Collect Microsoft Entra ID sign-in (formerly Azure Active Directory) logs | Google Security Operations

Supported in:

Google secops SIEM

This document explains how to collect Microsoft Entra ID (formerly known as Azure Active Directory) sign-in logs by setting up a Google Security Operations feed. You can configure ingestion using two methods: Azure Event Hub (recommended) or the third-party API.

Before you begin

Make sure that you have the following prerequisites:

Google SecOps instance.
Privileged access to Microsoft Azure portal.
Security Administrator or Global Administrator role in Microsoft Entra ID (required for diagnostic settings).
For the Third Party API method, one of the following roles for granting admin consent:
- Global Administrator: can grant consent for any permission, for any API.
- Privileged Role Administrator: can grant consent for any permission, for any API.
- Cloud Application Administrator: can grant consent for any permission for any API, except Microsoft Graph app roles (application permissions).

Method 1: Azure Event Hub (recommended)

This method streams Microsoft Entra ID sign-in logs through Azure Event Hub using diagnostic settings. Google SecOps ingests the logs directly from the Event Hub using the Azure Event Hub feed type.

Create Event Hub namespace

An Event Hub namespace is a management container for one or more Event Hubs.

In the Azure portal, search for Event Hubs.
Click + Create.

Provide the following configuration details:

Setting	Value
Subscription	Select your Azure subscription
Resource group	Select existing or create new
Namespace name	Enter a unique name (for example, `secops-entraid-signin`)
Location	Select the region closest to your Microsoft Entra tenant
Pricing tier	Standard (recommended for production)
Throughput units	Start with 1, enable Auto-inflate (recommended)

Click Review + create.
Review the overview and click Create.
Wait for the deployment to complete (1-2 minutes).

Create Event Hub

After the namespace is deployed, go to the Event Hub namespace.
In the left navigation, select Event Hubs under Entities.
Click + Event Hub.

Provide the following configuration details:

Setting	Value
Name	Enter a unique name (for example, `entraid-signin-logs`)
Partition count	40 (recommended for optimal Google SecOps scaling)
Message retention	7 days (recommended minimum)
Capture	Disabled (not needed for Google SecOps)

Click Create.

Note: Partition count of 40 is recommended for Google SecOps feeds for optimal scaling. This setting cannot be changed after creation, so set it correctly during initial setup.

Get Event Hub connection string

Google SecOps requires a connection string to authenticate to the Event Hub.

Option A: Namespace-level connection string (recommended)

Go to the Event Hub namespace.
In the left navigation, select Shared access policies under Settings.
Click on the default policy RootManageSharedAccessKey.
Copy the Connection string - primary key.
Save this connection string securely.

Example:

Original: Endpoint=sb://secops-entraid-signin.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=abc123==;EntityPath=entraid-signin-logs

Remove EntityPath: Endpoint=sb://secops-entraid-signin.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=abc123==

Option B: Event Hub-level connection string

Go to the Event Hub (not the namespace).
In the left navigation, select Shared access policies under Settings.
Click + Add to create a new policy.
Provide the following configuration details:
- Policy name: Enter a descriptive name (for example, chronicle-read)
- Permissions: Select Listen only (read-only access)
Click Create.
Click on the newly created policy.
Copy the Connection string - primary key.
Save this connection string securely.

Note: Event Hub-level connection strings already include the EntityPath parameter, so no modification is needed.

Configure Microsoft Entra ID diagnostic settings

Sign in to the Microsoft Entra admin center as at least a Security Administrator.
Browse to Entra ID > Monitoring & health > Diagnostic settings.
Click + Add diagnostic setting.
Provide the following configuration details:
- Diagnostic setting name: Enter a descriptive name (for example, signin-logs-to-eventhub).
- In the Logs section, select the sign-in log categories you want to export:
  - SignInLogs: Interactive user sign-ins.
  - NonInteractiveUserSignInLogs: Non-interactive user sign-ins (recommended).
  - ServicePrincipalSignInLogs: Service principal sign-ins (optional).
  - ManagedIdentitySignInLogs: Managed identity sign-ins (optional).
  - ADFSSignInLogs: AD FS sign-in logs (optional, if AD FS is in use).
  - RiskyUsers: Users flagged for risk by Microsoft Entra ID Protection (optional).
  - UserRiskEvents: Risky sign-in event details (optional).
- In the Destination details section, select Stream to an event hub.
- Subscription: Select the subscription containing your Event Hub namespace.
- Event hub namespace: Select the namespace you created (for example, secops-entraid-signin).
- Event hub name: Select the Event Hub you created (for example, entraid-signin-logs).
- Event hub policy name: Select RootManageSharedAccessKey.
Click Save.

Note: It may take up to 15 minutes for sign-in logs to start flowing through the Event Hub. You can also select Export Settings from the Audit Logs or Sign-ins page to reach diagnostic settings.

(Optional) Configure Azure Blob Storage for checkpointing

Google SecOps can use Azure Blob Storage to store Event Hub checkpoints, which track which events have been processed. This prevents duplicate ingestion if the feed is temporarily interrupted.

