Collect Microsoft Entra ID sign-in logs

Supported in:

This document explains how to collect Microsoft Entra ID (formerly Azure Active Directory) sign-in logs by setting up a Google Security Operations feed. You can configure ingestion using two methods: Azure Event Hub (recommended) or the Third Party API.

Before you begin

Ensure that you have the following prerequisites:

  • A Google SecOps instance
  • Privileged access to Microsoft Azure portal
  • Security Administrator or Global Administrator role in Microsoft Entra ID (required for diagnostic settings)
  • For the Third Party API method, one of the following roles for granting admin consent:
    • Global Administrator - can grant consent for any permission, for any API
    • Privileged Role Administrator - can grant consent for any permission, for any API
    • Cloud Application Administrator - can grant consent for any permission for any API, except Microsoft Graph app roles (application permissions)

This method streams Entra ID sign-in logs through Azure Event Hub with Capture enabled, which writes the data to Azure Blob Storage. Google SecOps then ingests the logs from Blob Storage using the Azure Blob Storage V2 feed type.

Configure Azure Storage Account

Create Storage Account

  1. In the Azure portal, search for Storage accounts.
  2. Click + Create.

  3. Provide the following configuration details:

    Setting Value
    Subscription Select your Azure subscription
    Resource group Select existing or create new
    Storage account name Enter a unique name (for example, secopsaadsignin)
    Region Select the region closest to your Event Hub namespace
    Performance Standard (recommended)
    Redundancy LRS (Locally redundant storage) or GRS (Geo-redundant storage)

  4. Click Review + create.

  5. Review the overview and click Create.

  6. Wait for the deployment to complete.

Get Storage Account credentials

  1. Go to the Storage Account you created.
  2. In the left navigation, select Access keys under Security + networking.
  3. Click Show keys.
  4. Copy and save the following:
    • Storage account name
    • Key 1 or Key 2: The shared access key.

Create Event Hub namespace and Event Hub

Create Event Hub namespace

  1. In the Azure portal, search for Event Hubs.
  2. Click + Create.

  3. Provide the following configuration details:

    Setting Value
    Subscription Select your Azure subscription
    Resource group Select the same resource group as your storage account
    Namespace name Enter a unique name (for example, secops-entraid-signin)
    Location Select the same region as your storage account
    Pricing tier Standard (required for Event Hub Capture)

  4. Click Review + create, then click Create.

  5. Wait for the deployment to complete.

Create Event Hub

  1. Go to the Event Hub namespace you created.
  2. Click + Event Hub at the top.
  3. Provide the following configuration details:
    • Name: Enter a name (for example, entraid-signin-logs).
    • Partition count: 2 (default, increase for higher throughput).
    • Cleanup policy: Delete.
    • Retention time (hrs): 24 (minimum, increase if needed for resilience).
  4. Click Review + create, then click Create.

Enable Event Hub Capture

  1. Go to the Event Hub you created (inside the namespace).
  2. In the left navigation, select Capture.
  3. Set Capture to On.

  4. Provide the following configuration details:

    Setting Value
    Time window (minutes) 5 (or lower for near-real-time)
    Size window (MB) 300
    Capture Provider Azure Blob Storage
    Azure Subscription Select your subscription
    Storage Account Select the storage account you created
    Blob Container Create or select a container (for example, entraid-signin-capture)

  5. Click Save.

Configure Entra ID diagnostic settings

  1. In the Azure portal, search for Microsoft Entra ID.
  2. In the left navigation, go to Monitoring & health > Diagnostic settings.
  3. Click Add diagnostic setting.
  4. Provide the following configuration details:
    • Diagnostic setting name: Enter a descriptive name (for example, signin-logs-to-eventhub).
    • In the Logs section, select the sign-in log categories you want to export:
      • SignInLogs - Interactive user sign-ins.
      • NonInteractiveUserSignInLogs - Non-interactive user sign-ins (optional, recommended).
      • ServicePrincipalSignInLogs - Service principal sign-ins (optional).
      • ManagedIdentitySignInLogs - Managed identity sign-ins (optional).
    • In the Destination details section, select Stream to an event hub.
    • Subscription: Select the subscription containing your Event Hub namespace.
    • Event hub namespace: Select the namespace you created (for example, secops-entraid-signin).
    • Event hub name: Select the Event Hub you created (for example, entraid-signin-logs).
    • Event hub policy name: Select RootManageSharedAccessKey.

