Azure fields

edit

Azure Module

azure

edit
azure.subscription_id

Azure subscription ID

type: keyword

azure.correlation_id

Correlation ID

type: keyword

azure.tenant_id

tenant ID

type: keyword

resource

edit

Resource

azure.resource.id

Resource ID

type: keyword

azure.resource.group

Resource group

type: keyword

azure.resource.provider

Resource type/namespace

type: keyword

azure.resource.namespace

Resource type/namespace

type: keyword

azure.resource.name

Name

type: keyword

azure.resource.authorization_rule

Authorization rule

type: keyword

activitylogs

edit

Fields for Azure activity logs.

identity

edit

Identity

claims_initiated_by_user

edit

Claims initiated by user

azure.activitylogs.identity.claims_initiated_by_user.name

Name

type: keyword

azure.activitylogs.identity.claims_initiated_by_user.givenname

Givenname

type: keyword

azure.activitylogs.identity.claims_initiated_by_user.surname

Surname

type: keyword

azure.activitylogs.identity.claims_initiated_by_user.fullname

Fullname

type: keyword

azure.activitylogs.identity.claims_initiated_by_user.schema

Schema

type: keyword

azure.activitylogs.identity.claims.*

Claims

type: object

authorization

edit

Authorization

azure.activitylogs.identity.authorization.scope

Scope

type: keyword

azure.activitylogs.identity.authorization.action

Action

type: keyword

evidence

edit

Evidence

azure.activitylogs.identity.authorization.evidence.role_assignment_scope

Role assignment scope

type: keyword

azure.activitylogs.identity.authorization.evidence.role_definition_id

Role definition ID

type: keyword

azure.activitylogs.identity.authorization.evidence.role

Role

type: keyword

azure.activitylogs.identity.authorization.evidence.role_assignment_id

Role assignment ID

type: keyword

azure.activitylogs.identity.authorization.evidence.principal_id

Principal ID

type: keyword

azure.activitylogs.identity.authorization.evidence.principal_type

Principal type

type: keyword

azure.activitylogs.operation_name

Operation name

type: keyword

azure.activitylogs.result_type

Result type

type: keyword

azure.activitylogs.result_signature

Result signature

type: keyword

azure.activitylogs.category

Category

type: keyword

azure.activitylogs.event_category

Event Category

type: keyword

azure.activitylogs.properties

Properties

type: flattened

auditlogs

edit

Fields for Azure audit logs.

azure.auditlogs.category

The category of the operation. Currently, Audit is the only supported value.

type: keyword

azure.auditlogs.operation_name

The operation name

type: keyword

azure.auditlogs.operation_version

The operation version

type: keyword

azure.auditlogs.identity

Identity

type: keyword

azure.auditlogs.tenant_id

Tenant ID

type: keyword

azure.auditlogs.result_signature

Result signature

type: keyword

properties

edit

The audit log properties

azure.auditlogs.properties.result

Log result

type: keyword

azure.auditlogs.properties.activity_display_name

Activity display name

type: keyword

azure.auditlogs.properties.result_reason

Reason for the log result

type: keyword

azure.auditlogs.properties.correlation_id

Correlation ID

type: keyword

azure.auditlogs.properties.logged_by_service

Logged by service

type: keyword

azure.auditlogs.properties.operation_type

Operation type

type: keyword

azure.auditlogs.properties.id

ID

type: keyword

azure.auditlogs.properties.activity_datetime

Activity timestamp

type: date

azure.auditlogs.properties.category

category

type: keyword

target_resources.*

edit

Target resources

azure.auditlogs.properties.target_resources.*.display_name

Display name

type: keyword

azure.auditlogs.properties.target_resources.*.id

ID

type: keyword

azure.auditlogs.properties.target_resources.*.type

Type

type: keyword

azure.auditlogs.properties.target_resources.*.ip_address

ip Address

type: keyword

azure.auditlogs.properties.target_resources.*.user_principal_name

User principal name

type: keyword

modified_properties.*

edit

Modified properties

azure.auditlogs.properties.target_resources.*.modified_properties.*.new_value

New value

type: keyword

azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name

Display value

type: keyword

azure.auditlogs.properties.target_resources.*.modified_properties.*.old_value

Old value

type: keyword

initiated_by

edit

Information regarding the initiator

app

edit

App

azure.auditlogs.properties.initiated_by.app.servicePrincipalName

Service principal name

type: keyword

azure.auditlogs.properties.initiated_by.app.displayName

Display name

type: keyword

azure.auditlogs.properties.initiated_by.app.appId

App ID

type: keyword

azure.auditlogs.properties.initiated_by.app.servicePrincipalId

Service principal ID

type: keyword

user

edit

User

azure.auditlogs.properties.initiated_by.user.userPrincipalName

User principal name

type: keyword

azure.auditlogs.properties.initiated_by.user.displayName

Display name

type: keyword

azure.auditlogs.properties.initiated_by.user.id

ID

type: keyword

azure.auditlogs.properties.initiated_by.user.ipAddress

ip Address

type: keyword

platformlogs

edit

Fields for Azure platform logs.

