Mengumpulkan log Microsoft Azure AD
Didukung di:
Google SecOps
SIEM
Dokumen ini menjelaskan cara mengumpulkan log Microsoft Azure Active Directory (AD) dengan menyiapkan feed Google Security Operations.
Azure Active Directory (AZURE_AD) kini disebut Microsoft Entra ID. Log audit Azure AD
(AZURE_AD_AUDIT) kini menjadi log audit Microsoft Entra ID.
Untuk mengetahui informasi selengkapnya, lihat Penyerapan data ke Google Security Operations.
Label penyerapan mengidentifikasi parser yang menormalisasi data log mentah ke format UDM terstruktur.
Sebelum memulai
Pastikan Anda memenuhi prasyarat berikut:
- Langganan Azure yang dapat Anda gunakan untuk login
- Peran administrator global atau administrator Azure AD
- Azure AD (tenant) di Azure
Cara mengonfigurasi Azure AD
- Login ke portal Azure.
- Buka Beranda > Pendaftaran aplikasi, pilih aplikasi yang terdaftar atau daftarkan aplikasi jika Anda belum membuat aplikasi.
- Untuk mendaftarkan aplikasi, di bagian App registration, klik New registration.
- Di kolom Name, berikan nama tampilan untuk aplikasi Anda.
Di bagian Supported account types, pilih Accounts in this organizational directory only (Single tenant)
- Redirect URI: Biarkan kosong (tidak diperlukan untuk autentikasi principal layanan).
Klik Daftar.
Buka halaman Overview, lalu salin ID aplikasi (klien) dan ID direktori (tenant), yang diperlukan untuk mengonfigurasi feed Google Security Operations.
Klik API permissions.
Klik Add a permission, lalu pilih Microsoft Graph di panel baru.
Klik Application permissions.
Pilih izin AuditLog.Read.All, Directory.Read.All, dan SecurityEvents.Read.All. Pastikan izinnya adalah Izin aplikasi, bukan Izin yang didelegasikan.
Klik Grant admin consent for default directory. Aplikasi diberi otorisasi untuk memanggil API jika aplikasi diberi izin oleh pengguna atau administrator sebagai bagian dari proses izin.
Buka Setelan > Kelola.
Klik Certificates and secrets.
Klik New client secret. Di kolom Nilai, rahasia klien akan muncul.
Salin nilai rahasia klien. Nilai hanya ditampilkan pada saat pembuatan dan diperlukan untuk pendaftaran aplikasi Azure dan untuk mengonfigurasi feed Google Security Operations.
Menyiapkan feed
Ada dua titik entri berbeda untuk menyiapkan feed di platform Google SecOps:
- Setelan SIEM > Feed > Tambahkan Feed Baru
- Hub Konten > Paket Konten > Mulai
Cara menyiapkan feed Microsoft Entra ID (Azure AD)
- Klik paket Azure Platform.
- Cari jenis log Azure AD.
Tentukan nilai untuk kolom berikut:
- Jenis Sumber: API pihak ketiga (direkomendasikan)
- OAUTH client ID: Tentukan client ID yang Anda peroleh sebelumnya.
- Rahasia klien OAUTH: Tentukan rahasia klien yang Anda peroleh sebelumnya.
- Tenant ID: Tentukan tenant ID yang Anda peroleh sebelumnya.
- Jalur lengkap API: URL endpoint Microsoft Graph REST API.
- Endpoint Autentikasi API: Endpoint Autentikasi Microsoft Active Directory.
Opsi Lanjutan
- Nama Feed: Nilai yang telah diisi otomatis yang mengidentifikasi feed.
- Namespace Aset: Namespace yang terkait dengan feed.
- Label Penyerapan: Label yang diterapkan ke semua peristiwa dari feed ini.
Klik Buat feed.
Untuk mengetahui informasi selengkapnya tentang cara mengonfigurasi beberapa feed untuk berbagai jenis log dalam keluarga produk ini, lihat Mengonfigurasi feed menurut produk.
Untuk mengetahui informasi selengkapnya tentang feed Google Security Operations, lihat dokumentasi feed Google Security Operations. Untuk mengetahui informasi tentang persyaratan untuk setiap jenis feed, lihat Konfigurasi feed menurut jenis.
Referensi pemetaan kolom
Kode parser ini mengubah log Azure AD mentah dalam format JSON menjadi model data terpadu (UDM). Pertama-tama, data dinormalisasi dengan menghapus kolom yang tidak diperlukan, lalu informasi yang relevan seperti detail pengguna, stempel waktu, dan spesifikasi peristiwa diekstrak, dan dipetakan ke kolom UDM yang sesuai untuk representasi dan analisis yang konsisten.