  5. Click Save.

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

  • SIEM Settings > Feeds > Add New Feed
  • Content Hub > Content Packs > Get Started

Configure a feed in Google SecOps to ingest Entra ID sign-in logs

  1. Click the Azure Platform pack.
  2. Locate the Azure AD log type.

  3. Specify values for the following fields:

    • Source Type: Microsoft Azure Blob Storage V2

    • Azure URI: Enter the Blob Service endpoint URL with the capture container path:

      https://<storage-account>.blob.core.windows.net/entraid-signin-capture/

      Replace <storage-account> with your Azure storage account name.

    • Source deletion option: Select the deletion option according to your preference:

      • Never: Never deletes any files after transfers.
      • Delete transferred files: Deletes files after successful transfer.
      • Delete transferred files and empty directories: Deletes files and empty directories after successful transfer.

    • Maximum File Age: Include files modified in the last number of days. Default is 180 days.

    • Shared key: Enter the shared access key value from the Storage Account.

    • Asset namespace: The asset namespace.

    • Ingestion labels: The label to be applied to the events from this feed.

  4. Click Create feed.

After creating the feed, it may take 5-10 minutes before logs start appearing in Google SecOps.

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type.

Configure Azure Storage firewall (if enabled)

If your Azure Storage Account uses a firewall, you must add Google SecOps IP ranges.

  1. In the Azure portal, go to your Storage Account.
  2. Select Networking under Security + networking.
  3. Under Firewalls and virtual networks, select Enabled from selected virtual networks and IP addresses.
  4. In the Firewall section, under Address range, click + Add IP range.
  5. Add each Google SecOps IP range in CIDR notation.
  6. Click Save.

Method 2: Third Party API

This method uses the Microsoft Graph API to retrieve Entra ID sign-in logs directly from your Microsoft tenant.

Configure IP allowlisting

Before creating the feed, you must allowlist Google SecOps IP ranges in your Microsoft Azure network settings or Conditional Access policies.

Get Google SecOps IP ranges

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. Note the IP ranges displayed in the feed creation interface.
  4. Alternatively, retrieve IP ranges programmatically using the Feed Management API.

Configure Conditional Access for workload identities (if required)

If your organization uses Conditional Access policies that restrict access by location:

  1. In the Microsoft Entra admin center, go to Protection > Conditional Access > Named locations.
  2. Click + New location.
  3. Provide the following configuration details:
    • Name: Enter Google SecOps IP Ranges.
    • Mark as trusted location: Optional, based on your security policy.
    • IP ranges: Add each Google SecOps IP range in CIDR notation.
  4. Click Create.
  5. Go to Conditional Access > Policies.
  6. For any policies that apply to workload identities, configure an exclusion for the Google SecOps IP Ranges named location or the specific service principal.

Configure Microsoft Azure AD API access

Create app registration

  1. Sign in to the Microsoft Entra admin center or Azure portal.
  2. Go to Identity > Applications > App registrations.
  3. Click New registration.

  4. Provide the following configuration details:

    • Name: Enter a descriptive name (for example, Google SecOps Sign-In Logs Integration).
    • Supported account types: Select Accounts in this organizational directory only (Single tenant).
    • Redirect URI: Leave blank (not required for service principal authentication).

  5. Click Register.

  6. After registration, copy and save the following values:

    • Application (client) ID
    • Directory (tenant) ID

Configure API permissions

The integration requires the following Microsoft Graph application permissions:

  1. In the app registration, go to API permissions.
  2. Click Add a permission.
  3. Select Microsoft Graph > Application permissions.
  4. Select the following permissions:
    • AuditLog.Read.All - Required to read sign-in logs.
    • Directory.Read.All - Required by Microsoft Graph API for sign-in log access (known issue).
    • SecurityEvents.Read.All - Required by Google Security Operations.
  5. Click Add permissions.
  6. Click Grant admin consent for [Your Organization].
  7. Verify that the Status column shows Granted for [Your Organization] for all three permissions.
Permission Type Description
AuditLog.Read.All Application Read all sign-in and audit log data
Directory.Read.All Application Read directory data (required for API access)
SecurityEvents.Read.All Application Read security events

Create client secret

  1. Go to Certificates & secrets.
  2. Click New client secret.

  3. Provide the following configuration details:

    • Description: Enter a descriptive name (for example, Google SecOps Feed).
    • Expires: Select an expiration period.

