Azure fields

Azure Module

azure

azure.subscription_id

Azure subscription ID

type: keyword

azure.correlation_id

Correlation ID

type: keyword

azure.tenant_id

Tenant ID

type: keyword

resource

Resource

azure.resource.id

Resource ID

type: keyword

azure.resource.group

Resource group

type: keyword

azure.resource.provider

Resource type/namespace

type: keyword

azure.resource.namespace

Resource type/namespace

type: keyword

azure.resource.name

Name

type: keyword

azure.resource.authorization_rule

Authorization rule

type: keyword

activitylogs

Fields for Azure activity logs.

identity

Identity

claims_initiated_by_user

Claims initiated by user

azure.activitylogs.identity.claims_initiated_by_user.name

Name

type: keyword

azure.activitylogs.identity.claims_initiated_by_user.givenname

Given name

type: keyword

azure.activitylogs.identity.claims_initiated_by_user.surname

Surname

type: keyword

azure.activitylogs.identity.claims_initiated_by_user.fullname

Full name

type: keyword

azure.activitylogs.identity.claims_initiated_by_user.schema

Schema

type: keyword

azure.activitylogs.identity.claims.*

Claims

type: object

authorization

Authorization

azure.activitylogs.identity.authorization.scope

Scope

type: keyword

azure.activitylogs.identity.authorization.action

Action

type: keyword

evidence

Evidence

azure.activitylogs.identity.authorization.evidence.role_assignment_scope

Role assignment scope

type: keyword

azure.activitylogs.identity.authorization.evidence.role_definition_id

Role definition ID

type: keyword

azure.activitylogs.identity.authorization.evidence.role

Role

type: keyword

azure.activitylogs.identity.authorization.evidence.role_assignment_id

Role assignment ID

type: keyword

azure.activitylogs.identity.authorization.evidence.principal_id

Principal ID

type: keyword

azure.activitylogs.identity.authorization.evidence.principal_type

Principal type

type: keyword

azure.activitylogs.operation_name

Operation name

type: keyword

azure.activitylogs.result_type

Result type

type: keyword

azure.activitylogs.result_signature

Result signature

type: keyword

azure.activitylogs.category

Category

type: keyword

azure.activitylogs.event_category

Event category

type: keyword

azure.activitylogs.properties

Properties

type: flattened

auditlogs

Fields for Azure audit logs.

azure.auditlogs.category

The category of the operation. Currently, Audit is the only supported value.