Tabel pemetaan UDM
| Kolom log | Pemetaan UDM | Keterangan |
|---|---|---|
about |
about |
|
accountEnabled |
user.user_authentication_statususer.attribute.labels.value (kunci: accountEnabled) |
Jika accountEnabled adalah true, user.user_authentication_status ditetapkan ke ACTIVE dan label dengan kunci accountEnabled dan nilai true ditambahkan. Jika tidak, label dengan kunci accountEnabled dan nilai false akan ditambahkan. |
additionalDetails |
additional.fields |
|
appOwnerTenantId |
target.resource.attribute.labels |
|
authenticationAppDeviceDetails |
additional.fields |
|
authenticationContextClassReference |
security_result.detection_fields |
|
autonomousSystemNumber |
principal.resource.attribute.labels |
|
browser |
network.http.user_agent |
|
browser |
network.http.user_agent |
|
businessPhones |
user.phone_numbers |
Beberapa nomor telepon diekstrak dan dipetakan sebagai entri terpisah. |
city |
user.personal_address.city |
|
clientCredentialType |
additional.fields |
|
companyName |
user.company_name |
|
country |
user.personal_address.country_or_region |
Jika country kosong, nilai akan diambil dari usageLocation. |
createdDateTime |
user.attribute.creation_time |
Dikonversi menjadi stempel waktu dari kolom createdDateTime di log mentah menggunakan format RFC 3339. |
cribl_pipe |
additional.fields |
|
crossTenantAccessType |
additional.fields |
|
department |
user.department |
Beberapa departemen diekstrak dan dipetakan sebagai entri terpisah. |
deviceDetail.displayName |
principal.hostname,principal.asset.hostname |
|
displayName |
user.user_display_name |
|
employeeId |
user.employee_id |
Jika employeeId kosong, nilai akan diambil dari extension_employeeNumber. |
employeeType |
user.attribute.labels.value (kunci: employeeType) |
Dipetakan dari kolom employeeType dalam log mentah dan ditambahkan sebagai label dengan kunci employeeType. |
empmanager-src.accountEnabled |
user.user_authentication_statususer.attribute.labels.value (kunci: accountEnabled) |
Jika manager kosong dan empmanager-src.accountEnabled adalah true, user.user_authentication_status ditetapkan ke ACTIVE dan label dengan kunci accountEnabled dan nilai true ditambahkan. Jika tidak, label dengan kunci accountEnabled dan nilai false akan ditambahkan. |
empmanager-src.onPremisesDistinguishedName |
manager_role.type |
Jika gopher-manager kosong dan bagian OU dari nama khusus pengelola berisi Users, manager_role.type akan ditetapkan ke ADMINISTRATOR. Jika berisi Service Accounts, manager_role.type disetel ke SERVICE_ACCOUNT. |
empmanager-src.userPrincipalName |
manager_role.type |
Jika gopher-manager kosong dan empmanager-src.userPrincipalName dimulai dengan svc-, manager_role.type akan disetel ke SERVICE_ACCOUNT. |
errorCode |
security_result.detection_fields |
|
extension_employeeNumber |
user.employee_id |
Dipetakan ke user.employee_id jika employeeId kosong. |
extension_wfc_AccountingUnitName |
event.idm.entity.entity.labels.value (kunci: extension_wfc_AccountingUnitName) |
Dipetakan dari kolom extension_wfc_AccountingUnitName dalam log mentah dan ditambahkan sebagai label dengan kunci extension_wfc_AccountingUnitName. |
extension_wfc_AccountType |
event.idm.entity.entity.labels.value (kunci: wfc_AccountType) |
Dipetakan dari kolom extension_wfc_AccountType dalam log mentah dan ditambahkan sebagai label dengan kunci wfc_AccountType. |
extension_wfc_execDescription |
event.idm.entity.entity.labels.value (kunci: extension_wfc_execDescription) |
Dipetakan dari kolom extension_wfc_execDescription dalam log mentah dan ditambahkan sebagai label dengan kunci extension_wfc_execDescription. |
extension_wfc_groupDescription |
event.idm.entity.entity.labels.value (kunci: extension_wfc_groupDescription) |
Dipetakan dari kolom extension_wfc_groupDescription dalam log mentah dan ditambahkan sebagai label dengan kunci extension_wfc_groupDescription. |
extension_wfc_orgDescription |
event.idm.entity.entity.labels.value (kunci: extension_wfc_orgDescription) |
Dipetakan dari kolom extension_wfc_orgDescription dalam log mentah dan ditambahkan sebagai label dengan kunci extension_wfc_orgDescription. |
failureReason |
security_result.description |
|
federatedCredentialId |
additional.fields |
|
flaggedForReview |
additional.fields |
|
givenName |
user.first_name |
|
gopher-devices |
event.idm.entity.relations |
Setiap perangkat dalam array gopher-devices dipetakan ke entri relasi terpisah. deviceId dipetakan ke product_object_id, operatingSystem dan operatingSystemVersion digabungkan untuk membentuk model platform_version yang dipetakan secara langsung, dan createdDateTime dikonversi menjadi stempel waktu dan dipetakan ke created_timestamp. Hubungan disetel ke OWNS dan arah disetel ke UNIDIRECTIONAL. |
gopher-groups |
event.idm.entity.relations |
Setiap grup dalam array gopher-groups dipetakan ke entri relasi terpisah. id dipetakan ke product_object_id, dan displayName dipetakan ke group_display_name. Hubungan disetel ke MEMBER dan arah disetel ke UNIDIRECTIONAL. |