  4. Click Add.

  5. Important: Copy the client secret Value immediately. This value is displayed only once and cannot be retrieved later.

Verify API access before creating feed

Before creating the Google SecOps feed, verify that the service principal can successfully authenticate and access the Microsoft Graph API.

  • Test authentication using PowerShell

    # Replace with your actual values
$tenantId = "your-tenant-id"
$clientId = "your-client-id"
$clientSecret = "your-client-secret"

# Token request parameters (must be lowercase)
$tokenBody = @{
    grant_type    = "client_credentials"
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = "https://graph.microsoft.com/.default"
}

# Request access token
$tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$tokenResponse = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $tokenBody -ContentType "application/x-www-form-urlencoded"

if ($tokenResponse.access_token) {
    Write-Host "✓ Successfully obtained access token" -ForegroundColor Green

    # Test API call to sign-ins endpoint
    $apiUrl = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$top=1"
    $headers = @{
        Authorization = "Bearer $($tokenResponse.access_token)"
    }

    try {
        $signInResponse = Invoke-RestMethod -Method Get -Uri $apiUrl -Headers $headers
        Write-Host "✓ Successfully accessed sign-ins API" -ForegroundColor Green
        Write-Host "Sample sign-in log retrieved successfully" -ForegroundColor Green
    }
    catch {
        Write-Host "✗ Failed to access sign-ins API" -ForegroundColor Red
        Write-Host "Error: $($_.Exception.Message)" -ForegroundColor Red
    }
}
else {
    Write-Host "✗ Failed to obtain access token" -ForegroundColor Red
}

  • Expected output:

    ✓ Successfully obtained access token
✓ Successfully accessed sign-ins API
Sample sign-in log retrieved successfully

  • Test authentication using curl

    # Replace with your actual values
TENANT_ID="your-tenant-id"
CLIENT_ID="your-client-id"
CLIENT_SECRET="your-client-secret"

# Request access token
curl -X POST "https://login.microsoftonline.com/$TENANT_ID/oauth2/v2.0/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-d "client_id=$CLIENT_ID" \
-d "client_secret=$CLIENT_SECRET" \
-d "scope=https://graph.microsoft.com/.default"

# Test API access
curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
"https://graph.microsoft.com/v1.0/auditLogs/signIns?\$top=1"

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

  • SIEM Settings > Feeds > Add New Feed
  • Content Hub > Content Packs > Get Started

Configure a feed in Google SecOps to ingest Microsoft Azure AD sign-in logs

  1. Click the Azure Platform pack.
  2. Locate the Azure AD log type.

  3. Specify values for the following fields:

    • Source Type: Third party API (recommended)
    • OAuth client ID: The Application (client) ID from the app registration.
    • OAuth client secret: The client secret value you copied earlier.
    • Tenant ID: Your Microsoft tenant ID from the app registration (UUID format, for example, 0fc279f9-fe30-41be-97d3-abe1d7681418).

    • API Full Path: Microsoft Graph REST API endpoint URL:

      graph.microsoft.com/v1.0/auditLogs/signIns

    • API Authentication Endpoint: Microsoft Active Directory Authentication Endpoint:

      login.microsoftonline.com

    Advanced Options:

    • Feed Name: A prepopulated value that identifies the feed.
    • Asset namespace: The asset namespace that the feed will be associated with.
    • Ingestion Labels: Labels will be added to all the events from this feed.

  4. Click Create feed.

After creating the feed, context data will be retrieved periodically. It may take up to 24 hours for the initial directory snapshot to appear in Google SecOps.

For more information about configuring multiple feeds for different log types within this product family, see Configure feeds by product.

For more information about Google Security Operations feeds, see Google Security Operations feeds documentation. For information about requirements for each feed type, see Feed configuration by type. If you encounter issues when you create feeds, contact Google Security Operations support.

