Collect Microsoft Azure Resource logs

Supported in:

Google secops SIEM

This document explains how to collect Microsoft Azure Resource logs by setting up a Google Security Operations feed using Microsoft Azure Blob Storage V2.

Azure resource logs provide insight into operations performed within Azure resources. These logs capture detailed information about resource operations, status, and performance metrics. The content varies by resource type and includes data such as authentication events, configuration changes, access attempts, and operational metrics.

Before you begin

Ensure that you have the following prerequisites:

A Google SecOps instance
Privileged access to Microsoft Azure portal with permissions to:
- Create Storage Accounts
- Configure Diagnostic Settings for Azure resources
- Manage access keys
Note: If you restrict access to your Azure resources using an Azure Storage firewall, you must add the IP ranges used by Storage Transfer Service (STS) workers to your list of allowed IPs. See IP Allowlisting.

Configure Azure Storage Account

Create Storage Account

In the Azure portal, search for Storage accounts.
Click + Create.

Provide the following configuration details:

Setting	Value
Subscription	Select your Azure subscription
Resource group	Select existing or create new
Storage account name	Enter a unique name (for example, `azureresourcelogs`)
Region	Select the region (for example, `East US`)
Performance	Standard (recommended)
Redundancy	GRS (Geo-redundant storage) or LRS (Locally redundant storage)

Click Review + create.
Review the overview of the account and click Create.
Wait for the deployment to complete.

Get Storage Account credentials

Go to the Storage Account you just created.
In the left navigation, select Access keys under Security + networking.
Click Show keys.
Copy and save the following for later use:
- Storage account name: azureresourcelogs
- Key 1 or Key 2: The shared access key (a 512-bit random string in base-64 encoding)

Get Blob Service endpoint

In the same Storage Account, select Endpoints from the left navigation.
Copy and save the Blob service endpoint URL.
- Example: https://azureresourcelogs.blob.core.windows.net/

Configure Azure Resource Diagnostic Settings

Azure resource logs are not collected by default. You must create a diagnostic setting for each Azure resource to route logs to the storage account.

In the Azure portal, navigate to the Azure resource you want to monitor.
In the left navigation, select Diagnostic settings under Monitoring.
Click + Add diagnostic setting.
Provide the following configuration details:
- Diagnostic setting name: Enter a descriptive name (for example, export-to-secops).
- In the Logs section, select the log categories you want to collect. The available categories vary by resource type.
  
  Common categories include:
  - Administrative (for Activity Logs)
  - Security (for Activity Logs)
  - AuditEvent (for Key Vault)
  - ApplicationGatewayAccessLog (for Application Gateway)
  - ApplicationGatewayFirewallLog (for Application Gateway)
  - NetworkSecurityGroupEvent (for Network Security Groups)
- In the Metrics section (optional), select AllMetrics to send platform metrics to the storage account.
- In the Destination details section, select the Archive to a storage account checkbox.
- Subscription: Select the subscription containing your storage account.
- Storage account: Select the storage account you created earlier (for example, azureresourcelogs).
Click Save.

After configuration, logs are automatically exported to containers in the storage account. Azure creates containers using the naming pattern insights-logs-<log-category-name>. For example:
- Key Vault audit logs: insights-logs-auditevent
- Application Gateway access logs: insights-logs-applicationgatewayaccesslog
- Application Gateway firewall logs: insights-logs-applicationgatewayfirewalllog
- Network Security Group events: insights-logs-networksecuritygroupevent
Note: The specific container names depend on the log categories you selected in the diagnostic setting. Each log category creates a separate container.

