performance (recommend Standard), and Redundancy (recommend GRS or LRS) needed for the account, enter a name for the new Storage Account.
Click Review + create, review the overview of the account and click Create.
On the Storage Account Overview page, select Access keys from the left navigation of the window.
Click Show keys and make a note of the shared key for the storage account.
Select Endpoints from the left navigation of the window.
Make a note of the Blob service endpoint. (https://<storageaccountname>.blob.core.windows.net/)

Configure Azure activity logging

Complete the following steps to configure Azure activity logging:

In the Azure console, search for Monitor.
Click the Activity log link in the left navigation of the page.
Click the Export Activity Logs at the top of the window.
Click Add diagnostic Setting.
Select all the categories you want to export to Google SecOps.
Under Destination details select Archive to a storage account.
Select the subscription and storage account you created in the previous step.
Click Save.

How to set up the Microsoft Azure activity feed

Go to SIEM Settings > Feeds.
Click + Add New Feed.
In the Feed name field, enter a suitable name.
Select Microsoft Azure Blob Storage V2 as the Source type.
Select Microsoft Azure Activity as the Log type.
Click Next.
Specify values for the following fields:
- Azure URI: enter the Blob Service endpoint value you recorded earlier, suffixed with insights-activity-logs (for example, https://acme-azure-chronicle.blob.core.windows.net/insights-activity-logs)
- Source Deletion Option: specify whether to delete files and directories after transferring.
- Maximum File Age: Includes files modified in the last number of days. Default is 180 days.
- Shared key: enter the shared key value you captured earlier.
Advanced options - Asset Namespace: Namespace associated with the feed. - Ingestion Labels: Labels applied to all events from this feed.
Click Create feed.

Field mapping reference

This parser code first initializes a large number of fields to empty strings, then performs a series of string manipulations and JSON parsing operations to extract relevant information from the Azure Activity log message. Finally, it maps the extracted data to the Unified Data Model (UDM) fields, categorizing the event type and enriching it with additional details like severity, principal information, and network data.