Regional endpoints

For Microsoft Azure AD deployments in sovereign clouds, use the appropriate regional endpoints:

Cloud Environment API Full Path API Authentication Endpoint
Global graph.microsoft.com/v1.0/auditLogs/signIns login.microsoftonline.com
US Government L4 graph.microsoft.us/v1.0/auditLogs/signIns login.microsoftonline.us
US Government L5 (DOD) dod-graph.microsoft.us/v1.0/auditLogs/signIns login.microsoftonline.us
China (21Vianet) microsoftgraph.chinacloudapi.cn/v1.0/auditLogs/signIns login.chinacloudapi.cn

UDM Mapping Table

Log Field UDM Mapping Logic
activityDateTime principal.event_timestamp Parsed from the activityDateTime field. If the field is not in the expected "yyyy-MM-ddTHH:mm:ss.SSSZ" format or "ISO8601" format, the parser will try other formats like "MM/dd/yyyy HH:mm:ss A" or "MM/d/yyyy HH:mm:ss A".
activityDisplayName security_result.summary Directly mapped from activityDisplayName.
additionalDetails.0.value network.http.user_agent Directly mapped from additionalDetails.0.value.
additionalDetails.1.key target.resource.attribute.labels.key Directly mapped from additionalDetails.1.key.
additionalDetails.1.value target.resource.attribute.labels.value Directly mapped from additionalDetails.1.value.
additionalInfo.[].Key network.http.user_agent, target.url If Key is userAgent, map Value to network.http.user_agent and network.http.parsed_user_agent. If Key is alertUrl, map Value to target.url.
additionalInfo.[].Value network.http.user_agent, target.url If Key is userAgent, map Value to network.http.user_agent and network.http.parsed_user_agent. If Key is alertUrl, map Value to target.url.
am_category metadata.description Directly mapped from am_category.
am_tenantId metadata.product_deployment_id Directly mapped from am_tenantId.
appId target.resource.attribute.labels.value Directly mapped from appId with label key as "App Id".
appDisplayName target.application Directly mapped from appDisplayName.
appliedConditionalAccessPolicies.[].displayName security_result.[].rule_name, about.[].user.user_display_name Directly mapped from appliedConditionalAccessPolicies.[].displayName.
appliedConditionalAccessPolicies.[].enforcedGrantControls security_result.[].rule_labels.value Directly mapped from appliedConditionalAccessPolicies.[].enforcedGrantControls with label key as "applied_conditional_access_policies_enforced_grant_controls".
appliedConditionalAccessPolicies.[].enforcedSessionControls security_result.[].rule_labels.value Directly mapped from appliedConditionalAccessPolicies.[].enforcedSessionControls with label key as "applied_conditional_access_policies_enforced_session_controls".
appliedConditionalAccessPolicies.[].id security_result.[].rule_id, about.[].user.userid Directly mapped from appliedConditionalAccessPolicies.[].id.
appliedConditionalAccessPolicies.[].result security_result.[].detection_fields.value, about.[].labels.value Directly mapped from appliedConditionalAccessPolicies.[].result with label key as "Result".
authenticationDetails.[].authenticationMethod security_result.[].detection_fields.value Directly mapped from authenticationDetails.[].authenticationMethod with label key as "authenticationMethod".
authenticationDetails.[].authenticationMethodDetail security_result.[].detection_fields.value Directly mapped from authenticationDetails.[].authenticationMethodDetail with label key as "authenticationMethodDetail".
authenticationDetails.[].authenticationStepDateTime security_result.[].detection_fields.value Directly mapped from authenticationDetails.[].authenticationStepDateTime with label key as "authenticationStepDateTime".
authenticationDetails.[].authenticationStepRequirement security_result.[].detection_fields.value Directly mapped from authenticationDetails.[].authenticationStepRequirement with label key as "authenticationStepRequirement".
authenticationDetails.[].authenticationStepResultDetail security_result.[].detection_fields.value Directly mapped from authenticationDetails.[].authenticationStepResultDetail with label key as "authenticationStepResultDetail".
authenticationDetails.[].succeeded security_result.action If value is "true", then ALLOW, else BLOCK.
authenticationRequirement additional.fields.value.string_value Directly mapped from authenticationRequirement with label key as "AuthenticationRequirement".
authenticationRequirementPolicies.[].detail security_result.detection_fields.value Directly mapped from authenticationRequirementPolicies.[].detail with label key as "detail".
authenticationRequirementPolicies.[].requirementProvider security_result.detection_fields.value Directly mapped from authenticationRequirementPolicies.[].requirementProvider with label key as "requirementProvider".