Configure a feed in Google SecOps to ingest Azure Resource Logs

Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed name field, enter a name for the feed (for example, Azure Resource Logs).
Select Microsoft Azure Blob Storage V2 as the Source type.
Select Microsoft Azure Resource as the Log type.
Click Next.
Specify values for the following input parameters:
- Azure URI: Enter the Blob Service endpoint URL with the container path:
```
https://azureresourcelogs.blob.core.windows.net/insights-logs-<category-name>/
```
  Replace the following:
  - azureresourcelogs: Your Azure storage account name.
  - <category-name>: The log category name (for example, auditevent for Key Vault, applicationgatewayaccesslog for Application Gateway).
  Note: Include the trailing slash (/) at the end of the URI. If you have multiple log categories, create a separate feed for each container.
- Source deletion option: Select the deletion option according to your preference:
  - Never: Never deletes any files after transfers.
  - Delete transferred files: Deletes files after successful transfer.
  - Delete transferred files and empty directories: Deletes files and empty directories after successful transfer.
  Note: If you select a deletion option, make sure that you granted appropriate permissions to the service account.
- Maximum File Age: Include files modified in the last number of days. Default is 180 days.
- Shared key: Enter the shared key value (access key) you captured from the Storage Account in step 3.
- Asset namespace: The asset namespace.
- Ingestion labels: The label to be applied to the events from this feed.
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.

Configure Azure Storage firewall (if enabled)

If your Azure Storage Account uses a firewall, you must add Google SecOps IP ranges.

To get the current IP ranges, choose one of the following options:
- See IP Allowlisting documentation
- Retrieve them programmatically using the Feed Management API
In the Azure portal, go to your Storage Account.
Select Networking under Security + networking.
Under Firewalls and virtual networks, select Enabled from selected virtual networks and IP addresses.
In the Firewall section, under Address range, click + Add IP range.
Add each Google SecOps IP range in CIDR notation.
Click Save.

Note: This feed source uses the Storage Transfer Service (STS) to transfer data from Azure storage to Google SecOps. Before using this feed source, you may need to add the IP ranges used by STS workers to your list of allowed IPs.

UDM mapping table

Log Field	UDM Mapping	Logic
	event.idm.read_only_udm.additional.fields	Merged from various label fields like hostVersion_field, functionInvocationId_field, etc., based on conditions.
	event.idm.read_only_udm.extensions.auth.type	Set to "MACHINE" for SQLSecurityAuditEvents category.
	event.idm.read_only_udm.extensions.auth.type	Set to "AUTHTYPE_UNSPECIFIED" for RiskyServicePrincipals, RiskyUsers, UserRiskEvents, NonInteractiveUserSignInLogs, ServicePrincipalSignInLogs, ProvisioningLogs, ADFSSignInLogs, ServicePrincipalRiskEvents categories.
	event.idm.read_only_udm.extensions.auth.type	Set to "SSO" for categories in ["RiskyServicePrincipals","RiskyUsers","UserRiskEvents","NonInteractiveUserSignInLogs","ServicePrincipalSignInLogs","ProvisioningLogs","ADFSSignInLogs","ServicePrincipalRiskEvents"].
	event.idm.read_only_udm.extensions.auth.mechanism	Merged from auth_mechanism if set to "USERNAME_PASSWORD".
	event.idm.read_only_udm.intermediary	Merged from intermediary if not empty.
	event.idm.read_only_udm.metadata.collected_timestamp	Converted from stage_time using ISO8601 match for kube-audit categories.
	event.idm.read_only_udm.metadata.collected_timestamp	Converted from originalEventTimestamp using ISO8601 match.
	event.idm.read_only_udm.metadata.collected_timestamp	Converted from risk_time using ISO8601 or yyyy-MM-dd HH:mm:ss match.
	event.idm.read_only_udm.metadata.collected_timestamp	Converted from last_update_time using ISO8601 or yyyy-MM-dd HH:mm:ss.SSSZ match.
	event.idm.read_only_udm.metadata.collected_timestamp	Converted from time using ISO8601, yyyy-MM-ddTHH:mm:ssZ, or grok pattern for date parsing.
	event.idm.read_only_udm.metadata.description	Value taken from properties.message if not empty.
	event.idm.read_only_udm.metadata.description	Value taken from properties.log.stage for kube-audit categories.
	event.idm.read_only_udm.metadata.description	Value taken from properties.activity.
	event.idm.read_only_udm.metadata.event_type	Value taken from event_type if not empty; else set to "GENERIC_EVENT".
	event.idm.read_only_udm.metadata.product_deployment_id	Value taken from tenantid_value if additionaldetails.key == "TenantId".
	event.idm.read_only_udm.metadata.product_event_type	Value taken from category.
	event.idm.read_only_udm.metadata.product_log_id	Value taken from properties.event_id if not empty.
	event.idm.read_only_udm.metadata.product_log_id	Value taken from properties.log.auditID for kube-audit categories.
	event.idm.read_only_udm.metadata.product_log_id	Value taken from properties.id.
	event.idm.read_only_udm.metadata.product_version	Value taken from properties.log.apiVersion for kube-audit categories.
	event.idm.read_only_udm.metadata.vendor_name	Set to "Microsoft".
	event.idm.read_only_udm.network.application_protocol	Value taken from protocol if not empty.
	event.idm.read_only_udm.network.http.method	Value taken from properties.CsMethod for AppServiceHTTPLogs.
	event.idm.read_only_udm.network.http.referral_url	Value taken from properties.Referer for AppServiceHTTPLogs.
	event.idm.read_only_udm.network.http.referral_url	Value taken from uri if not empty.
	event.idm.read_only_udm.network.http.response_code	Converted from responseStatus.code to integer for kube-audit categories.
	event.idm.read_only_udm.network.http.response_code	Converted from properties.ScStatus to integer for AppServiceHTTPLogs.
	event.idm.read_only_udm.network.http.response_code	Converted from properties.statusCode to integer.
	event.idm.read_only_udm.network.http.response_code	Converted from statusCode to integer.
	event.idm.read_only_udm.network.http.user_agent	Value taken from user_agent if not empty.
	event.idm.read_only_udm.network.received_bytes	Value taken from properties.ScBytes for AppServiceHTTPLogs.
	event.idm.read_only_udm.network.received_bytes	Value taken from properties.responseLength.
	event.idm.read_only_udm.network.sent_bytes	Value taken from properties.CsBytes for AppServiceHTTPLogs.
	event.idm.read_only_udm.network.sent_bytes	Value taken from properties.requestLength.
	event.idm.read_only_udm.network.session_id	Value taken from properties.session_id.
	event.idm.read_only_udm.network.session_id	Value taken from record.properties.session_id.
	event.idm.read_only_udm.network.tls.version	Value taken from properties.tlsVersion if not empty.
	event.idm.read_only_udm.principal.application	Value taken from properties.application_name if not empty.
	event.idm.read_only_udm.principal.asset.asset_id	Value taken from prop_device_id if not null.
	event.idm.read_only_udm.principal.asset.hardware	Merged from hardware if not empty.
	event.idm.read_only_udm.principal.asset.hostname	Value taken from properties.host_name if not empty.
	event.idm.read_only_udm.principal.asset.hostname	Value taken from properties.CsHost for AppServiceHTTPLogs.
	event.idm.read_only_udm.principal.asset.hostname	Value taken from record.properties.CsHost for AppServiceHTTPLogs.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip for AppServiceHTTPLogs.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip1 for AppServiceHTTPLogs.
	event.idm.read_only_udm.principal.asset.ip	Merged from principal_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit categories.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from record.properties.clientIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from ip for kube-audit records.
	event.idm.read_only_udm.principal.asset.ip	Merged from src_ip.
	event.idm.read_only_udm.principal.asset.ip	Merged from ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.ipAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from callerIpAddress.
	event.idm.read_only_udm.principal.asset.ip	Merged from properties.client_ip.

Need more help? Get answers from Community members and Google SecOps professionals.