Azure

The azure log type handles log data from cloud applications managed by Azure Cloud Services.

The following snippet lists every raw_field-to-ecs mapping defined for this log type. Note that several raw fields map onto the same ecs field (for example `Status` and `status`, or `Operation`, `OperationName` and `OperationNameValue`), and that raw field names are matched as written, including case:

  1. "mappings": [
  2. {
  3. "raw_field":"Resultdescription",
  4. "ecs":"azure.signinlogs.result_description"
  5. },
  6. {
  7. "raw_field":"eventSource",
  8. "ecs":"eventSource"
  9. },
  10. {
  11. "raw_field":"eventName",
  12. "ecs":"eventName"
  13. },
  14. {
  15. "raw_field":"Status",
  16. "ecs":"azure.platformlogs.status"
  17. },
  18. {
  19. "raw_field":"LoggedByService",
  20. "ecs":"azure.auditlogs.properties.logged_by_service"
  21. },
  22. {
  23. "raw_field":"properties_message",
  24. "ecs":"properties_message"
  25. },
  26. {
  27. "raw_field":"status",
  28. "ecs":"azure.platformlogs.status"
  29. },
  30. {
  31. "raw_field":"TargetUserName",
  32. "ecs":"azure.signinlogs.properties.user_id"
  33. },
  34. {
  35. "raw_field":"creationTime",
  36. "ecs":"timestamp"
  37. },
  38. {
  39. "raw_field":"Category",
  40. "ecs":"azure.activitylogs.category"
  41. },
  42. {
  43. "raw_field":"OperationName",
  44. "ecs":"azure.platformlogs.operation_name"
  45. },
  46. {
  47. "raw_field":"ModifiedProperties_NewValue",
  48. "ecs":"modified_properties.new_value"
  49. },
  50. {
  51. "raw_field":"ResourceProviderValue",
  52. "ecs":"azure.resource.provider"
  53. },
  54. {
  55. "raw_field":"conditionalAccessStatus",
  56. "ecs":"azure.signinlogs.properties.conditional_access_status"
  57. },
  58. {
  59. "raw_field":"SearchFilter",
  60. "ecs":"search_filter"
  61. },
  62. {
  63. "raw_field":"Operation",
  64. "ecs":"azure.platformlogs.operation_name"
  65. },
  66. {
  67. "raw_field":"ResultType",
  68. "ecs":"azure.platformlogs.result_type"
  69. },
  70. {
  71. "raw_field":"DeviceDetail_isCompliant",
  72. "ecs":"azure.signinlogs.properties.device_detail.is_compliant"
  73. },
  74. {
  75. "raw_field":"ResourceDisplayName",
  76. "ecs":"resource_display_name"
  77. },
  78. {
  79. "raw_field":"AuthenticationRequirement",
  80. "ecs":"azure.signinlogs.properties.authentication_requirement"
  81. },
  82. {
  83. "raw_field":"TargetResources",
  84. "ecs":"target_resources"
  85. },
  86. {
  87. "raw_field":"Workload",
  88. "ecs":"Workload"
  89. },
  90. {
  91. "raw_field":"DeviceDetail_deviceId",
  92. "ecs":"azure.signinlogs.properties.device_detail.device_id"
  93. },
  94. {
  95. "raw_field":"OperationNameValue",
  96. "ecs":"azure.platformlogs.operation_name"
  97. },
  98. {
  99. "raw_field":"ResourceId",
  100. "ecs":"azure.signinlogs.properties.resource_id"
  101. },
  102. {
  103. "raw_field":"ResultDescription",
  104. "ecs":"azure.signinlogs.result_description"
  105. },
  106. {
  107. "raw_field":"EventID",
  108. "ecs":"EventID"
  109. },
  110. {
  111. "raw_field":"NetworkLocationDetails",
  112. "ecs":"azure.signinlogs.properties.network_location_details"
  113. },
  114. {
  115. "raw_field":"CategoryValue",
  116. "ecs":"azure.activitylogs.category"
  117. },
  118. {
  119. "raw_field":"ActivityDisplayName",
  120. "ecs":"azure.auditlogs.properties.activity_display_name"
  121. },
  122. {
  123. "raw_field":"Initiatedby",
  124. "ecs":"azure.activitylogs.identity.claims_initiated_by_user.name"
  125. },
  126. {
  127. "raw_field":"Count",
  128. "ecs":"Count"
  129. },
  130. {
  131. "raw_field":"ResourceTenantId",
  132. "ecs":"azure.signinlogs.properties.resource_tenant_id"
  133. },
  134. {
  135. "raw_field":"failure_status_reason",
  136. "ecs":"failure_status_reason"
  137. },
  138. {
  139. "raw_field":"AppId",
  140. "ecs":"azure.signinlogs.properties.app_id"
  141. },
  142. {
  143. "raw_field":"properties.message",
  144. "ecs":"properties.message"
  145. },
  146. {
  147. "raw_field":"ClientApp",
  148. "ecs":"azure.signinlogs.properties.client_app_used"
  149. },
  150. {
  151. "raw_field":"ActivityDetails",
  152. "ecs":"ActivityDetails"
  153. },
  154. {
  155. "raw_field":"Target",
  156. "ecs":"Target"
  157. },
  158. {
  159. "raw_field":"DeviceDetail.trusttype",
  160. "ecs":"azure.signinlogs.properties.device_detail.trust_type"
  161. },
  162. {
  163. "raw_field":"HomeTenantId",
  164. "ecs":"azure.signinlogs.properties.home_tenant_id"
  165. },
  166. {
  167. "raw_field":"ConsentContext.IsAdminConsent",
  168. "ecs":"ConsentContext.IsAdminConsent"
  169. },
  170. {
  171. "raw_field":"InitiatedBy",
  172. "ecs":"InitiatedBy"
  173. },
  174. {
  175. "raw_field":"ActivityType",
  176. "ecs":"azure.auditlogs.properties.activity_display_name"
  177. },
  178. {
  179. "raw_field":"operationName",
  180. "ecs":"azure.activitylogs.operation_name"
  181. },
  182. {
  183. "raw_field":"ModifiedProperties{}.NewValue",
  184. "ecs":"modified_properties.new_value"
  185. },
  186. {
  187. "raw_field":"userAgent",
  188. "ecs":"user_agent.name"
  189. },
  190. {
  191. "raw_field":"RiskState",
  192. "ecs":"azure.signinlogs.properties.risk_state"
  193. },
  194. {
  195. "raw_field":"Username",
  196. "ecs":"azure.activitylogs.identity.claims_initiated_by_user.name"
  197. },
  198. {
  199. "raw_field":"DeviceDetail.deviceId",
  200. "ecs":"azure.signinlogs.properties.device_detail.device_id"
  201. },
  202. {
  203. "raw_field":"DeviceDetail.isCompliant",
  204. "ecs":"azure.signinlogs.properties.device_detail.is_compliant"
  205. },
  206. {
  207. "raw_field":"Location",
  208. "ecs":"azure.signinlogs.properties.network_location_details"
  209. }
  210. ]