callerIpAddress principal.ip, principal.asset.ip Directly mapped from callerIpAddress.
category metadata.description Directly mapped from category.
clientAppUsed principal.application Directly mapped from clientAppUsed.
conditionalAccessStatus additional.fields.value.string_value Directly mapped from conditionalAccessStatus with label key as "conditionalAccessStatus".
correlationId network.session_id, security_result.detection_fields.value Directly mapped from correlationId. Also used as security_result.detection_fields.value with label key as "CorrelationId".
createdDateTime when The when field is derived from the createdDateTime field. The date and time are extracted from the createdDateTime field using grok and then combined to form the when field.
deviceDetail.browser network.http.user_agent Directly mapped from deviceDetail.browser.
deviceDetail.deviceId principal.asset.asset_id, principal.asset_id Directly mapped from deviceDetail.deviceId and prefixed with "Device ID:".
deviceDetail.displayName principal.asset.hostname Directly mapped from deviceDetail.displayName.
deviceDetail.isCompliant principal.asset.attribute.labels.value Directly mapped from deviceDetail.isCompliant with label key as "isCompliant".
deviceDetail.isManaged principal.asset.attribute.labels.value Directly mapped from deviceDetail.isManaged with label key as "isManaged".
deviceDetail.operatingSystem principal.platform_version Directly mapped from deviceDetail.operatingSystem.
deviceDetail.trustType principal.asset.attribute.labels.value Directly mapped from deviceDetail.trustType with label key as "trustType".
durationMs additional.fields.value.string_value Directly mapped from durationMs with label key as "durationMs".
event.id - Not mapped as per instructions (point 3).
id metadata.product_log_id Directly mapped from id.
identity target.user.user_display_name Directly mapped from identity if it is different from userId and is not an email address.
initiatedBy.user.displayName principal.user.user_display_name Directly mapped from initiatedBy.user.displayName.
initiatedBy.user.id principal.user.userid, principal.user.windows_sid Directly mapped from initiatedBy.user.id.
initiatedBy.user.ipAddress principal.ip, principal.asset.ip Directly mapped from initiatedBy.user.ipAddress.
initiatedBy.user.userPrincipalName principal.user.email_addresses, principal.user.userid Directly mapped from initiatedBy.user.userPrincipalName. If it is an email address, it is mapped to email_addresses, otherwise to userid.
Level security_result.severity_details, level Directly mapped from Level.
level security_result.severity_details, security_result.severity Directly mapped from level. Also mapped to security_result.severity after converting to uppercase. Special handling for "Information", "Informational", "0", "4", "Warning", "1", "3", "Error", "2", and "Critical" values.
location.city principal.location.city Directly mapped from location.city.
location.countryOrRegion principal.location.country_or_region Directly mapped from location.countryOrRegion.
location.geoCoordinates.altitude additional.fields.value.string_value Directly mapped from location.geoCoordinates.altitude with label key as "location_geoCoordinates_altitude".
location.geoCoordinates.latitude principal.location.region_latitude, principal.location.region_coordinates.latitude Directly mapped from location.geoCoordinates.latitude.
location.geoCoordinates.longitude principal.location.region_longitude, principal.location.region_coordinates.longitude Directly mapped from location.geoCoordinates.longitude.
location.state principal.location.state Directly mapped from location.state.
location principal.location.name Directly mapped from location.
log_type metadata.log_type Directly mapped from log_type.
networkLocationDetails.[].networkNames additional.fields.value.string_value Concatenated values from networkLocationDetails.[].networkNames with label key as "networkName {index}".
networkLocationDetails.[].networkType security_result.detection_fields.value, additional.fields.value.string_value Directly mapped from networkLocationDetails.[].networkType with label key as "networkType". Also used as additional.fields.value.string_value with label key as "networkType {index}".
operationName event_type If operationName is "Sign-in activity", then USER_LOGIN. If operationName is "Add member to group", then USER_CHANGE_PERMISSIONS.
operationType security_result.action_details Directly mapped from operationType.
properties.activity security_result.summary Directly mapped from properties.activity.
properties.activityDateTime when Parsed from the properties.activityDateTime field. If the field is not in the expected "yyyy-MM-ddTHH:mm:ss.SSSZ" format or "ISO8601" format, the parser will try other formats like "MM/dd/yyyy HH:mm:ss A" or "MM/d/yyyy HH:mm:ss A".