UDM Mapping Table

Log Field	UDM Mapping	Logic
category	`read_only_udm.security_result.category_details`	Directly mapped from the "category" field in the raw log.
callerIpAddress	`read_only_udm.principal.asset.ip`, `read_only_udm.principal.ip`	Directly mapped from the "callerIpAddress" field in the raw log.
correlationId	`read_only_udm.security_result.detection_fields.correlationId`	Directly mapped from the "correlationId" field in the raw log.
data.callerIpAddress	`read_only_udm.principal.asset.ip`, `read_only_udm.principal.ip`	Directly mapped from the "callerIpAddress" field within the "data" object in the raw log.
data.correlationId	`read_only_udm.security_result.detection_fields.correlationId`	Directly mapped from the "correlationId" field within the "data" object in the raw log.
data.DeploymentUnit	`read_only_udm.target.resource.name`	Directly mapped from the "DeploymentUnit" field within the "data" object in the raw log.
data.details	`read_only_udm.metadata.description`	Directly mapped from the "details" field within the "data" object in the raw log, only if the "details" field is not "Unknown".
data.entity	`read_only_udm.additional.fields.entity`	Directly mapped from the "entity" field within the "data" object in the raw log.
data.EventName	`read_only_udm.metadata.product_event_type`	Directly mapped from the "EventName" field within the "data" object in the raw log.
data.hierarchy	`read_only_udm.additional.fields.hierarchy`	Directly mapped from the "hierarchy" field within the "data" object in the raw log.
data.identity.authorization.action	`read_only_udm.security_result.detection_fields.action`	Directly mapped from the "action" field within the "authorization" object of the "identity" object in the raw log.
data.identity.authorization.evidence.principalId	`read_only_udm.principal.user.product_object_id`, `read_only_udm.principal.resource.product_object_id`, `read_only_udm.principal.group.product_object_id`	Directly mapped from the "principalId" field within the "evidence" object of the "authorization" object of the "identity" object in the raw log. The specific UDM field it maps to depends on the value of the "principalType" field. If "principalType" is "User" or "ServicePrincipal", it maps to `principal.user.product_object_id`. If "principalType" is "Group", it maps to `principal.group.product_object_id`. If "principalType" is "ServicePrincipal", it maps to `principal.resource.product_object_id`.
data.identity.authorization.evidence.principalType	`read_only_udm.principal.resource.resource_subtype`	Directly mapped from the "principalType" field within the "evidence" object of the "authorization" object of the "identity" object in the raw log.
data.identity.authorization.evidence.role	`read_only_udm.principal.user.role_name`	Directly mapped from the "role" field within the "evidence" object of the "authorization" object of the "identity" object in the raw log.
data.identity.authorization.evidence.roleAssignmentId	`read_only_udm.principal.resource.attribute.labels.roleAssignmentId`	Directly mapped from the "roleAssignmentId" field within the "evidence" object of the "authorization" object of the "identity" object in the raw log.
data.identity.authorization.evidence.roleAssignmentScope	`read_only_udm.principal.resource.attribute.labels.roleAssignmentScope`	Directly mapped from the "roleAssignmentScope" field within the "evidence" object of the "authorization" object of the "identity" object in the raw log.
data.identity.authorization.evidence.roleDefinitionId	`read_only_udm.principal.resource.attribute.labels.roleDefinitionId`	Directly mapped from the "roleDefinitionId" field within the "evidence" object of the "authorization" object of the "identity" object in the raw log.
data.identity.authorization.scope	`read_only_udm.security_result.detection_fields.scope`	Directly mapped from the "scope" field within the "authorization" object of the "identity" object in the raw log.
data.identity.claims.aio	`read_only_udm.security_result.detection_fields.aio`	Directly mapped from the "aio" field within the "claims" object of the "identity" object in the raw log.
data.identity.claims.appid	`read_only_udm.security_result.detection_fields.appid`	Directly mapped from the "appid" field within the "claims" object of the "identity" object in the raw log.
data.identity.claims.appidacr	`read_only_udm.security_result.detection_fields.appidacr`	Directly mapped from the "appidacr" field within the "claims" object of the "identity" object in the raw log.