gopher-manager.businessPhones |
empmanager.phone_numbers |
Dipetakan ke empmanager.phone_numbers jika manager kosong. |
gopher-manager.country |
empmanager.personal_address.country_or_region |
Dipetakan ke empmanager.personal_address.country_or_region jika manager kosong. Jika gopher-manager.country dan gopher-manager.usageLocation kosong, kolom akan dibiarkan kosong. |
gopher-manager.department |
empmanager.department |
Dipetakan ke empmanager.department jika manager kosong. |
gopher-manager.displayName |
empmanager.user_display_name |
Dipetakan ke empmanager.user_display_name jika manager kosong. |
gopher-manager.employeeId |
empmanager.employee_id |
Dipetakan ke empmanager.employee_id jika manager kosong dan gopher-manager.employeeId tidak kosong. |
gopher-manager.extension_employeeNumber |
empmanager.employee_id |
Dipetakan ke empmanager.employee_id jika manager dan gopher-manager.employeeId kosong, dan gopher-manager.extension_employeeNumber tidak kosong. |
gopher-manager.givenName |
empmanager.first_name |
Dipetakan ke empmanager.first_name jika manager kosong. |
gopher-manager.id |
empmanager.product_object_id |
Dipetakan ke empmanager.product_object_id jika manager kosong. |
gopher-manager.jobTitle |
empmanager.title |
Dipetakan ke empmanager.title jika manager kosong. |
gopher-manager.mail |
empmanager.email_addresses |
Dipetakan ke empmanager.email_addresses jika manager kosong. |
gopher-manager.onPremisesImmutableId |
user.attribute.labels.value (kunci: gopher-manager onPremisesImmutableId) |
Dipetakan sebagai label dengan kunci gopher-manager onPremisesImmutableId. |
gopher-manager.onPremisesSamAccountName |
empmanager.userid |
Dipetakan ke empmanager.userid jika manager kosong. |
gopher-manager.onPremisesSecurityIdentifier |
empmanager.windows_sid |
Dipetakan ke empmanager.windows_sid jika manager kosong. |
gopher-manager.proxyAddresses |
empmanager.email_addressesempmanager.group_identifiers |
Jika manager kosong, setiap alamat dalam array gopher-manager.proxyAddresses dipetakan ke empmanager.email_addresses atau empmanager.group_identifiers berdasarkan apakah alamat tersebut dimulai dengan smtp atau SMTP. |
gopher-manager.refreshTokensValidFromDateTime |
empmanager.attribute.labels.value (kunci: refreshTokensValidFromDateTime) |
Dipetakan sebagai label dengan kunci refreshTokensValidFromDateTime jika manager kosong. |
gopher-manager.streetAddress |
empmanager.personal_address.name |
Dipetakan ke empmanager.personal_address.name jika manager kosong. |
gopher-manager.surname |
empmanager.last_name |
Dipetakan ke empmanager.last_name jika manager kosong. |
gopher-manager.usageLocation |
user.attribute.labels.value (kunci: manager_src_usageLocation) |
Dipetakan sebagai label dengan kunci manager_src_usageLocation. |
gopher-manager.userType |
empmanager.attribute.roles.name |
Dipetakan ke empmanager.attribute.roles.name jika manager kosong. |
homeTenantId |
target.resource.attribute.labels |
|
homeTenantName |
target.resource.attribute.labels |
|
id |
user.product_object_id |
|
identities |
user.attribute.labels.value (kunci: signInType)user.attribute.labels.value (kunci: userPrincipalName) |
signInType dipetakan sebagai label dengan kunci signInType. Jika signInType dan userPrincipalName tidak kosong, keduanya akan digabungkan dan dipetakan sebagai label dengan kunci userPrincipalName. |
identity |
principal.user.user_display_name |
|
incomingTokenType |
additional.fields |
|
initiatedBy.app.displayName |
principal.application |
|
initiatedBy.app.servicePrincipalId |
principal.resource.product_object_id |
|
initiatedBy.user.homeTenantId |
target.resource.attribute.labels |
|
initiatedBy.user.homeTenantName |
target.resource.attribute.labels |
|
initiatedBy.user.userType |
additional.fields |
|
ipAddressFromResourceProvider |
principal.resource.attribute.labels |
|
isTenantRestricted |
additional.fields |
|
jobTitle |
user.title |
|
loggedByService |
observer.application |
|
mail |
user.email_addresses |
Jika mail dimulai dengan svc-, user_role.type ditetapkan ke SERVICE_ACCOUNT. |
mail |
user_role.type |
Jika mail dimulai dengan svc-, user_role.type ditetapkan ke SERVICE_ACCOUNT. |
mailNickname |
user.attribute.labels.value (kunci: mailNickname) |
Dipetakan dari kolom mailNickname dalam log mentah dan ditambahkan sebagai label dengan kunci mailNickname. |
manager.businessPhones |
empmanager.phone_numbers |
Dipetakan ke empmanager.phone_numbers jika gopher-manager kosong. |
manager.city |
empmanager.personal_address.city |
Dipetakan ke empmanager.personal_address.city jika gopher-manager kosong. |
manager.companyName |
empmanager.company_name |
Dipetakan ke empmanager.company_name jika gopher-manager kosong. |
manager.country |
empmanager.personal_address.country_or_region |