Create Storage Account for checkpointing

In the Azure portal, search for Storage accounts.
Click + Create.

Provide the following configuration details:

Setting	Value
Subscription	Select your Azure subscription
Resource group	Use the same resource group as Event Hub
Storage account name	Enter a unique name (for example, `secopsaadsignin`)
Region	Same region as Event Hub
Performance	Standard
Redundancy	LRS (Locally redundant storage)

Click Review + create.
Click Create.

Create Blob Container

Go to the Storage Account you created.
In the left navigation, select Containers under Data storage.
Click + Container.
Provide the following configuration details:
- Name: Enter checkpoints
- Public access level: Private (no anonymous access)
Click Create.

Get Storage Account credentials

In the Storage Account, select Access keys under Security + networking.
Click Show keys.
Copy and save:
- Storage account name: The name of your storage account.
- Key 1: The access key value.

(Optional) Create dedicated consumer group

By default, Event Hub provides a consumer group named $Default. For production environments, it is recommended to create a dedicated consumer group for Google SecOps.

Go to the Event Hub (not the namespace).
In the left navigation, select Consumer groups under Entities.
Click + Consumer group.
Provide the following configuration details:
- Name: Enter a descriptive name (for example, chronicle)
Click Create.

Note: If you create a dedicated consumer group, you must specify it when creating the feed in Google SecOps. Otherwise, use the default $Default consumer group.

Configure a feed in Google SecOps to ingest Microsoft Entra ID sign-in logs

Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed name field, enter a name for the feed (for example, Microsoft Entra ID Sign-In Logs - Event Hub).
Select Microsoft Azure Event Hub as the Source type.
Select Microsoft Azure AD as the Log type.
Click Next.
Specify values for the following input parameters:
- Event hub connection string: Enter the Event Hub connection string you captured earlier.
If using namespace-level connection string:
- Make sure you removed the EntityPath parameter.
- You must also provide the Event hub name in the next field.
If using event hub-level connection string:
- Use the connection string as-is (includes EntityPath).
- The Event hub name field can be left blank.
  - Event hub name: Enter the Event Hub name (for example, entraid-signin-logs).
  Required if using namespace-level connection string. Optional if using event hub-level connection string.
- Consumer group (optional): Enter the consumer group name.
- Leave blank to use the default $Default consumer group.
- If you created a dedicated consumer group, enter its name (for example, chronicle).
- Blob storage container name (optional): For checkpointing, enter the container name (for example, checkpoints).
If providing blob storage for checkpointing:
- Azure storage account name: Enter the storage account name from checkpointing configuration.
- Azure storage account key: Enter the access key from checkpointing configuration.
- Asset namespace: The asset namespace.
- Ingestion labels: The label to be applied to the events from this feed.
Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.

Note: After creating the feed, it may take 1-2 minutes before events start appearing in Google SecOps.

Method 2: Third Party API

This method uses the Microsoft Graph API to retrieve Microsoft Entra ID sign-in logs directly from your Microsoft tenant.

Configure IP allowlisting

Before creating the feed, you must allowlist Google SecOps IP ranges in your Microsoft Azure network settings or Conditional Access policies.

Get Google SecOps IP ranges

Go to SIEM Settings > Feeds.
Click Add New Feed.
Note the IP ranges displayed in the feed creation interface.
Alternatively, retrieve IP ranges programmatically using the Feed Management API.

Configure Conditional Access for workload identities (if required)

If your organization uses Conditional Access policies that restrict access by location:

In the Microsoft Entra admin center, go to Protection > Conditional Access > Named locations.
Click + New location.
Provide the following configuration details:
- Name: Enter Google SecOps IP Ranges.
- Mark as trusted location: Optional, based on your security policy.
- IP ranges: Add each Google SecOps IP range in CIDR notation.
Click Create.
Go to Conditional Access > Policies.
For any policies that apply to workload identities, configure an exclusion for the Google SecOps IP Ranges named location or the specific service principal.

Configure Microsoft Entra ID API access

Create app registration

Sign in to the Microsoft Entra admin center or Azure portal.
Go to Identity > Applications > App registrations.
Click New registration.
Provide the following configuration details:
- Name: Enter a descriptive name (for example, Google SecOps Sign-In Logs Integration).
- Supported account types: Select Accounts in this organizational directory only (Single tenant).
Note: Single tenant is the correct choice for third-party API integrations. Google SecOps will access sign-in logs from your specific Microsoft Entra tenant only. Choose multi-tenant only if you intentionally need to access logs from multiple tenants in a managed service provider scenario.
- Redirect URI: Leave blank (not required for service principal authentication).
Click Register.
After registration, copy and save the following values:
- Application (client) ID
- Directory (tenant) ID

Configure API permissions

The integration requires the following Microsoft Graph application permissions:

In the app registration, go to API permissions.
Click Add a permission.
Select Microsoft Graph > Application permissions.
Select the following permissions:
- AuditLog.Read.All: Required to read sign-in logs.
- Directory.Read.All: Required by Microsoft Graph API for sign-in log access (known issue).
- SecurityEvents.Read.All: Required by Google Security Operations.
Click Add permissions.
Click Grant admin consent for [Your Organization].
Verify that the Status column shows Granted for [Your Organization] for all three permissions.