azure.platformlogs.operation_name

Operation name

type: keyword

azure.platformlogs.result_type

Result type

type: keyword

azure.platformlogs.result_signature

Result signature

type: keyword

azure.platformlogs.category

Category

type: keyword

azure.platformlogs.event_category

Event Category

type: keyword

azure.platformlogs.status

Status

type: keyword

azure.platformlogs.ccpNamespace

ccpNamespace

type: keyword

azure.platformlogs.Cloud

Cloud

type: keyword

azure.platformlogs.Environment

Environment

type: keyword

azure.platformlogs.EventTimeString

EventTimeString

type: keyword

azure.platformlogs.Caller

Caller

type: keyword

azure.platformlogs.ScaleUnit

ScaleUnit

type: keyword

azure.platformlogs.ActivityId

ActivityId

type: keyword

azure.platformlogs.properties

Event inner properties

type: flattened

signinlogs

edit

Fields for Azure sign-in logs.

azure.signinlogs.operation_name

The operation name

type: keyword

azure.signinlogs.operation_version

The operation version

type: keyword

azure.signinlogs.tenant_id

Tenant ID

type: keyword

azure.signinlogs.result_signature

Result signature

type: keyword

azure.signinlogs.result_description

Result description

type: keyword

azure.signinlogs.result_type

Result type

type: keyword

azure.signinlogs.identity

Identity

type: keyword

azure.signinlogs.category

Category

type: keyword

azure.signinlogs.properties.id

Unique ID representing the sign-in activity.

type: keyword

azure.signinlogs.properties.created_at

Date and time (UTC) the sign-in was initiated.

type: date

azure.signinlogs.properties.user_display_name

User display name

type: keyword

azure.signinlogs.properties.correlation_id

Correlation ID

type: keyword

azure.signinlogs.properties.user_principal_name

User principal name

type: keyword

azure.signinlogs.properties.user_id

User ID

type: keyword

azure.signinlogs.properties.app_id

App ID

type: keyword

azure.signinlogs.properties.app_display_name

App display name

type: keyword

azure.signinlogs.properties.autonomous_system_number

Autonomous system number.

type: long

azure.signinlogs.properties.client_app_used

Client app used

type: keyword

azure.signinlogs.properties.conditional_access_status

Conditional access status

type: keyword

azure.signinlogs.properties.original_request_id

Original request ID

type: keyword

azure.signinlogs.properties.is_interactive

Is interactive

type: boolean

azure.signinlogs.properties.token_issuer_name

Token issuer name

type: keyword

azure.signinlogs.properties.token_issuer_type

Token issuer type

type: keyword

azure.signinlogs.properties.processing_time_ms

Processing time in milliseconds

type: float

azure.signinlogs.properties.risk_detail

Risk detail

type: keyword

azure.signinlogs.properties.risk_level_aggregated

Risk level aggregated

type: keyword

azure.signinlogs.properties.risk_level_during_signin

Risk level during signIn

type: keyword

azure.signinlogs.properties.risk_state

Risk state

type: keyword

azure.signinlogs.properties.resource_display_name

Resource display name

type: keyword

azure.signinlogs.properties.status.error_code

Error code

type: long

azure.signinlogs.properties.device_detail.device_id

Device ID

type: keyword

azure.signinlogs.properties.device_detail.operating_system

Operating system

type: keyword

azure.signinlogs.properties.device_detail.browser

Browser

type: keyword

azure.signinlogs.properties.device_detail.display_name

Display name

type: keyword

azure.signinlogs.properties.device_detail.trust_type

Trust type

type: keyword

azure.signinlogs.properties.applied_conditional_access_policies

A list of conditional access policies that are triggered by the corresponding sign-in activity.

type: array

azure.signinlogs.properties.authentication_details

The result of the authentication attempt and additional details on the authentication method.

type: array

azure.signinlogs.properties.authentication_processing_details

Additional authentication processing details, such as the agent name in case of PTA/PHS or Server/farm name in case of federated authentication.

type: flattened

azure.signinlogs.properties.authentication_requirement

This holds the highest level of authentication needed through all the sign-in steps, for sign-in to succeed.

type: keyword

azure.signinlogs.properties.authentication_requirement_policies

Set of CA policies that apply to this sign-in, each as CA: policy name, and/or MFA: Per-user

type: keyword

azure.signinlogs.properties.flagged_for_review

type: boolean

azure.signinlogs.properties.home_tenant_id

type: keyword

azure.signinlogs.properties.network_location_details

The network location details including the type of network used and its names.

type: array

azure.signinlogs.properties.resource_id

The identifier of the resource that the user signed in to.

type: keyword

azure.signinlogs.properties.resource_tenant_id

type: keyword

azure.signinlogs.properties.risk_event_types

The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue.

type: keyword

azure.signinlogs.properties.risk_event_types_v2

The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue.

type: keyword

azure.signinlogs.properties.service_principal_name

The application name used for sign-in. This field is populated when you are signing in using an application.

type: keyword

azure.signinlogs.properties.user_type

type: keyword

azure.signinlogs.properties.service_principal_id

The application identifier used for sign-in. This field is populated when you are signing in using an application.

type: keyword

azure.signinlogs.properties.cross_tenant_access_type

type: keyword

azure.signinlogs.properties.is_tenant_restricted

type: boolean

azure.signinlogs.properties.sso_extension_version

type: keyword