properties.activityDisplayName security_result.summary Directly mapped from properties.activityDisplayName.
properties.additionalInfo network.http.user_agent, target.url Parsed as JSON and if key is userAgent, map value to network.http.user_agent and network.http.parsed_user_agent. If key is alertUrl, map value to target.url.
properties.appliedConditionalAccessPolicies.[].displayName security_result.[].rule_name Directly mapped from properties.appliedConditionalAccessPolicies.[].displayName.
properties.appliedConditionalAccessPolicies.[].enforcedGrantControls security_result.[].rule_labels.value Directly mapped from properties.appliedConditionalAccessPolicies.[].enforcedGrantControls with label key as "applied_conditional_access_policies_enforced_grant_controls".
properties.appliedConditionalAccessPolicies.[].enforcedSessionControls security_result.[].rule_labels.value Directly mapped from properties.appliedConditionalAccessPolicies.[].enforcedSessionControls with label key as "applied_conditional_access_policies_enforced_session_controls".
properties.appliedConditionalAccessPolicies.[].id security_result.[].rule_id Directly mapped from properties.appliedConditionalAccessPolicies.[].id.
properties.appliedConditionalAccessPolicies.[].result security_result.[].detection_fields.value Directly mapped from properties.appliedConditionalAccessPolicies.[].result with label key as "Result".
properties.appId appId Directly mapped from properties.appId.
properties.appDisplayName target.application Directly mapped from properties.appDisplayName.
properties.authenticationDetails.[].authenticationMethod security_result.detection_fields.value Directly mapped from properties.authenticationDetails.[].authenticationMethod with label key as "authenticationMethod".
properties.authenticationDetails.[].authenticationMethodDetail security_result.detection_fields.value Directly mapped from properties.authenticationDetails.[].authenticationMethodDetail with label key as "authenticationMethodDetail".
properties.authenticationDetails.[].authenticationStepDateTime security_result.detection_fields.value Directly mapped from properties.authenticationDetails.[].authenticationStepDateTime with label key as "authenticationStepDateTime".
properties.authenticationDetails.[].authenticationStepRequirement security_result.detection_fields.value Directly mapped from properties.authenticationDetails.[].authenticationStepRequirement with label key as "authenticationStepRequirement".
properties.authenticationDetails.[].authenticationStepResultDetail security_result.detection_fields.value Directly mapped from properties.authenticationDetails.[].authenticationStepResultDetail with label key as "authenticationStepResultDetail".
properties.authenticationRequirement additional.fields.value.string_value Directly mapped from properties.authenticationRequirement with label key as "AuthenticationRequirement".
properties.authenticationRequirementPolicies.[].detail security_result.detection_fields.value Directly mapped from properties.authenticationRequirementPolicies.[].detail with label key as "detail".
properties.authenticationRequirementPolicies.[].requirementProvider security_result.detection_fields.value Directly mapped from properties.authenticationRequirementPolicies.[].requirementProvider with label key as "requirementProvider".
properties.clientAppUsed principal.application Directly mapped from properties.clientAppUsed.
properties.conditionalAccessStatus additional.fields.value.string_value Directly mapped from properties.conditionalAccessStatus with label key as "conditionalAccessStatus".
properties.crossTenantAccessType additional.fields.value.string_value Directly mapped from properties.crossTenantAccessType with label key as "crossTenantAccessType".
properties.detectedDateTime additional.fields.value.string_value Directly mapped from properties.detectedDateTime with label key as "detectedDateTime".
properties.detectionTimingType additional.fields.value.string_value Directly mapped from properties.detectionTimingType with label key as "detectionTimingType".
properties.homeTenantId additional.fields.value.string_value Directly mapped from properties.homeTenantId with label key as "homeTenantId".
properties.id metadata.product_log_id Directly mapped from properties.id.
properties.initiatedBy.user.displayName principal.user.user_display_name Directly mapped from properties.initiatedBy.user.displayName.
properties.initiatedBy.user.id principal.user.windows_sid Directly mapped from properties.initiatedBy.user.id.
properties.initiatedBy.user.ipAddress principal.ip, principal.asset.ip Directly mapped from properties.initiatedBy.user.ipAddress.