data.identity.claims.aud	`read_only_udm.security_result.detection_fields.aud`	Directly mapped from the "aud" field within the "claims" object of the "identity" object in the raw log.
data.identity.claims.exp	`read_only_udm.security_result.detection_fields.exp`	Directly mapped from the "exp" field within the "claims" object of the "identity" object in the raw log.
data.identity.claims.`http://schemas.microsoft.com/identity/claims/identityprovider`	`read_only_udm.security_result.detection_fields.identityprovider`	Directly mapped from the "http://schemas.microsoft.com/identity/claims/identityprovider" field within the "claims" object of the "identity" object in the raw log.
data.identity.claims.`http://schemas.microsoft.com/identity/claims/objectidentifier`	`read_only_udm.security_result.detection_fields.objectidentifier`	Directly mapped from the "http://schemas.microsoft.com/identity/claims/objectidentifier" field within the "claims" object of the "identity" object in the raw log.
data.identity.claims.`http://schemas.microsoft.com/identity/claims/tenantid`	`read_only_udm.security_result.detection_fields.tenantid`	Directly mapped from the "http://schemas.microsoft.com/identity/claims/tenantid" field within the "claims" object of the "identity" object in the raw log.
data.identity.claims.`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier`	`read_only_udm.security_result.detection_fields.nameidentifier`	Directly mapped from the "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" field within the "claims" object of the "identity" object in the raw log.
data.identity.claims.iat	`read_only_udm.security_result.detection_fields.iat`	Directly mapped from the "iat" field within the "claims" object of the "identity" object in the raw log.
data.identity.claims.iss	`read_only_udm.security_result.detection_fields.iss`	Directly mapped from the "iss" field within the "claims" object of the "identity" object in the raw log.
data.identity.claims.nbf	`read_only_udm.security_result.detection_fields.nbf`	Directly mapped from the "nbf" field within the "claims" object of the "identity" object in the raw log.
data.identity.claims.rh	`read_only_udm.security_result.detection_fields.rh`	Directly mapped from the "rh" field within the "claims" object of the "identity" object in the raw log.
data.identity.claims.uti	`read_only_udm.security_result.detection_fields.uti`	Directly mapped from the "uti" field within the "claims" object of the "identity" object in the raw log.
data.identity.claims.ver	`read_only_udm.security_result.detection_fields.ver`	Directly mapped from the "ver" field within the "claims" object of the "identity" object in the raw log.
data.identity.claims.xms_tcdt	`read_only_udm.security_result.detection_fields.xms_tcdt`	Directly mapped from the "xms_tcdt" field within the "claims" object of the "identity" object in the raw log.
data.identity.UserName	`read_only_udm.principal.user.user_display_name`	Directly mapped from the "UserName" field within the "identity" object in the raw log.
data.level	`read_only_udm.security_result.severity`, `read_only_udm.security_result.severity_details`	Directly mapped from the "level" field within the "data" object in the raw log. The "level" field is also used to determine the value of the `severity` field. If "level" is "Information" or "Informational", `severity` is set to "INFORMATIONAL". If "level" is "Warning", `severity` is set to "MEDIUM". If "level" is "Error", `severity` is set to "ERROR". If "level" is "Critical", `severity` is set to "CRITICAL".
data.location	`read_only_udm.target.location.name`	Directly mapped from the "location" field within the "data" object in the raw log.
data.operationName	`read_only_udm.metadata.product_event_type`	Directly mapped from the "operationName" field within the "data" object in the raw log.
data.properties.EventChannel	`read_only_udm.additional.fields.properties EventChannel`	Directly mapped from the "EventChannel" field within the "properties" object of the "data" object in the raw log.
data.properties.EventSource	`read_only_udm.additional.fields.properties EventSource`	Directly mapped from the "EventSource" field within the "properties" object of the "data" object in the raw log.
data.properties.EventId	`read_only_udm.metadata.product_log_id`	Directly mapped from the "EventId" field within the "properties" object of the "data" object in the raw log.