Dipetakan ke empmanager.personal_address.country_or_region jika gopher-manager kosong. Jika manager.country dan manager.usageLocation kosong, kolom akan dibiarkan kosong. |
manager.department |
empmanager.department |
Dipetakan ke empmanager.department jika gopher-manager kosong. |
manager.displayName |
empmanager.user_display_name |
Dipetakan ke empmanager.user_display_name jika gopher-manager kosong. |
manager.employeeId |
empmanager.employee_id |
Dipetakan ke empmanager.employee_id jika gopher-manager kosong dan manager.employeeId tidak kosong. |
manager.extension_employeeNumber |
empmanager.employee_id |
Dipetakan ke empmanager.employee_id jika gopher-manager dan manager.employeeId kosong, dan manager.extension_employeeNumber tidak kosong. |
manager.givenName |
empmanager.first_name |
Dipetakan ke empmanager.first_name jika gopher-manager kosong. |
manager.id |
empmanager.product_object_id |
Dipetakan ke empmanager.product_object_id jika gopher-manager kosong. |
manager.jobTitle |
empmanager.title |
Dipetakan ke empmanager.title jika gopher-manager kosong. |
manager.mail |
empmanager.email_addresses |
Dipetakan ke empmanager.email_addresses jika gopher-manager kosong. |
manager.onPremisesSamAccountName |
empmanager.userid |
Dipetakan ke empmanager.userid jika gopher-manager kosong. |
manager.onPremisesSecurityIdentifier |
empmanager.windows_sid |
Dipetakan ke empmanager.windows_sid jika gopher-manager kosong. |
manager.proxyAddresses |
empmanager.email_addressesempmanager.group_identifiers |
Jika gopher-manager kosong, setiap alamat dalam array manager.proxyAddresses dipetakan ke empmanager.email_addresses atau empmanager.group_identifiers based on whether it starts withsmtporSMTP`. |
manager.refreshTokensValidFromDateTime |
empmanager.attribute.labels.value (kunci: refreshTokensValidFromDateTime) |
Dipetakan sebagai label dengan kunci refreshTokensValidFromDateTime jika gopher-manager kosong. |
manager.state |
empmanager.personal_address.state |
Dipetakan ke empmanager.personal_address.state jika gopher-manager kosong. |
manager.streetAddress |
empmanager.personal_address.name |
Dipetakan ke empmanager.personal_address.name jika gopher-manager kosong. |
manager.surname |
empmanager.last_name |
Dipetakan ke empmanager.last_name jika gopher-manager kosong. |
manager.usageLocation |
user.attribute.labels.value (kunci: manager_src_usageLocation)empmanager.personal_address.country_or_region |
Dipetakan sebagai label dengan kunci manager_src_usageLocation. Jika manager.country kosong, nilai juga dipetakan ke empmanager.personal_address.country_or_region. |
manager.userType |
empmanager.attribute.roles.name |
Dipetakan ke empmanager.attribute.roles.name jika gopher-manager kosong. |
mfaDetail.authDetail |
principal.user.phone_numbers |
|
onPremisesDistinguishedName |
user.attribute.labels.value (kunci: onPremisesDistinguishedName)user.attribute.labels.value (kunci: onPremisesDistinguishedName-OU data) |
Nama lengkap yang dibedakan dipetakan sebagai label dengan kunci onPremisesDistinguishedName. Bagian OU dari nama yang dibedakan diekstrak dan dipetakan sebagai label dengan kunci onPremisesDistinguishedName-OU data. Jika bagian OU berisi Admin, user_role.type akan disetel ke ADMINISTRATOR. Jika berisi Service Accounts, user_role.type disetel ke SERVICE_ACCOUNT. |
onPremisesDistinguishedName |
user_role.type |
Jika bagian OU dari nama khusus berisi Admin, user_role.type akan ditetapkan ke ADMINISTRATOR. Jika berisi Service Accounts, user_role.type disetel ke SERVICE_ACCOUNT. |
onPremisesDomainName |
user.group_identifiersuser.attribute.labels.value (kunci: onPremisesDomainName) |
Dipetakan langsung ke user.group_identifiers dan ditambahkan sebagai label dengan kunci onPremisesDomainName. |
onPremisesImmutableId |
user.attribute.labels.value (kunci: onPremisesImmutableId) |
Dipetakan dari kolom onPremisesImmutableId dalam log mentah dan ditambahkan sebagai label dengan kunci onPremisesImmutableId. |
onPremisesSamAccountName |
user.useriduser.attribute.labels.value (kunci: onPremisesSamAccountName) |
Dipetakan ke user.userid jika sAMAccountName kosong. Juga ditambahkan sebagai label dengan kunci onPremisesSamAccountName. |
onPremisesSecurityIdentifier |
user.windows_sid |
|
operationName |
metadata.product_event_type |
|
OrganizationId |
principal.resource.product_object_id |
|
originalRequestId |
network.session_id |
|
originalTransferMethod |
additional.fields |
|
Parser Logic |
UDM Mapping |
Logika |
policies.enforcedGrantControls |
security_result.detection_fields |
|
processingTimeInMilliseconds |
additional.fields |
|
properties.__UDI_RequiredFields_RegionScope |
target.location.country_or_region |
|
properties.additionalDetails |
additional.fields |
|
properties.alternateSignInName |
target.user.userid |
|
properties.appId |
principal.user.product_object_id |
|
properties.atContentH |
additional.fields |
|
properties.atContentP |
additional.fields |
|
properties.authenticationContextClassReferences |