type: keyword

azure.auditlogs.operation_name

The operation name

type: keyword

azure.auditlogs.operation_version

The operation version

type: keyword

azure.auditlogs.identity

Identity

type: keyword

azure.auditlogs.tenant_id

Tenant ID

type: keyword

azure.auditlogs.result_signature

Result signature

type: keyword

properties

The audit log properties

azure.auditlogs.properties.result

Log result

type: keyword

azure.auditlogs.properties.activity_display_name

Activity display name

type: keyword

azure.auditlogs.properties.result_reason

Reason for the log result

type: keyword

azure.auditlogs.properties.correlation_id

Correlation ID

type: keyword

azure.auditlogs.properties.logged_by_service

Logged by service

type: keyword

azure.auditlogs.properties.operation_type

Operation type

type: keyword

azure.auditlogs.properties.id

ID

type: keyword

azure.auditlogs.properties.activity_datetime

Activity timestamp

type: date

azure.auditlogs.properties.category

Category

type: keyword

target_resources.*

Target resources

azure.auditlogs.properties.target_resources.*.display_name

Display name

type: keyword

azure.auditlogs.properties.target_resources.*.id

ID

type: keyword

azure.auditlogs.properties.target_resources.*.type

Type

type: keyword

azure.auditlogs.properties.target_resources.*.ip_address

IP address

type: keyword

azure.auditlogs.properties.target_resources.*.user_principal_name

User principal name

type: keyword

modified_properties.*

Modified properties

azure.auditlogs.properties.target_resources.*.modified_properties.*.new_value

New value

type: keyword

azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name

Display value

type: keyword

azure.auditlogs.properties.target_resources.*.modified_properties.*.old_value

Old value

type: keyword

initiated_by

Information regarding the initiator

app

App

azure.auditlogs.properties.initiated_by.app.servicePrincipalName

Service principal name

type: keyword

azure.auditlogs.properties.initiated_by.app.displayName

Display name

type: keyword

azure.auditlogs.properties.initiated_by.app.appId

App ID

type: keyword

azure.auditlogs.properties.initiated_by.app.servicePrincipalId

Service principal ID

type: keyword

user

User

azure.auditlogs.properties.initiated_by.user.userPrincipalName

User principal name

type: keyword

azure.auditlogs.properties.initiated_by.user.displayName

Display name

type: keyword

azure.auditlogs.properties.initiated_by.user.id

ID

type: keyword

azure.auditlogs.properties.initiated_by.user.ipAddress

IP address

type: keyword

platformlogs

Fields for Azure platform logs.

azure.platformlogs.operation_name

Operation name

type: keyword

azure.platformlogs.result_type

Result type

type: keyword

azure.platformlogs.result_signature

Result signature

type: keyword

azure.platformlogs.category

Category

type: keyword

azure.platformlogs.event_category

Event category

type: keyword

azure.platformlogs.status

Status

type: keyword

azure.platformlogs.ccpNamespace

ccpNamespace

type: keyword

azure.platformlogs.Cloud

Cloud

type: keyword

azure.platformlogs.Environment

Environment

type: keyword

azure.platformlogs.EventTimeString

EventTimeString

type: keyword

azure.platformlogs.Caller

Caller

type: keyword

azure.platformlogs.ScaleUnit

ScaleUnit

type: keyword

azure.platformlogs.ActivityId

ActivityId

type: keyword

azure.platformlogs.properties

Event inner properties

type: flattened

signinlogs

Fields for Azure sign-in logs.

azure.signinlogs.operation_name

The operation name

type: keyword

azure.signinlogs.operation_version

The operation version

type: keyword

azure.signinlogs.tenant_id

Tenant ID

type: keyword

azure.signinlogs.result_signature

Result signature

type: keyword

azure.signinlogs.result_description

Result description

type: keyword

azure.signinlogs.result_type

Result type

type: keyword

azure.signinlogs.identity

Identity

type: keyword

azure.signinlogs.category

Category

type: keyword

properties

The sign-in log properties

azure.signinlogs.properties.id

ID

type: keyword

azure.signinlogs.properties.created_at

Created date time

type: date

azure.signinlogs.properties.user_display_name

User display name

type: keyword

azure.signinlogs.properties.correlation_id

Correlation ID

type: keyword

azure.signinlogs.properties.user_principal_name

User principal name

type: keyword

azure.signinlogs.properties.user_id

User ID

type: keyword

azure.signinlogs.properties.app_id

App ID

type: keyword

azure.signinlogs.properties.app_display_name

App display name

type: keyword

azure.signinlogs.properties.ip_address

IP address

type: keyword

azure.signinlogs.properties.client_app_used

Client app used

type: keyword

azure.signinlogs.properties.conditional_access_status

Conditional access status

type: keyword

azure.signinlogs.properties.original_request_id

Original request ID

type: keyword

azure.signinlogs.properties.is_interactive

Is interactive

type: keyword

azure.signinlogs.properties.token_issuer_name

Token issuer name

type: keyword

azure.signinlogs.properties.token_issuer_type

Token issuer type

type: keyword

azure.signinlogs.properties.processing_time_ms

Processing time in milliseconds

type: float

azure.signinlogs.properties.risk_detail

Risk detail

type: keyword

azure.signinlogs.properties.risk_level_aggregated

Risk level aggregated

type: keyword

azure.signinlogs.properties.risk_level_during_signin

Risk level during sign-in

type: keyword

azure.signinlogs.properties.risk_state

Risk state

type: keyword

azure.signinlogs.properties.resource_display_name

Resource display name

type: keyword

status

Status

azure.signinlogs.properties.status.error_code

Error code

type: keyword

device_detail

Device detail

azure.signinlogs.properties.device_detail.device_id

Device ID

type: keyword

azure.signinlogs.properties.device_detail.operating_system

Operating system

type: keyword

azure.signinlogs.properties.device_detail.browser

Browser

type: keyword

azure.signinlogs.properties.device_detail.display_name

Display name

type: keyword

azure.signinlogs.properties.device_detail.trust_type

Trust type

type: keyword

azure.signinlogs.properties.service_principal_id

Service principal ID

type: keyword