Permission	Type	Description
AuditLog.Read.All	Application	Read all sign-in and audit log data
Directory.Read.All	Application	Read directory data (required for API access)
SecurityEvents.Read.All	Application	Read security events

Create client secret

Go to Certificates & secrets.
Click New client secret.
Provide the following configuration details:
- Description: Enter a descriptive name (for example, Google SecOps Feed).
- Expires: Select an expiration period.
Note: Microsoft recommends setting an expiration value of less than 12 months. The maximum allowed is 24 months. For enhanced security, consider using certificate credentials or federated identity credentials instead of client secrets. See Migrate applications from secret-based authentication.
Click Add.
Important: Copy the client secret Value immediately. This value is displayed only once and cannot be retrieved later.

Verify API access before creating feed

Before creating the Google SecOps feed, verify that the service principal can successfully authenticate and access the Microsoft Graph API.

Test authentication using PowerShell

# Replace with your actual values
$tenantId = "your-tenant-id"
$clientId = "your-client-id"
$clientSecret = "your-client-secret"

# Token request parameters (must be lowercase)
$tokenBody = @{
    grant_type    = "client_credentials"
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = "https://graph.microsoft.com/.default"
}

# Request access token
$tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$tokenResponse = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $tokenBody -ContentType "application/x-www-form-urlencoded"

if ($tokenResponse.access_token) {
    Write-Host "✓ Successfully obtained access token" -ForegroundColor Green

    # Test API call to sign-ins endpoint
    $apiUrl = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$top=1"
    $headers = @{
        Authorization = "Bearer $($tokenResponse.access_token)"
    }

    try {
        $signInResponse = Invoke-RestMethod -Method Get -Uri $apiUrl -Headers $headers
        Write-Host "✓ Successfully accessed sign-ins API" -ForegroundColor Green
        Write-Host "Sample sign-in log retrieved successfully" -ForegroundColor Green
    }
    catch {
        Write-Host "✗ Failed to access sign-ins API" -ForegroundColor Red
        Write-Host "Error: $($_.Exception.Message)" -ForegroundColor Red
    }
}
else {
    Write-Host "✗ Failed to obtain access token" -ForegroundColor Red
}

Expected output:

✓ Successfully obtained access token
✓ Successfully accessed sign-ins API
Sample sign-in log retrieved successfully

Test authentication using curl

# Replace with your actual values
TENANT_ID="your-tenant-id"
CLIENT_ID="your-client-id"
CLIENT_SECRET="your-client-secret"

# Request access token
curl -X POST "https://login.microsoftonline.com/$TENANT_ID/oauth2/v2.0/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-d "client_id=$CLIENT_ID" \
-d "client_secret=$CLIENT_SECRET" \
-d "scope=https://graph.microsoft.com/.default"

# Test API access
curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
"https://graph.microsoft.com/v1.0/auditLogs/signIns?\$top=1"

Configure a feed in Google SecOps to ingest Microsoft Entra ID sign-in logs

Set up the feed

Go to SIEM Settings > Feeds.
Click Add New Feed.
On the next page, click Configure a single feed.
In the Feed name field, enter a name for the feed (for example, Microsoft Entra ID Sign-In Logs).
Select Third party API as the Source type.
Select Microsoft Azure AD as the Log type.
Click Next.

Configure feed parameters

Specify values for the following input parameters:

OAuth client ID: The Application (client) ID from the app registration.
OAuth client secret: The client secret value you copied earlier.
Tenant ID: Your Microsoft tenant ID from the app registration (UUID format, for example, 0fc279f9-fe30-41be-97d3-abe1d7681418).
API Full Path: Microsoft Graph REST API endpoint URL:
```
graph.microsoft.com/v1.0/auditLogs/signIns
```
Note: Do NOT include https:// prefix. The feed will add the protocol automatically.
API Authentication Endpoint: Microsoft Active Directory Authentication Endpoint:
```
login.microsoftonline.com
```
Note: Do NOT include https:// prefix or the /oauth2/v2.0/token path. The feed will construct the full authentication URL automatically using your Tenant ID.
Advanced Options:
- Feed Name: A prepopulated value that identifies the feed.
- Source Type: Third party API (mechanism for collecting the logs into Google SecOps).
- Asset namespace: The asset namespace that the feed will be associated with.
- Ingestion Labels: Labels will be added to all the events from this feed.

Click Next.
Review your new feed configuration in the Finalize screen, and then click Submit.

Note: After creating the feed, it may take 5-10 minutes before logs start appearing in Google SecOps.