additional.fields |
|
properties.C_DeviceId |
additional.fields |
|
properties.C_Iat |
additional.fields |
|
properties.C_Idtyp |
additional.fields |
|
properties.C_Sid |
additional.fields |
|
properties.category |
security_result.category_details |
|
properties.clientAuthMethod |
additional.fields |
|
properties.clientCredentialType |
additional.fields |
|
properties.correlationId |
security_result.detection_fields |
|
properties.deviceDetail.browser |
network.http.user_agent |
|
properties.deviceDetail.deviceId |
principal.asset.asset_id |
|
properties.deviceDetail.displayName |
principal.hostname,principal.asset.hostname |
|
properties.deviceDetail.operatingSystem |
principal.platform_version |
Jika operatingSystem dimulai dengan Win, Mac, atau Lin, maka dipetakan ke principal.platform. |
properties.deviceDetail.trustType |
principal.asset.attribute.labels |
|
properties.EventData.AuthenticationPackageName |
security_result.about.resource.name |
|
properties.EventData.CallerProcessId |
principal.process.pid |
|
properties.EventData.CallerProcessName |
principal.process.file.full_path |
|
properties.EventData.CertIssuerName |
additional.fields |
|
properties.EventData.CertSerialNumber |
about.artifact.last_https_certificate.serial_number |
|
properties.EventData.CertThumbprint |
additional.fields |
|
properties.EventData.HandleId |
target.resource.attribute.labels |
|
properties.EventData.ImpersonationLevel |
additional.fields |
|
properties.EventData.IpAddress |
principal.ipprincipal.asset.ip |
|
properties.EventData.IpPort |
principal.port |
|
properties.EventData.KeyLength |
additional.fields |
|
properties.EventData.LmPackageName |
target.resource.attribute.labels |
|
properties.EventData.LogonGuid |
security_result.detection_fields |
|
properties.EventData.LogonProcessName |
target.process.file.names |
|
properties.EventData.LogonType |
extensions.auth.auth_details |
|
properties.EventData.NewSd |
security_result.detection_fields |
|
properties.EventData.ObjectName |
target.resource.name |
|
properties.EventData.ObjectServer |
target.resource.attribute.labels |
|
properties.EventData.ObjectType |
target.resource.resource_subtype |
|
properties.EventData.OldSd |
security_result.detection_fields |
|
properties.EventData.PreAuthType |
extensions.auth.mechanism |
|
properties.EventData.ProcessId |
target.process.pid |
|
properties.EventData.ProcessName" |
target.process.file.full_path |
|
properties.EventData.ServiceName |
target.application |
|
properties.EventData.ServiceSid |
target.resource.user.windows_sid |
|
properties.EventData.Source |
principal.ipprincipal.asset.ip |
|
properties.EventData.Status |
security_result.detection_fields |
|
properties.EventData.SubjectDomainName |
principal.administrative_domain |
|
properties.EventData.SubjectLogonId |
principal.resource.attribute.labels |
|
properties.EventData.SubjectUserName |
principal.user.userid |
|
properties.EventData.SubjectUserSid |
principal.user.windows_sid |
|
properties.EventData.TargetDomainName |
target.administrative_domain |
|
properties.EventData.TargetLogonId |
target.resource.attribute.labels |
|
properties.EventData.TargetSid |
target.user.windows_sid |
|
properties.EventData.TargetUserName |
target.user.userid |
|
properties.EventData.TargetUserSid |
target.user.windows_sid |
|
properties.EventData.TicketEncryptionType |
security_result.detection_fields |
|
properties.EventData.TicketOptions |
security_result.detection_fields" |
|
properties.EventData.TransmittedServices |
security_result.detection_fields |
|
properties.EventData.WorkstationName |
target.hostnametarget.asset.hostname |
|
properties.flaggedForReview |
additional.fields |
|
properties.homeTenantId |
target.resource.attribute.labels |
|
properties.incomingTokenType |
additional.fields |
|
properties.initiatedBy.app.displayName |
principal.user.user_display_name |
|
properties.initiatedBy.user.displayName |
principal.user.user_display_name |
|
properties.initiatedBy.user.id |
principal.user.product_object_id |
|
properties.initiatedBy.user.ipAddress |
principal.ip,principal.asset.ip |
|
properties.ipAddressFromResourceProvider |
principal.resource.attribute.labels |
|
properties.isInteractive |
additional.fields |
|
properties.isTenantRestricted |
additional.fields |
|
properties.isThroughGlobalSecureAccess |
additional.fields |
|
properties.location.geoCoordinates.altitude |
additional.fields |
|
properties.loggedByService |
observer.application |
|
properties.mfaDetail.authDetail |
principal.user.phone_numbers |
|
properties.operationType |
target.resource.attribute.labels |
|
properties.originalRequestId |
network.session_id |
|
properties.originalTransferMethod |
additional.fields |
|
properties.processingTimeInMilliseconds |
additional.fields |
|
properties.RecordId |
metadata.product_log_id |
|
properties.requestId |
security_result.detection_fields |
|
properties.requestMethod |