data.properties.eventProperties.cause	`read_only_udm.security_result.detection_fields.cause`	Directly mapped from the "cause" field within the "eventProperties" object of the "properties" object of the "data" object in the raw log.
data.properties.eventProperties.clientIPAddress	`read_only_udm.principal.asset.ip`, `read_only_udm.principal.ip`	Directly mapped from the "clientIPAddress" field within the "eventProperties" object of the "properties" object of the "data" object in the raw log.
data.properties.eventProperties.compromisedHost	`read_only_udm.principal.asset.hostname`, `read_only_udm.principal.hostname`	Directly mapped from the "compromisedHost" field within the "eventProperties" object of the "properties" object of the "data" object in the raw log.
data.properties.eventProperties.currentHealthStatus	`read_only_udm.security_result.detection_fields.currentHealthStatus`	Directly mapped from the "currentHealthStatus" field within the "eventProperties" object of the "properties" object of the "data" object in the raw log.
data.properties.eventProperties.previousHealthStatus	`read_only_udm.security_result.detection_fields.previousHealthStatus`	Directly mapped from the "previousHealthStatus" field within the "eventProperties" object of the "properties" object of the "data" object in the raw log.
data.properties.eventProperties.type	`read_only_udm.security_result.detection_fields.type`	Directly mapped from the "type" field within the "eventProperties" object of the "properties" object of the "data" object in the raw log.
data.properties.eventProperties.User	`read_only_udm.principal.user.userid`	Directly mapped from the "User" field within the "eventProperties" object of the "properties" object of the "data" object in the raw log.
data.properties.eventProperties.userName	`read_only_udm.principal.user.user_display_name`	Directly mapped from the "userName" field within the "eventProperties" object of the "properties" object of the "data" object in the raw log, after removing the "SECURE\" prefix.
data.properties.ipAddress	`read_only_udm.principal.asset.ip`, `read_only_udm.principal.ip`	Directly mapped from the "ipAddress" field within the "properties" object of the "data" object in the raw log.
data.properties.legacyChannels	`read_only_udm.security_result.detection_fields.legacyChannels`	Directly mapped from the "legacyChannels" field within the "properties" object of the "data" object in the raw log.
data.properties.legacyEventDataId	`read_only_udm.security_result.detection_fields.legacyEventDataId`	Directly mapped from the "legacyEventDataId" field within the "properties" object of the "data" object in the raw log.
data.properties.legacyResourceId	`read_only_udm.security_result.detection_fields.legacyResourceId`	Directly mapped from the "legacyResourceId" field within the "properties" object of the "data" object in the raw log.
data.properties.legacyResourceGroup	`read_only_udm.security_result.detection_fields.legacyResourceGroup`	Directly mapped from the "legacyResourceGroup" field within the "properties" object of the "data" object in the raw log.
data.properties.legacyResourceProviderName	`read_only_udm.security_result.detection_fields.legacyResourceProviderName`	Directly mapped from the "legacyResourceProviderName" field within the "properties" object of the "data" object in the raw log.
data.properties.legacyResourceType	`read_only_udm.security_result.detection_fields.legacyResourceType`	Directly mapped from the "legacyResourceType" field within the "properties" object of the "data" object in the raw log.
data.properties.legacySubscriptionId	`read_only_udm.security_result.detection_fields.legacySubscriptionId`	Directly mapped from the "legacySubscriptionId" field within the "properties" object of the "data" object in the raw log.
data.properties.operationId	`read_only_udm.security_result.detection_fields.operationId`	Directly mapped from the "operationId" field within the "properties" object of the "data" object in the raw log.
data.properties.result	`read_only_udm.security_result.action_details`	Directly mapped from the "result" field within the "properties" object of the "data" object in the raw log.
data.properties.statusCode	`read_only_udm.network.http.response_code`	Directly mapped from the "statusCode" field within the "properties" object of the "data" object in the raw log.
data.properties.suspiciousCommandLine	`read_only_udm.target.process.command_line`	Directly mapped from the "suspiciousCommandLine" field within the "properties" object of the "data" object in the raw log.