properties.initiatedBy.user.userPrincipalName principal.user.email_addresses, principal.user.userid Directly mapped from properties.initiatedBy.user.userPrincipalName. If it is an email address, it is mapped to email_addresses, otherwise to userid.
properties.ipAddress principal.ip, principal.asset.ip Directly mapped from properties.ipAddress.
properties.isGuest additional.fields.value.string_value Directly mapped from properties.isGuest with label key as "isGuest".
properties.isDeleted additional.fields.value.string_value Directly mapped from properties.isDeleted with label key as "isDeleted".
properties.isProcessing additional.fields.value.string_value Directly mapped from properties.isProcessing with label key as "isProcessing".
properties.lastUpdatedDateTime additional.fields.value.string_value Directly mapped from properties.lastUpdatedDateTime with label key as "lastUpdatedDateTime".
properties.location.city principal.location.city Directly mapped from properties.location.city.
properties.location.countryOrRegion principal.location.country_or_region Directly mapped from properties.location.countryOrRegion.
properties.location.geoCoordinates.latitude principal.location.region_latitude, principal.location.region_coordinates.latitude Directly mapped from properties.location.geoCoordinates.latitude.
properties.location.geoCoordinates.longitude principal.location.region_longitude, principal.location.region_coordinates.longitude Directly mapped from properties.location.geoCoordinates.longitude.
properties.location.state principal.location.state Directly mapped from properties.location.state.
properties.networkLocationDetails.[].networkNames additional.fields.value.string_value Concatenated values from properties.networkLocationDetails.[].networkNames with label key as "properties networkName {index}".
properties.networkLocationDetails.[].networkType additional.fields.value.string_value Directly mapped from properties.networkLocationDetails.[].networkType with label key as "properties networkType {index}".
properties.riskEventType additional.fields.value.string_value Directly mapped from properties.riskEventType with label key as "riskEventType".
properties.riskLastUpdatedDateTime additional.fields.value.string_value Directly mapped from properties.riskLastUpdatedDateTime with label key as "riskLastUpdatedDateTime".
properties.riskLevel additional.fields.value.string_value Directly mapped from properties.riskLevel with label key as "riskLevel".
properties.riskLevelDuringSignIn additional.fields.value.string_value Directly mapped from properties.riskLevelDuringSignIn with label key as "riskLevelDuringSignIn".
properties.riskState additional.fields.value.string_value Directly mapped from properties.riskState with label key as "riskState".
properties.riskDetail additional.fields.value.string_value Directly mapped from properties.riskDetail with label key as "riskDetail".
properties.riskType additional.fields.value.string_value Directly mapped from properties.riskType with label key as "riskType".
properties.source additional.fields.value.string_value Directly mapped from properties.source with label key as "source".
properties.targetResources.0.id target.user.product_object_id Directly mapped from properties.targetResources.0.id.
properties.targetResources.modifiedProperties.0.newValue target.group.product_object_id Directly mapped from properties.targetResources.modifiedProperties.0.newValue.
properties.tokenIssuerType additional.fields.value.string_value Directly mapped from properties.tokenIssuerType with label key as "tokenIssuerType".
properties.userAgent network.http.user_agent, network.http.parsed_user_agent Directly mapped from properties.userAgent.
properties.userDisplayName target.user.user_display_name Directly mapped from properties.userDisplayName.
properties.userId target.user.product_object_id Directly mapped from properties.userId.
properties.userPrincipalName target.user.userid, target.user.email_addresses Directly mapped from properties.userPrincipalName. If it is an email address, it is mapped to email_addresses, otherwise to userid.
result security_result.action, security_result.action_details If result is "success", then ALLOW.
resultDescription security_result.description Directly mapped from resultDescription.
resultSignature additional.fields.value.string_value Directly mapped from resultSignature with label key as "resultSignature".
resultType security_result.rule_id, action, security_result.summary If resultType is "0", then ALLOW and "Successful login occurred". Otherwise, BLOCK and "Failed login occurred".
resourceId target.resource.id, target.resource.product_object_id Directly mapped from resourceId.