network.http.method |
|
properties.requestUri |
network.http.referral_url |
|
properties.resourceDisplayName |
target.resource.name |
|
properties.resourceId |
target.resource.attribute.labels |
|
properties.resourceOwnerTenantId |
target.resource.attribute.labels |
|
properties.resourceTenantId |
target.resource.attribute.labels |
|
properties.responseSizeBytes |
network.received_bytes |
|
properties.responseStatusCode |
network.http.response_code |
|
properties.resultReason |
additional.fieldssecurity_result.summary |
|
properties.resultType |
additional.fields |
|
properties.riskDetail |
security_result.detection_fields |
|
properties.riskEventType |
security_result.detection_fields |
|
properties.riskLastUpdatedDateTime |
security_result.detection_fields |
|
properties.riskLevel |
security_result.detection_fields |
|
properties.riskLevelAggregated |
security_result.detection_fields |
|
properties.riskLevelDuringSignIn |
security_result.detection_fields |
|
properties.riskState |
security_result.detection_fields |
|
properties.riskType |
security_result.detection_fields |
|
properties.rngcStatus |
additional.fields |
|
properties.roles |
principal.user.attribute.roles |
|
properties.scopes |
security_result.detection_fields |
|
properties.servicePrincipalCredentialKeyId |
additional.fields |
|
properties.sessionLifetimePolicies |
security_result.detection_fields |
|
properties.signInActivityId |
additional.fields |
|
properties.SignInBondData.DeviceDetails.DeviceTrustType |
principal.asset.attribute.labels |
|
properties.SignInBondData.DeviceDetails.IsCompliant |
security_result.rule_labels |
|
properties.SignInBondData.DeviceDetails.IsManaged |
principal.asset.attribute.labels |
|
properties.SignInBondData.DisplayDetails.AttemptedUsername |
principal.user.email_addresses |
|
properties.SignInBondData.DisplayDetails.ProxyRestrictionTargetTenantName |
additional.fields |
|
properties.SignInBondData.DisplayDetails.ResourceDisplayName |
target.resource.name |
|
properties.SignInBondData.LocationDetails.IPChain |
target.ip |
|
properties.SignInBondData.LocationDetails.Latitude |
additional.fields |
|
properties.SignInBondData.LocationDetails.Longitude |
additional.fields |
|
properties.SignInBondData.MfaDetails |
additional.fields |
|
properties.SignInBondData.ProtocolDetails.AuthenticationMethodsUsed |
extensions.auth.auth_details |
|
properties.SignInBondData.ProtocolDetails.DomainHintPresent |
additional.fields |
|
properties.SignInBondData.ProtocolDetails.IsInteractive |
additional.fields |
|
properties.SignInBondData.ProtocolDetails.LoginHintPresent |
additional.fields |
|
properties.SignInBondData.ProtocolDetails.NetworkLocation |
additional.fields" |
|
properties.SignInBondData.ProtocolDetails.Protocol |
security_result.detection_fields |
Jika properties.SignInBondData.ProtocolDetails.Protocol == WSTrust, maka dipetakan ke security_result.detection_fields, jika tidak, dipetakan ke network.application_protocol. |
properties.SignInBondData.RamDetails.RamRecommendedAction |
additional.fields |
|
properties.SignInBondData.RamDetails.RamRecommender |
additional.fields |
|
properties.signInTokenProtectionStatus |
additional.fields |
|
properties.ssoExtensionVersion |
additional.fields |
|
properties.status.errorCode |
security_result.detection_fieldssecurity_result.action |
|
properties.targetResources |
target.resource.attribute.labels |
|
properties.tenantGeo |
Geolocation.country_or_region |
|
properties.tokenIssuerName |
additional.fields |
|
properties.tokenProtectionStatusDetails.signInSessionStatus |
additional.fields |
|
properties.tokenProtectionStatusDetails.signInSessionStatusCode |
additional.fields |
|
properties.userDisplayName |
principal.user.user_display_name |
|
properties.wids |
additional.fields |
|
proxyAddresses |
user.email_addressesuser.group_identifiers |
Setiap alamat dalam array proxyAddresses dipetakan ke user.email_addresses atau user.group_identifiers berdasarkan apakah alamat tersebut diawali dengan smtp atau SMTP. Jika alamat dimulai dengan smtp atau SMTP, awalan smtp: atau SMTP: akan dihapus dan alamat email yang tersisa akan diekstrak dan dipetakan ke user.email_addresses. |
record.CorrelationId |
additional.fields |
|
record.CrossTenantAccessType |
additional.fields |
|
record.DeviceDetail.deviceId |
network.session_id |
|
record.DeviceDetail.operatingSystem |
principal.platform_version |
Jika operatingSystem dimulai dengan Win, Mac, atau Lin, maka dipetakan ke principal.platform. |
record.IsInteractive |
additional.fields |
|
record.level |
security_result.severity_details |
Jika record_level ada di ["INFORMATION", "INFORMATIONAL", "0", "4", "WARNING", "1", "3","ERROR", "2","CRITICAL"], maka dipetakan ke security_result.severity. |
record.location |
principal.location.name |
|
record.properties.appServicePrincipalId |
additional.fields |
|
record.properties.authenticationProtocol |
additional.fields |
|
record.properties.autonomousSystemNumber |
principal.resource.attribute.labels |
|
record.properties.C_DeviceId |
principal.asset.asset_id |
|
record.properties.crossTenantAccessType |
additional.fields |
|
record.properties.deviceDetail.isCompliant |
security_result.rule_labels |
|
record.properties.deviceDetail.isManaged |
principal.asset.attribute.labels |
|
record.properties.deviceDetail.trustType |
principal.asset.attribute.labels |
|
record.properties.flaggedForReview |
additional.fields |
|
record.properties.incomingTokenType |
additional.fields |
|
record.properties.isInteractive |
extensions.auth.mechanism |
|
record.properties.isTenantRestricted |
additional.fields |
|
record.properties.isThroughGlobalSecureAccess |
additional.fields |
|
record.properties.location |
target.location.name |
|
record.properties.originalTransferMethod |
additional.fields |
|
record.properties.resourceDisplayName |
principal.resource.name |
|
record.properties.riskDetail |
security_result.detection_fields |
|
record.properties.riskLevelAggregated |
security_result.detection_fields |
|
record.properties.riskLevelDuringSignIn |
security_result.detection_fields |
|
record.properties.riskState |
security_result.detection_fields |
|
record.properties.rngcStatus |
additional.fields |
|
record.properties.roles |
principal.user.attribute.roles |
|
record.properties.scopes |
security_result.detection_fields |
|
record.properties.servicePrincipalId |
target.resource.attribute.labels |
|
record.properties.servicePrincipalId |
principal.user.userid |
|
record.properties.signInTokenProtectionStatus |
additional.fields |
|
record.properties.ssoExtensionVersion |
additional.fields |
|
record.properties.status.additionalDetails |
additional.fields |
|
record.properties.tokenProtectionStatusDetails.signInSessionStatus |
additional.fields |
|
record.properties.tokenProtectionStatusDetails.signInSessionStatusCode |
additional.fields |
|
record.RiskDetail |
security_result.detection_fields |
|
record.RiskEventTypes |
security_result.detection_fields |
|
record.RiskLevelAggregated |
security_result.detection_fields |
|
record.RiskLevelDuringSignIn |
security_result.detection_fields |
|
record.RiskState |
security_result.detection_fields |
|
refreshTokensValidFromDateTime |
user.attribute.labels.value (kunci: refreshTokensValidFromDateTime) |
Dipetakan dari kolom refreshTokensValidFromDateTime dalam log mentah dan ditambahkan sebagai label dengan kunci refreshTokensValidFromDateTime. |
resourceOwnerTenantId |
target.resource.attribute.labels |
|
resourceTenantId |
target.resource.attribute.labels |
|
resultDescription |
security_result.description |
|
resultReason |
additional.fields |
|
resultType |
additional.fields |
|
riskDetail |
security_result.detection_fields |
|
riskLevelAggregated |
security_result.detection_fields |
|
riskLevelDuringSignIn |
security_result.detection_fields |
|
riskState |
security_result.detection_fields |
|
sAMAccountName |
user.userid |
|
servicePrincipalCredentialKeyId |
additional.fields |
|
servicePrincipalCredentialThumbprint |
additional.fields |
|
servicePrincipalId |
target.resource.attribute.labels |
|
servicePrincipalName |
additional.fields |
|
sessionId |
network.session_id |
|
signInIdentifier |
target.user.userid |
|
signInIdentifierType |
additional.fields |
|
signInTokenProtectionStatus |
additional.fields |
|
state |
user.personal_address.state |
|
status.additionalDetails |
additional.fields |
|
streetAddress |
user.personal_address.name |
|
surname |
user.last_name |
|
targets.modifiedProperties |
target.resource.attribute.labels |
|
tokenIssuerName |
additional.fields |
|
tokenIssuerType |
additional.fields |
|
tokenProtectionStatusDetails.signInSessionStatus |
security_result.detection_fields |
|
uniqueTokenIdentifier |
additional.fields |
|
usageLocation |
user.personal_address.country_or_region |
Jika country kosong, nilai akan dipetakan ke user.personal_address.country_or_region. |
userDisplayName |
principal.user.user_display_name |
|
userId |
principal.user.product_object_id |
|
userPrincipalName |
user.email_addresses |
Jika userPrincipalName dimulai dengan svc-, user_role.type ditetapkan ke SERVICE_ACCOUNT. |
userPrincipalName |
user_role.type |
Jika userPrincipalName dimulai dengan svc-, user_role.type ditetapkan ke SERVICE_ACCOUNT. |
userType |
additional.fields |
|
| T/A | event.idm.entity.metadata.vendor_name |
Tetapkan ke Microsoft. |
| T/A | event.idm.entity.metadata.product_name |
Tetapkan ke Azure Active Directory. |
| T/A | event.idm.entity.metadata.entity_type |
Tetapkan ke USER. |
| T/A | event.idm.entity.metadata.collected_timestamp |
Ditetapkan ke kolom create_time dari log mentah. |
Referensi delta pemetaan UDM
Pada 1 Januari 2026, Google SecOps merilis versi baru parser Azure AD, yang mencakup perubahan signifikan pada pemetaan kolom log Azure AD ke kolom UDM dan perubahan pada pemetaan jenis peristiwa.