data.properties.suspiciousProcess	`read_only_udm.target.process.file.full_path`	Directly mapped from the "suspiciousProcess" field within the "properties" object of the "data" object in the raw log.
data.properties.suspiciousProcessId	`read_only_udm.target.process.pid`	Directly mapped from the "suspiciousProcessId" field within the "properties" object of the "data" object in the raw log.
data.properties.tlsVersion	`read_only_udm.network.tls.version`	Directly mapped from the "tlsVersion" field within the "properties" object of the "data" object in the raw log.
data.properties.userAgent	`read_only_udm.network.http.user_agent`, `read_only_udm.network.http.parsed_user_agent`	Directly mapped from the "userAgent" field within the "properties" object of the "data" object in the raw log.
data.properties.userAgentHeader	`read_only_udm.network.http.user_agent`, `read_only_udm.network.http.parsed_user_agent`	Directly mapped from the "userAgentHeader" field within the "properties" object of the "data" object in the raw log.
data.properties.userId	`read_only_udm.target.user.product_object_id`	Directly mapped from the "userId" field within the "properties" object of the "data" object in the raw log.
data.ReleaseVersion	`read_only_udm.metadata.product_version`	Directly mapped from the "ReleaseVersion" field within the "data" object in the raw log.
data.resourceId	`read_only_udm.target.resource.name`	Directly mapped from the "resourceId" field within the "data" object in the raw log.
data.resourceType	`read_only_udm.additional.fields.resourceType`	Directly mapped from the "resourceType" field within the "data" object in the raw log.
data.resultDescription	`read_only_udm.metadata.description`	Directly mapped from the "resultDescription" field within the "data" object in the raw log.
data.resultSignature	`read_only_udm.additional.fields.resultSignature`	Directly mapped from the "resultSignature" field within the "data" object in the raw log.
data.resultType	`read_only_udm.security_result.action_details`, `read_only_udm.additional.fields.resultType`	Directly mapped from the "resultType" field within the "data" object in the raw log.
data.RoleLocation	`read_only_udm.target.location.name`	Directly mapped from the "RoleLocation" field within the "data" object in the raw log.
data.time	`read_only_udm.metadata.event_timestamp`	The "time" field within the "data" object in the raw log is parsed to extract the timestamp, which is then mapped to `event_timestamp`.
data.uri	`read_only_udm.network.http.referral_url`	Directly mapped from the "uri" field within the "data" object in the raw log.
`read_only_udm.extensions.auth.mechanism`	`INTERACTIVE`	Set to "INTERACTIVE" if the "isInteractive" field within the "properties" object of the "data" object in the raw log is "true". Otherwise, it is set to "MECHANISM_OTHER".
`read_only_udm.extensions.auth.type`	`MACHINE`	Set to "MACHINE" if the "category" field in the raw log is "NonInteractiveUserSignInLogs", "ManagedIdentitySignInLogs", or "ServicePrincipalSignInLogs".
`read_only_udm.metadata.log_type`	`AZURE_ACTIVITY`	Hardcoded to "AZURE_ACTIVITY".
`read_only_udm.metadata.vendor_name`	`Microsoft`	Hardcoded to "Microsoft".
`read_only_udm.principal.platform`	`WINDOWS`, `MAC`, `LINUX`, `ANDROID`	Determined based on the value of the "properties.test.deviceDetail.operatingSystem" field. If it contains "Win", `platform` is set to "WINDOWS". If it contains "Mac", `platform` is set to "MAC". If it contains "Lin", `platform` is set to "LINUX". If it contains "Android", `platform` is set to "ANDROID".
`read_only_udm.principal.resource.type`	`SERVICE_ACCOUNT`, `UNSPECIFIED`	Determined based on the value of the "identity.authorization.evidence.principalType" field. If it is "ServicePrincipal", `type` is set to "SERVICE_ACCOUNT". Otherwise, it is set to "UNSPECIFIED".
`read_only_udm.security_result.action`	`ALLOW`, `BLOCK`, `UNKNOWN_ACTION`	Determined based on the values of the "resultType", "status_errorcode", and "statusText" fields. If "resultType" is one of "Success", "success", "Succeeded", "Started", "Resolved", "Active", "Updated", "Start", "Accept", "Accepted", "0", or if "status_errorcode" is 0, or if "statusText" is "Success", `action` is set to "ALLOW". If "resultType" is one of "Failure", "Failed", or if "status_errorcode" is not empty, or if "resultType" is not empty, `action` is set to "BLOCK". Otherwise, it is set to "UNKNOWN_ACTION".
`read_only_udm.target.cloud.environment`	`MICROSOFT_AZURE`	Hardcoded to "MICROSOFT_AZURE".