resourceDisplayName target.resource.name, appDisplayName Directly mapped from resourceDisplayName.
riskDetail additional.fields.value.string_value Directly mapped from riskDetail with label key as "riskDetail".
riskEventTypes.[]. additional.fields.value.string_value, additional.fields.value.list_value.values.string_value Values are added to a list with key as "riskEventTypes" in additional.fields. Also, each value is added as a separate field with key as "riskEventType" in additional.fields.
riskEventTypes_v2.[]. additional.fields.value.list_value.values.string_value Values are added to a list with key as "riskEventTypes_v2" in additional.fields.
riskLevelAggregated additional.fields.value.string_value Directly mapped from riskLevelAggregated with label key as "riskLevelAggregated".
riskLevelDuringSignIn additional.fields.value.string_value Directly mapped from riskLevelDuringSignIn with label key as "riskLevelDuringSignIn".
riskState additional.fields.value.string_value Directly mapped from riskState with label key as "riskState".
status.additionalDetails security_result.description Directly mapped from status.additionalDetails.
status.errorCode security_result.rule_id, errorCode Directly mapped from status.errorCode.
target.displayName resourceDisplayName Directly mapped from target.displayName.
target.id resourceId Directly mapped from target.id.
target.modifiedProperties.[].displayName target.resource.attribute.labels.key Directly mapped from target.modifiedProperties.[].displayName.
target.modifiedProperties.[].newValue target.resource.attribute.labels.value, target.resource.product_object_id Directly mapped from target.modifiedProperties.[].newValue.
target.modifiedProperties.[].oldValue target.resource.attribute.labels.value Directly mapped from target.modifiedProperties.[].oldValue.
target.type target.resource.type Directly mapped from target.type.
tenantId metadata.product_deployment_id Directly mapped from tenantId.
time when The when field is derived from the time field. The date and time are extracted from the time field using grok and then combined to form the when field.
userAgent network.http.user_agent, network.http.parsed_user_agent Directly mapped from userAgent.
userDisplayName target.user.user_display_name Directly mapped from userDisplayName.
userId target.user.product_object_id Directly mapped from userId.
userPrincipalName target.user.userid, principal.administrative_domain, target.user.email_addresses Directly mapped from userPrincipalName. If it is an email address, it is mapped to email_addresses and the domain part is extracted and mapped to principal.administrative_domain. Otherwise, it is mapped to userid.
(Parser Logic) event.idm.is_alert, event.idm.is_significant Set to true if level is "Critical".
(Parser Logic) event.idm.read_only_udm.metadata.event_type Set to "USER_LOGIN" if has_target_user is "true". Set to "USER_UNCATEGORIZED" if has_principal_user is "true". Set to "STATUS_UPDATE" if has_principal is "true". Set to "GENERIC_EVENT" otherwise.
(Parser Logic) event.idm.read_only_udm.metadata.vendor_name Set to "Microsoft".
(Parser Logic) event.idm.read_only_udm.metadata.product_name Set to "Azure AD".
(Parser Logic) event.idm.read_only_udm.extensions.auth.type Set to "SSO".
(Parser Logic) event.idm.read_only_udm.extensions.auth.mechanism Set to "INTERACTIVE" if isInteractive is "true". Set to "MECHANISM_OTHER" otherwise.
(Parser Logic) security_result.action Set to ALLOW if result is success.
(Parser Logic) security_result.action Set to ALLOW if resultType is 0.
(Parser Logic) security_result.action Set to BLOCK if resultType is not 0 and not "".
(Parser Logic) security_result.category Set to "AUTH_VIOLATION" if resultType is not 0 and not "".
(Parser Logic) security_result.description Set to "Group membership modified" if operationName is "Add member to group" and result is "success".
(Parser Logic) security_result.priority Set to "MEDIUM_PRIORITY" if properties.riskLevelDuringSignIn is "medium".
(Parser Logic) security_result.summary Set to "Successful login occurred" if resultType is 0.
(Parser Logic) security_result.summary Set to "Failed login occurred" if resultType is not 0 and not "".
(Parser Logic) security_result.summary Set to properties.activityDisplayName if it exists.
(Parser Logic) security_result.severity Set to INFORMATIONAL if level is "Information", "Informational", "0", or "4". Set to MEDIUM if level is "Warning", "1", or "3". Set to ERROR if level is "Error" or "2". Set to CRITICAL if level is "Critical".
(Parser Logic) security_result.severity Set to ERROR if resultType is not 0 and not "".

Need more help? Get answers from Community members and Google SecOps professionals.