Delta pemetaan kolom log
Tabel berikut mencantumkan delta pemetaan untuk kolom log Azure AD ke UDM yang diekspos sebelum 1 Januari 2026 dan setelahnya (masing-masing tercantum dalam kolom Pemetaan lama dan Pemetaan saat ini):
| Kolom log | Pemetaan lama | Pemetaan saat ini |
|---|---|---|
additionalDetails |
security_result.description |
additional.fields |
browser |
principal.resource.attribute.labels |
network.http.user_agent |
browser |
principal.resource.attribute.labels |
network.http.user_agent |
deviceDetail.displayName |
principal.asset.hardware |
principal.hostname,principal.asset.hostname |
errorCode |
security_result.rule_id |
security_result.detection_fields |
failureReason |
additional.fields |
security_result.description |
identity |
target.user.user_display_name |
principal.user.user_display_name |
loggedByService |
target.application |
observer.application |
operationName |
additional.fields |
metadata.product_event_type |
OrganizationId |
principal.resource.id |
principal.resource.product_object_id |
properties.homeTenantId |
additional.fields |
target.resource.attribute.labels |
properties.initiatedBy.user.id |
principal.user.windows_sid |
principal.user.product_object_id |
properties.resourceOwnerTenantId |
additional.fields |
target.resource.attribute.labels |
properties.riskDetail |
additional.fields |
security_result.detection_fields |
properties.riskEventType |
additional.fields |
security_result.detection_fields |
properties.riskLastUpdatedDateTime |
additional.fields |
security_result.detection_fields |
properties.riskLevel |
additional.fields |
security_result.detection_fields |
properties.riskLevelAggregated |
additional.fields |
security_result.detection_fields |
properties.riskLevelDuringSignIn |
additional.fields |
security_result.detection_fields |
properties.riskState |
additional.fields |
security_result.detection_fields |
properties.riskType |
additional.fields |
security_result.detection_fields |
properties.userDisplayName |
target.user.user_display_name |
principal.user.user_display_name |
record.CorrelationId |
metadata.product_log_id |
additional.fields |
record.properties.C_DeviceId |
additional.fields |
principal.asset.asset_id |
record.properties.resourceDisplayName |
target.resource.attribute.labels |
principal.resource.name |
record.properties.riskDetail |
additional.fields |
security_result.detection_fields |
record.properties.riskLevelAggregated |
additional.fields |
security_result.detection_fields |
record.properties.riskLevelDuringSignIn |
additional.fields |
security_result.detection_fields |
record.properties.riskState |
additional.fields |
security_result.detection_fields |
record.properties.roles |
target.user.role_name |
principal.user.attribute.roles |
record.properties.servicePrincipalId |
additional.fields |
target.resource.attribute.labels |
record.properties.servicePrincipalId |
additional.fields |
principal.user.userid |
record.RiskDetail |
target.resource.attribute.labels |
security_result.detection_fields |
record.RiskEventTypes |
target.resource.attribute.labels |
security_result.detection_fields |
record.RiskLevelAggregated |
target.resource.attribute.labels |
security_result.detection_fields |
record.RiskState |
target.resource.attribute.labels |
security_result.detection_fields |
resultType |
security_result.rule_id |
additional.fields |
riskDetail |
additional.fields |
security_result.detection_fields |
riskLevelAggregated |
additional.fields |
security_result.detection_fields |
riskLevelDuringSignIn |
additional.fields |
security_result.detection_fields |
riskState |
additional.fields |
security_result.detection_fields |
riskState |
additional.fields |
security_result.detection_fields |
status.additionalDetails |
security_result.description |
additional.fields |
userDisplayName |
target.user.user_display_name |
principal.user.user_display_name |
userId |
target.user.product_object_id |
principal.user.product_object_id |
Delta pemetaan jenis peristiwa
Tabel berikut mencantumkan perbedaan penanganan jenis peristiwa Azure AD sebelum 1 Januari 2026 dan setelahnya (masing-masing tercantum di kolom Old event_type dan Current event-type):
| ID peristiwa dari log | event_type lama | event_type saat ini | Keterangan |
|---|---|---|---|
has_resource = true |
GENERIC_EVENT |
USER_RESOURCE_ACCESS |
Jenis peristiwa dipetakan ke USER_RESOURCE_ACCESS untuk kasus saat peristiwa berkaitan dengan resource (ditunjukkan oleh has_resource = true). |
operationName = Add member to group |
USER_CHANGE_PERMISSIONS |
GROUP_MODIFICATION |
Jenis peristiwa dipetakan ke GROUP_MODIFICATION untuk operasi yang secara khusus melibatkan penambahan anggota ke grup (dengan operationName = Add member to group). |
Perlu bantuan lain? Dapatkan jawaban dari anggota Komunitas dan profesional Google SecOps.