This document explains how to collect Microsoft Azure Activity and Entra ID logs by setting up Google Security Operations feeds using Microsoft Azure Blob Storage.

Azure Activity logs provide insight into subscription-level operations performed on Azure resources, such as creating storage accounts, deleting event hubs, or modifying virtual machines. Microsoft Entra ID (formerly Azure Active Directory) logs capture identity and access management events, including user sign-ins, audit logs, provisioning activities, and security risk detections.

Before you begin

Ensure that you have the following prerequisites:

A Google SecOps instance
Privileged access to Microsoft Azure portal with permissions to:
- Create Storage Accounts
- Configure Diagnostic Settings for Azure Monitor and Entra ID
- Manage access keys
Security Administrator role or higher in Entra ID for Entra ID diagnostic settings

Configure Azure Storage Account

Before you can ingest logs, you must set up an Azure Storage account to host your data. This process involves creating the account, retrieving authentication keys, and identifying the service endpoint required for integration.

Create Storage Account

In the Azure portal, search for Storage accounts.
Click + Create.

Provide the following configuration details:

Setting	Value
Subscription	Select your Azure subscription
Resource group	Select existing or create new
Storage account name	Enter a unique name (for example, `secops-azure-logs`)
Region	Select the region (for example, `East US`)
Performance	Standard (recommended)
Redundancy	GRS (Geo-redundant storage) or LRS (Locally redundant storage)

Click Review + create.
Review the overview of the account and click Create.
Wait for the deployment to complete.

Get Storage Account credentials

Go to the Storage Account you just created.
In the left navigation, select Access keys under Security + networking.
Click Show keys.
Copy and save the following for later use:
- Storage account name: Your storage account name (for example, secops-azure-logs)
- Key 1 or Key 2: The shared access key (a 512-bit random string in base-64 encoding)

Get Blob Service endpoint

In the same Storage Account, select Endpoints from the left navigation.
Copy and save the Blob service endpoint URL.
- Example: https://secops-azure-logs.blob.core.windows.net/

Configure Azure Activity Logs diagnostic settings

To export Azure Activity logs to the storage account:

In the Azure portal, search for Monitor.
Click Activity log in the left navigation.
Click Export Activity Logs at the top of the window.
Click Add diagnostic setting.
Provide the following configuration details:
- Diagnostic setting name: Enter a descriptive name (for example, activity-logs-to-secops).
- In the Logs section, select the following categories:
  - Administrative
  - Security
  - Service Health
  - Alert
  - Recommendation
  - Policy
  - Autoscale
  - Resource Health
- In the Destination details section, select the Archive to a storage account checkbox.
- Subscription: Select the subscription containing your storage account.
- Storage account: Select the storage account you created earlier (for example, secops-azure-logs).
Click Save.

Configure Entra ID diagnostic settings

To export Entra ID logs to the storage account:

In the Azure portal, search for Microsoft Entra ID or Azure Active Directory.
In the left navigation, go to Monitoring & health > Diagnostic settings.
Click Add diagnostic setting.
Provide the following configuration details:
- Diagnostic setting name: Enter a descriptive name (for example, entraid-logs-to-secops).
- In the Logs section, select the log categories you want to export:
  - SignInLogs: Interactive user sign-ins
  - NonInteractiveUserSignInLogs: Non-interactive user sign-ins (service principals, managed identities acting on behalf of users)
  - ServicePrincipalSignInLogs: Service principal and application sign-ins
  - ManagedIdentitySignInLogs: Managed identity sign-ins
  - AuditLogs: Audit trail of all changes in Entra ID (user creation, role assignments, etc.)
  - ProvisioningLogs: User and group provisioning events
  - RiskyUsers: Users flagged by Identity Protection
  - UserRiskEvents: Risk detections for user accounts
  - MicrosoftGraphActivityLogs: Microsoft Graph API activity logs
- In the Destination details section, select the Archive to a storage account checkbox.
- Subscription: Select the subscription containing your storage account.
- Storage account: Select the storage account you created earlier (for example, secops-azure-logs).
Click Save.

Note: It may take up to 72 hours for Entra ID logs to start appearing in the storage account. Each selected log category creates a separate container with the naming pattern insights-logs-{category-name}.

Retrieve the Google SecOps service account

Google SecOps uses a unique service account to read data from your Azure Blob Storage. You must grant this service account access to your storage account.

Get the service account email

Go to SIEM Settings > Feeds.
Click Add New Feed.
Click Configure a single feed.
In the Feed name field, enter a temporary name.
Select Microsoft Azure Blob Storage V2 as the Source type.
Select any log type (you can change this later).
Click Get Service Account.

A unique service account email is displayed, for example:

chronicle-12345678@chronicle-gcp-prod.iam.gserviceaccount.com

Copy this email address for use in the next step.
Click Cancel to exit the feed creation (you will create the actual feeds later).

Grant IAM permissions to the Google SecOps service account

The Google SecOps service account needs Storage Blob Data Reader role on your storage account.