Regional endpoints

For Microsoft Entra ID deployments in sovereign clouds, use the appropriate regional endpoints:

Cloud Environment	API Full Path	API Authentication Endpoint
Global	`graph.microsoft.com/v1.0/auditLogs/signIns`	`login.microsoftonline.com`
US Government L4	`graph.microsoft.us/v1.0/auditLogs/signIns`	`login.microsoftonline.us`
US Government L5 (DOD)	`dod-graph.microsoft.us/v1.0/auditLogs/signIns`	`login.microsoftonline.us`
China (21Vianet)	`microsoftgraph.chinacloudapi.cn/v1.0/auditLogs/signIns`	`login.chinacloudapi.cn`

UDM Mapping Table

Log Field	UDM Mapping	Logic
`activityDateTime`	`principal.event_timestamp`	Parsed from the `activityDateTime` field. If the field is not in the expected "yyyy-MM-ddTHH:mm:ss.SSSZ" format or "ISO8601" format, the parser will try other formats like "MM/dd/yyyy HH:mm:ss A" or "MM/d/yyyy HH:mm:ss A".
`activityDisplayName`	`security_result.summary`	Directly mapped from `activityDisplayName`.
`additionalDetails.0.value`	`network.http.user_agent`	Directly mapped from `additionalDetails.0.value`.
`additionalDetails.1.key`	`target.resource.attribute.labels.key`	Directly mapped from `additionalDetails.1.key`.
`additionalDetails.1.value`	`target.resource.attribute.labels.value`	Directly mapped from `additionalDetails.1.value`.
`additionalInfo.[].Key`	`network.http.user_agent`, `target.url`	If `Key` is `userAgent`, map `Value` to `network.http.user_agent` and `network.http.parsed_user_agent`. If `Key` is `alertUrl`, map `Value` to `target.url`.
`additionalInfo.[].Value`	`network.http.user_agent`, `target.url`	If `Key` is `userAgent`, map `Value` to `network.http.user_agent` and `network.http.parsed_user_agent`. If `Key` is `alertUrl`, map `Value` to `target.url`.
`am_category`	`metadata.description`	Directly mapped from `am_category`.
`am_tenantId`	`metadata.product_deployment_id`	Directly mapped from `am_tenantId`.
`appId`	`target.resource.attribute.labels.value`	Directly mapped from `appId` with label key as "App Id".
`appDisplayName`	`target.application`	Directly mapped from `appDisplayName`.
`appliedConditionalAccessPolicies.[].displayName`	`security_result.[].rule_name`, `about.[].user.user_display_name`	Directly mapped from `appliedConditionalAccessPolicies.[].displayName`.
`appliedConditionalAccessPolicies.[].enforcedGrantControls`	`security_result.[].rule_labels.value`	Directly mapped from `appliedConditionalAccessPolicies.[].enforcedGrantControls` with label key as "applied_conditional_access_policies_enforced_grant_controls".
`appliedConditionalAccessPolicies.[].enforcedSessionControls`	`security_result.[].rule_labels.value`	Directly mapped from `appliedConditionalAccessPolicies.[].enforcedSessionControls` with label key as "applied_conditional_access_policies_enforced_session_controls".
`appliedConditionalAccessPolicies.[].id`	`security_result.[].rule_id`, `about.[].user.userid`	Directly mapped from `appliedConditionalAccessPolicies.[].id`.
`appliedConditionalAccessPolicies.[].result`	`security_result.[].detection_fields.value`, `about.[].labels.value`	Directly mapped from `appliedConditionalAccessPolicies.[].result` with label key as "Result".
`authenticationDetails.[].authenticationMethod`	`security_result.[].detection_fields.value`	Directly mapped from `authenticationDetails.[].authenticationMethod` with label key as "authenticationMethod".
`authenticationDetails.[].authenticationMethodDetail`	`security_result.[].detection_fields.value`	Directly mapped from `authenticationDetails.[].authenticationMethodDetail` with label key as "authenticationMethodDetail".
`authenticationDetails.[].authenticationStepDateTime`	`security_result.[].detection_fields.value`	Directly mapped from `authenticationDetails.[].authenticationStepDateTime` with label key as "authenticationStepDateTime".
`authenticationDetails.[].authenticationStepRequirement`	`security_result.[].detection_fields.value`	Directly mapped from `authenticationDetails.[].authenticationStepRequirement` with label key as "authenticationStepRequirement".
`authenticationDetails.[].authenticationStepResultDetail`	`security_result.[].detection_fields.value`	Directly mapped from `authenticationDetails.[].authenticationStepResultDetail` with label key as "authenticationStepResultDetail".
`authenticationDetails.[].succeeded`	`security_result.action`	If value is "true", then `ALLOW`, else `BLOCK`.
`authenticationRequirement`	`additional.fields.value.string_value`	Directly mapped from `authenticationRequirement` with label key as "AuthenticationRequirement".
`authenticationRequirementPolicies.[].detail`	`security_result.detection_fields.value`	Directly mapped from `authenticationRequirementPolicies.[].detail` with label key as "detail".
`authenticationRequirementPolicies.[].requirementProvider`	`security_result.detection_fields.value`	Directly mapped from `authenticationRequirementPolicies.[].requirementProvider` with label key as "requirementProvider".
`callerIpAddress`	`principal.ip`, `principal.asset.ip`	Directly mapped from `callerIpAddress`.
`category`	`metadata.description`	Directly mapped from `category`.
`clientAppUsed`	`principal.application`	Directly mapped from `clientAppUsed`.
`conditionalAccessStatus`	`additional.fields.value.string_value`	Directly mapped from `conditionalAccessStatus` with label key as "conditionalAccessStatus".
`correlationId`	`network.session_id`, `security_result.detection_fields.value`	Directly mapped from `correlationId`. Also used as `security_result.detection_fields.value` with label key as "CorrelationId".
`createdDateTime`	`when`	The `when` field is derived from the `createdDateTime` field. The date and time are extracted from the `createdDateTime` field using grok and then combined to form the `when` field.
`deviceDetail.browser`	`network.http.user_agent`	Directly mapped from `deviceDetail.browser`.
`deviceDetail.deviceId`	`principal.asset.asset_id`, `principal.asset_id`	Directly mapped from `deviceDetail.deviceId` and prefixed with "Device ID:".
`deviceDetail.displayName`	`principal.asset.hostname`	Directly mapped from `deviceDetail.displayName`.
`deviceDetail.isCompliant`	`principal.asset.attribute.labels.value`	Directly mapped from `deviceDetail.isCompliant` with label key as "isCompliant".
`deviceDetail.isManaged`	`principal.asset.attribute.labels.value`	Directly mapped from `deviceDetail.isManaged` with label key as "isManaged".
`deviceDetail.operatingSystem`	`principal.platform_version`	Directly mapped from `deviceDetail.operatingSystem`.
`deviceDetail.trustType`	`principal.asset.attribute.labels.value`	Directly mapped from `deviceDetail.trustType` with label key as "trustType".
`durationMs`	`additional.fields.value.string_value`	Directly mapped from `durationMs` with label key as "durationMs".
`event.id`	-	Not mapped as per instructions (point 3).
`id`	`metadata.product_log_id`	Directly mapped from `id`.
`identity`	`target.user.user_display_name`	Directly mapped from `identity` if it is different from `userId` and is not an email address.
`initiatedBy.user.displayName`	`principal.user.user_display_name`	Directly mapped from `initiatedBy.user.displayName`.
`initiatedBy.user.id`	`principal.user.userid`, `principal.user.windows_sid`	Directly mapped from `initiatedBy.user.id`.
`initiatedBy.user.ipAddress`	`principal.ip`, `principal.asset.ip`	Directly mapped from `initiatedBy.user.ipAddress`.
`initiatedBy.user.userPrincipalName`	`principal.user.email_addresses`, `principal.user.userid`	Directly mapped from `initiatedBy.user.userPrincipalName`. If it is an email address, it is mapped to `email_addresses`, otherwise to `userid`.
`Level`	`security_result.severity_details`, `level`	Directly mapped from `Level`.
`level`	`security_result.severity_details`, `security_result.severity`	Directly mapped from `level`. Also mapped to `security_result.severity` after converting to uppercase. Special handling for "Information", "Informational", "0", "4", "Warning", "1", "3", "Error", "2", and "Critical" values.
`location.city`	`principal.location.city`	Directly mapped from `location.city`.
`location.countryOrRegion`	`principal.location.country_or_region`	Directly mapped from `location.countryOrRegion`.
`location.geoCoordinates.altitude`	`additional.fields.value.string_value`	Directly mapped from `location.geoCoordinates.altitude` with label key as "location_geoCoordinates_altitude".
`location.geoCoordinates.latitude`	`principal.location.region_latitude`, `principal.location.region_coordinates.latitude`	Directly mapped from `location.geoCoordinates.latitude`.
`location.geoCoordinates.longitude`	`principal.location.region_longitude`, `principal.location.region_coordinates.longitude`	Directly mapped from `location.geoCoordinates.longitude`.
`location.state`	`principal.location.state`	Directly mapped from `location.state`.
`location`	`principal.location.name`	Directly mapped from `location`.
`log_type`	`metadata.log_type`	Directly mapped from `log_type`.
`networkLocationDetails.[].networkNames`	`additional.fields.value.string_value`	Concatenated values from `networkLocationDetails.[].networkNames` with label key as "networkName {index}".
`networkLocationDetails.[].networkType`	`security_result.detection_fields.value`, `additional.fields.value.string_value`	Directly mapped from `networkLocationDetails.[].networkType` with label key as "networkType". Also used as `additional.fields.value.string_value` with label key as "networkType {index}".
`operationName`	`event_type`	If `operationName` is "Sign-in activity", then `USER_LOGIN`. If `operationName` is "Add member to group", then `USER_CHANGE_PERMISSIONS`.
`operationType`	`security_result.action_details`	Directly mapped from `operationType`.
`properties.activity`	`security_result.summary`	Directly mapped from `properties.activity`.
`properties.activityDateTime`	`when`	Parsed from the `properties.activityDateTime` field. If the field is not in the expected "yyyy-MM-ddTHH:mm:ss.SSSZ" format or "ISO8601" format, the parser will try other formats like "MM/dd/yyyy HH:mm:ss A" or "MM/d/yyyy HH:mm:ss A".
`properties.activityDisplayName`	`security_result.summary`	Directly mapped from `properties.activityDisplayName`.
`properties.additionalInfo`	`network.http.user_agent`, `target.url`	Parsed as JSON and if key is userAgent, map value to `network.http.user_agent` and `network.http.parsed_user_agent`. If key is alertUrl, map value to `target.url`.
`properties.appliedConditionalAccessPolicies.[].displayName`	`security_result.[].rule_name`	Directly mapped from `properties.appliedConditionalAccessPolicies.[].displayName`.
`properties.appliedConditionalAccessPolicies.[].enforcedGrantControls`	`security_result.[].rule_labels.value`	Directly mapped from `properties.appliedConditionalAccessPolicies.[].enforcedGrantControls` with label key as "applied_conditional_access_policies_enforced_grant_controls".
`properties.appliedConditionalAccessPolicies.[].enforcedSessionControls`	`security_result.[].rule_labels.value`	Directly mapped from `properties.appliedConditionalAccessPolicies.[].enforcedSessionControls` with label key as "applied_conditional_access_policies_enforced_session_controls".
`properties.appliedConditionalAccessPolicies.[].id`	`security_result.[].rule_id`	Directly mapped from `properties.appliedConditionalAccessPolicies.[].id`.
`properties.appliedConditionalAccessPolicies.[].result`	`security_result.[].detection_fields.value`	Directly mapped from `properties.appliedConditionalAccessPolicies.[].result` with label key as "Result".
`properties.appId`	`appId`	Directly mapped from `properties.appId`.
`properties.appDisplayName`	`target.application`	Directly mapped from `properties.appDisplayName`.
`properties.authenticationDetails.[].authenticationMethod`	`security_result.detection_fields.value`	Directly mapped from `properties.authenticationDetails.[].authenticationMethod` with label key as "authenticationMethod".
`properties.authenticationDetails.[].authenticationMethodDetail`	`security_result.detection_fields.value`	Directly mapped from `properties.authenticationDetails.[].authenticationMethodDetail` with label key as "authenticationMethodDetail".
`properties.authenticationDetails.[].authenticationStepDateTime`	`security_result.detection_fields.value`	Directly mapped from `properties.authenticationDetails.[].authenticationStepDateTime` with label key as "authenticationStepDateTime".
`properties.authenticationDetails.[].authenticationStepRequirement`	`security_result.detection_fields.value`	Directly mapped from `properties.authenticationDetails.[].authenticationStepRequirement` with label key as "authenticationStepRequirement".
`properties.authenticationDetails.[].authenticationStepResultDetail`	`security_result.detection_fields.value`	Directly mapped from `properties.authenticationDetails.[].authenticationStepResultDetail` with label key as "authenticationStepResultDetail".
`properties.authenticationRequirement`	`additional.fields.value.string_value`	Directly mapped from `properties.authenticationRequirement` with label key as "AuthenticationRequirement".
`properties.authenticationRequirementPolicies.[].detail`	`security_result.detection_fields.value`	Directly mapped from `properties.authenticationRequirementPolicies.[].detail` with label key as "detail".
`properties.authenticationRequirementPolicies.[].requirementProvider`	`security_result.detection_fields.value`	Directly mapped from `properties.authenticationRequirementPolicies.[].requirementProvider` with label key as "requirementProvider".
`properties.clientAppUsed`	`principal.application`	Directly mapped from `properties.clientAppUsed`.
`properties.conditionalAccessStatus`	`additional.fields.value.string_value`	Directly mapped from `properties.conditionalAccessStatus` with label key as "conditionalAccessStatus".
`properties.crossTenantAccessType`	`additional.fields.value.string_value`	Directly mapped from `properties.crossTenantAccessType` with label key as "crossTenantAccessType".
`properties.detectedDateTime`	`additional.fields.value.string_value`	Directly mapped from `properties.detectedDateTime` with label key as "detectedDateTime".
`properties.detectionTimingType`	`additional.fields.value.string_value`	Directly mapped from `properties.detectionTimingType` with label key as "detectionTimingType".
`properties.homeTenantId`	`additional.fields.value.string_value`	Directly mapped from `properties.homeTenantId` with label key as "homeTenantId".
`properties.id`	`metadata.product_log_id`	Directly mapped from `properties.id`.
`properties.initiatedBy.user.displayName`	`principal.user.user_display_name`	Directly mapped from `properties.initiatedBy.user.displayName`.
`properties.initiatedBy.user.id`	`principal.user.windows_sid`	Directly mapped from `properties.initiatedBy.user.id`.
`properties.initiatedBy.user.ipAddress`	`principal.ip`, `principal.asset.ip`	Directly mapped from `properties.initiatedBy.user.ipAddress`.
`properties.initiatedBy.user.userPrincipalName`	`principal.user.email_addresses`, `principal.user.userid`	Directly mapped from `properties.initiatedBy.user.userPrincipalName`. If it is an email address, it is mapped to `email_addresses`, otherwise to `userid`.
`properties.ipAddress`	`principal.ip`, `principal.asset.ip`	Directly mapped from `properties.ipAddress`.
`properties.isGuest`	`additional.fields.value.string_value`	Directly mapped from `properties.isGuest` with label key as "isGuest".
`properties.isDeleted`	`additional.fields.value.string_value`	Directly mapped from `properties.isDeleted` with label key as "isDeleted".
`properties.isProcessing`	`additional.fields.value.string_value`	Directly mapped from `properties.isProcessing` with label key as "isProcessing".
`properties.lastUpdatedDateTime`	`additional.fields.value.string_value`	Directly mapped from `properties.lastUpdatedDateTime` with label key as "lastUpdatedDateTime".
`properties.location.city`	`principal.location.city`	Directly mapped from `properties.location.city`.
`properties.location.countryOrRegion`	`principal.location.country_or_region`	Directly mapped from `properties.location.countryOrRegion`.
`properties.location.geoCoordinates.latitude`	`principal.location.region_latitude`, `principal.location.region_coordinates.latitude`	Directly mapped from `properties.location.geoCoordinates.latitude`.
`properties.location.geoCoordinates.longitude`	`principal.location.region_longitude`, `principal.location.region_coordinates.longitude`	Directly mapped from `properties.location.geoCoordinates.longitude`.
`properties.location.state`	`principal.location.state`	Directly mapped from `properties.location.state`.
`properties.networkLocationDetails.[].networkNames`	`additional.fields.value.string_value`	Concatenated values from `properties.networkLocationDetails.[].networkNames` with label key as "properties networkName {index}".
`properties.networkLocationDetails.[].networkType`	`additional.fields.value.string_value`	Directly mapped from `properties.networkLocationDetails.[].networkType` with label key as "properties networkType {index}".
`properties.riskEventType`	`additional.fields.value.string_value`	Directly mapped from `properties.riskEventType` with label key as "riskEventType".
`properties.riskLastUpdatedDateTime`	`additional.fields.value.string_value`	Directly mapped from `properties.riskLastUpdatedDateTime` with label key as "riskLastUpdatedDateTime".
`properties.riskLevel`	`additional.fields.value.string_value`	Directly mapped from `properties.riskLevel` with label key as "riskLevel".
`properties.riskLevelDuringSignIn`	`additional.fields.value.string_value`	Directly mapped from `properties.riskLevelDuringSignIn` with label key as "riskLevelDuringSignIn".
`properties.riskState`	`additional.fields.value.string_value`	Directly mapped from `properties.riskState` with label key as "riskState".
`properties.riskDetail`	`additional.fields.value.string_value`	Directly mapped from `properties.riskDetail` with label key as "riskDetail".
`properties.riskType`	`additional.fields.value.string_value`	Directly mapped from `properties.riskType` with label key as "riskType".
`properties.source`	`additional.fields.value.string_value`	Directly mapped from `properties.source` with label key as "source".
`properties.targetResources.0.id`	`target.user.product_object_id`	Directly mapped from `properties.targetResources.0.id`.
`properties.targetResources.modifiedProperties.0.newValue`	`target.group.product_object_id`	Directly mapped from `properties.targetResources.modifiedProperties.0.newValue`.
`properties.tokenIssuerType`	`additional.fields.value.string_value`	Directly mapped from `properties.tokenIssuerType` with label key as "tokenIssuerType".
`properties.userAgent`	`network.http.user_agent`, `network.http.parsed_user_agent`	Directly mapped from `properties.userAgent`.
`properties.userDisplayName`	`target.user.user_display_name`	Directly mapped from `properties.userDisplayName`.
`properties.userId`	`target.user.product_object_id`	Directly mapped from `properties.userId`.
`properties.userPrincipalName`	`target.user.userid`, `target.user.email_addresses`	Directly mapped from `properties.userPrincipalName`. If it is an email address, it is mapped to `email_addresses`, otherwise to `userid`.
`result`	`security_result.action`, `security_result.action_details`	If `result` is "success", then `ALLOW`.
`resultDescription`	`security_result.description`	Directly mapped from `resultDescription`.
`resultSignature`	`additional.fields.value.string_value`	Directly mapped from `resultSignature` with label key as "resultSignature".
`resultType`	`security_result.rule_id`, `action`, `security_result.summary`	If `resultType` is "0", then `ALLOW` and "Successful login occurred". Otherwise, `BLOCK` and "Failed login occurred".
`resourceId`	`target.resource.id`, `target.resource.product_object_id`	Directly mapped from `resourceId`.
`resourceDisplayName`	`target.resource.name`, `appDisplayName`	Directly mapped from `resourceDisplayName`.
`riskDetail`	`additional.fields.value.string_value`	Directly mapped from `riskDetail` with label key as "riskDetail".
`riskEventTypes.[].`	`additional.fields.value.string_value`, `additional.fields.value.list_value.values.string_value`	Values are added to a list with key as "riskEventTypes" in `additional.fields`. Also, each value is added as a separate field with key as "riskEventType" in `additional.fields`.
`riskEventTypes_v2.[].`	`additional.fields.value.list_value.values.string_value`	Values are added to a list with key as "riskEventTypes_v2" in `additional.fields`.
`riskLevelAggregated`	`additional.fields.value.string_value`	Directly mapped from `riskLevelAggregated` with label key as "riskLevelAggregated".
`riskLevelDuringSignIn`	`additional.fields.value.string_value`	Directly mapped from `riskLevelDuringSignIn` with label key as "riskLevelDuringSignIn".
`riskState`	`additional.fields.value.string_value`	Directly mapped from `riskState` with label key as "riskState".
`status.additionalDetails`	`security_result.description`	Directly mapped from `status.additionalDetails`.
`status.errorCode`	`security_result.rule_id`, `errorCode`	Directly mapped from `status.errorCode`.
`target.displayName`	`resourceDisplayName`	Directly mapped from `target.displayName`.
`target.id`	`resourceId`	Directly mapped from `target.id`.
`target.modifiedProperties.[].displayName`	`target.resource.attribute.labels.key`	Directly mapped from `target.modifiedProperties.[].displayName`.
`target.modifiedProperties.[].newValue`	`target.resource.attribute.labels.value`, `target.resource.product_object_id`	Directly mapped from `target.modifiedProperties.[].newValue`.
`target.modifiedProperties.[].oldValue`	`target.resource.attribute.labels.value`	Directly mapped from `target.modifiedProperties.[].oldValue`.
`target.type`	`target.resource.type`	Directly mapped from `target.type`.
`tenantId`	`metadata.product_deployment_id`	Directly mapped from `tenantId`.
`time`	`when`	The `when` field is derived from the `time` field. The date and time are extracted from the `time` field using grok and then combined to form the `when` field.
`userAgent`	`network.http.user_agent`, `network.http.parsed_user_agent`	Directly mapped from `userAgent`.
`userDisplayName`	`target.user.user_display_name`	Directly mapped from `userDisplayName`.
`userId`	`target.user.product_object_id`	Directly mapped from `userId`.
`userPrincipalName`	`target.user.userid`, `principal.administrative_domain`, `target.user.email_addresses`	Directly mapped from `userPrincipalName`. If it is an email address, it is mapped to `email_addresses` and the domain part is extracted and mapped to `principal.administrative_domain`. Otherwise, it is mapped to `userid`.
(Parser Logic)	`event.idm.is_alert`, `event.idm.is_significant`	Set to true if level is "Critical".
(Parser Logic)	`event.idm.read_only_udm.metadata.event_type`	Set to "USER_LOGIN" if `has_target_user` is "true". Set to "USER_UNCATEGORIZED" if `has_principal_user` is "true". Set to "STATUS_UPDATE" if `has_principal` is "true". Set to "GENERIC_EVENT" otherwise.
(Parser Logic)	`event.idm.read_only_udm.metadata.vendor_name`	Set to "Microsoft".
(Parser Logic)	`event.idm.read_only_udm.metadata.product_name`	Set to "Azure AD".
(Parser Logic)	`event.idm.read_only_udm.extensions.auth.type`	Set to "SSO".
(Parser Logic)	`event.idm.read_only_udm.extensions.auth.mechanism`	Set to "INTERACTIVE" if `isInteractive` is "true". Set to "MECHANISM_OTHER" otherwise.
(Parser Logic)	`security_result.action`	Set to ALLOW if result is success.
(Parser Logic)	`security_result.action`	Set to ALLOW if resultType is 0.
(Parser Logic)	`security_result.action`	Set to BLOCK if resultType is not 0 and not "".
(Parser Logic)	`security_result.category`	Set to "AUTH_VIOLATION" if resultType is not 0 and not "".
(Parser Logic)	`security_result.description`	Set to "Group membership modified" if operationName is "Add member to group" and result is "success".
(Parser Logic)	`security_result.priority`	Set to "MEDIUM_PRIORITY" if properties.riskLevelDuringSignIn is "medium".
(Parser Logic)	`security_result.summary`	Set to "Successful login occurred" if resultType is 0.
(Parser Logic)	`security_result.summary`	Set to "Failed login occurred" if resultType is not 0 and not "".
(Parser Logic)	`security_result.summary`	Set to properties.activityDisplayName if it exists.
(Parser Logic)	`security_result.severity`	Set to INFORMATIONAL if level is "Information", "Informational", "0", or "4". Set to MEDIUM if level is "Warning", "1", or "3". Set to ERROR if level is "Error" or "2". Set to CRITICAL if level is "Critical".
(Parser Logic)	`security_result.severity`	Set to ERROR if resultType is not 0 and not "".

Need more help? Get answers from Community members and Google SecOps professionals.