In the Azure portal, go to Storage accounts.
Click your storage account name (for example, secops-azure-logs).
Go to the Access Control (IAM) tab.
Click + Add > Add role assignment.
In the Role tab, search for and select Storage Blob Data Reader.
Click Next.
In the Members tab, click + Select members.
In the search box, paste the Google SecOps service account email.
Select the service account from the results.
Click Select.
Click Review + assign.
Review the assignment and click Review + assign again.

Note: If you plan to use the deletion option "Delete transferred files" or "Delete transferred files and empty directories," grant Storage Blob Data Contributor role instead of Storage Blob Data Reader.

Configure feeds in Google SecOps

You must create a separate feed for each log type and container. The following table shows the mapping between Azure containers and Google SecOps log types:

Container Name	Chronicle Log Type	Data Source
`insights-activity-logs`	Azure Activity	Azure Activity Logs
`insights-logs-signinlogs`	Azure AD	Entra ID Interactive Sign-ins
`insights-logs-noninteractiveusersigninlogs`	Azure AD	Entra ID Non-interactive Sign-ins
`insights-logs-serviceprincipalsigninlogs`	Azure AD	Entra ID Service Principal Sign-ins
`insights-logs-managedidentitysigninlogs`	Azure AD	Entra ID Managed Identity Sign-ins
`insights-logs-auditlogs`	Azure AD Audit	Entra ID Audit Logs
`insights-logs-provisioninglogs`	Azure AD	Entra ID Provisioning Logs
`insights-logs-riskyusers`	Azure AD	Entra ID Risky Users
`insights-logs-userriskevents`	Azure AD	Entra ID User Risk Events
`insights-logs-microsoftgraphactivitylogs`	Microsoft Graph Activity Logs	Microsoft Graph Activity

Create feed for Azure Activity Logs

Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed name field, enter Azure Activity Logs.
Select Microsoft Azure Blob Storage V2 as the Source type.
Select Azure Activity as the Log type.
Click Next.
Specify values for the following input parameters:
- Azure URI: Enter the Blob Service endpoint URL with the container path:
```
https://secops-azure-logs.blob.core.windows.net/insights-activity-logs/
```
  - Replace secops-azure-logs with your Azure storage account name.
Note: Include the trailing slash (/) at the end of the URI.
- Source deletion option: Select the deletion option according to your preference:
  - Never: Never deletes any files after transfers.
  - Delete transferred files: Deletes files after successful transfer.
  - Delete transferred files and empty directories: Deletes files and empty directories after successful transfer.
    
    Note: If you select a deletion option, make sure that you granted the Storage Blob Data Contributor role to the service account.
- Maximum File Age: Include files modified in the last number of days. Default is 180 days.
- Shared key: Enter the shared key value (access key) you captured from the Storage Account earlier.
- Asset namespace: The asset namespace.
- Ingestion labels: The label to be applied to the events from this feed.
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.

Create feeds for Entra ID logs

Repeat the following steps for each Entra ID log type you configured in the diagnostic settings:

For Interactive Sign-in Logs:

Go to SIEM Settings > Feeds.
Click Add New Feed.
Click Configure a single feed.
In the Feed name field, enter Azure AD Interactive Sign-in Logs.
Select Microsoft Azure Blob Storage V2 as the Source type.
Select Azure AD as the Log type.
Click Next.
Specify values for the following input parameters:
- Azure URI:
```
https://secops-azure-logs.blob.core.windows.net/insights-logs-signinlogs/
```
  Note: Include the trailing slash (/) at the end of the URI.
- Source deletion option: Select according to your preference.
- Maximum File Age: 180 days (default).
- Shared key: Enter the shared key value.
  
  Caution: To avoid HTTP 429 (Too Many Requests) errors and ingestion delays, don't reuse the same shared key or storage account across multiple feeds.
- Asset namespace: The asset namespace.
- Ingestion labels: The label to be applied.
Click Next and then Submit.

For Non-interactive Sign-in Logs: